Vendor Risk Assessment

What this means in practice

The assessment examines data practices (how the vendor handles your data), model transparency (visibility into model training, capabilities, and limitations), service level commitments (uptime, performance, and support guarantees), incident response capabilities (how the vendor handles failures), regulatory compliance posture (whether the vendor meets applicable regulations), and contractual protections (liability, data ownership, exit provisions). Vendor risk assessment is particularly critical for organizations using LLMs from external providers, where limited visibility into training data and model behavior creates dependency risks. In the COMPEL framework, vendor risk assessment is a mandatory Model-stage artifact (TMPL-M-006).

Why it matters

Vendor risk assessment is particularly critical for organizations using external LLMs, where limited visibility into training data and model behavior creates dependency risks. The assessment examines data practices, model transparency, service levels, incident response, regulatory compliance, and contractual protections. Without thorough vendor risk assessment, organizations depend on AI systems they cannot fully understand, audit, or control.

How COMPEL uses it

Vendor risk assessment is a mandatory Model-stage artifact (TMPL-M-006) that evaluates governance risks from all third-party AI components. The Governance pillar integrates vendor risk into the enterprise risk register. The Evaluate stage monitors vendor performance against SLAs and risk commitments. The Calibrate stage reassesses vendor risk in each COMPEL cycle as vendor capabilities and the regulatory landscape evolve.

Related Terms

Other glossary terms mentioned in this entry's definition and context.

• Artifact
• Calibrate Stage
• COMPEL Cycle
• COMPEL Framework
• Compliance Posture
• Evaluate Stage
• Foundation Model
• Incident Response
• Labeling
• Model Stage
• Regulatory Compliance
• Risk Register