Value Chain and Component Integration
Non-transparent or untraceable integration of upstream third-party components, including data that has been improperly obtained or not processed and cleaned due to increased automation from GAI; improper supplier vetting across the AI lifecycle; or other issues that diminish transparency or accountability for downstream users.
ENTITY
1 - Human
INTENT
2 - Unintentional
TIMING
1 - Pre-deployment
Risk ID
mit767
Domain lineage
7. AI System Safety, Failures, & Limitations
7.4 > Lack of transparency or interpretability
Mitigation strategy
1. Institute a mandatory, comprehensive AI Supplier Risk Management (SRM) and due diligence framework. This framework must require contractual agreements that explicitly define security standards, data provenance expectations, and audit rights, as well as pre-assessment of third-party models for adherence to fairness and explainability criteria prior to integration.
2. Establish and maintain an immutable, end-to-end data and component lineage system. This system must document all data acquisition (including proper consent/licensing validation), preprocessing steps (e.g., cleaning, de-identification), and the specific versioning of all integrated third-party code and model components, ensuring full traceability from source to final system output.
3. Execute rigorous pre-deployment technical validation protocols, including independent third-party audits and adversarial testing (e.g., 'red teaming'). This activity is critical to verify that the integrated system's behavior aligns with safety and compliance objectives, specifically confirming the mitigation of latent bias or data-related quality issues amplified by automated GAI processes.