← All topics

Vendor Risk

AI vendor and third-party risk: due diligence, concentration risk, and the questions to ask before you trust a model provider.

10 articles

Articles about Vendor Risk

Atlanta Midtown Skyline Dusk
GRCMarket intelligence·

The 2026 AI Governance Talent Market: Assurance Skills Move to the Core

Australia's AI governance market is shifting from principle-setting towards assurance: control design, model testing, data lineage, third-party oversight and evidence a board or auditor can challenge. APRA has named the skills gap, no salary guide prices the role cleanly, and the scarce profile is the practitioner who can move from principle to proof.

Read article
The Hague Binnenhof Dusk
AI NewsPolicy·

A Government Now Vets Who Gets the Model. File It as a Vendor Risk.

For the second time in a month, a US government put a frontier model behind a gate. This time it was an access list: roughly 20 vetted organisations get GPT-5.6, chosen name by name. The capability story is covered. The one that lands on your desk is procurement: government-imposed access conditions are now a vendor-risk category your due diligence has to name.

Read article
Bendigo Rosalind Park Dusk
LeadershipLeading with AI·

A Deadline Is Not a Decision: Greenlighting AI Before the Free Window Closes

OpenAI's free window for ChatGPT's workspace agents closes today, right as the workspace-setup season begins. A vendor's deadline is a fact about the vendor, not a reason for you to decide. Here is the criteria a leader should actually greenlight on: real team need, switching cost, and governance readiness.

Read article
Barcelona Port Vell Blue Hour
AI NewsAI Agents·

You Are Now Buying Software for Agents, Not People

Gartner says $234 billion of enterprise SaaS spend is exposed to agentic arbitrage by 2030. Read as a vendor problem it is a headline. Read as a buyer it changes how you procure and govern the software you already run, so this piece turns the forecast into an API-parity test you can run this week, a five-clause contract checklist and a Monday workflow.

Read article
Los Angeles Downtown Dusk
AI NewsModel Release·

Claude Sonnet 5 Became the Default. That Is a Change Event.

Anthropic released Claude Sonnet 5 on 30 June and made it the default in Claude Code and on Claude.ai Free and Pro. Almost nobody chooses a model, so a frontier swap is a silent change to a system you may have already validated. Here is how to treat it as a change event: the prompts, the Monday workflow and the register entry.

Read article
Washington Dc Potomac Blue Hour
AI NewsPolicy·

Fable 5 Returns With a Jailbreak Severity Framework

Claude Fable 5 comes back globally on 1 July, three weeks after a US directive pulled it. The return matters less than what came with it: a safety patch that over-blocks routine coding, and a four-dimension jailbreak-severity framework the major labs are building together.

Read article
San Francisco Bay Skyline Dusk
AI NewsAnalysis·

Claude Fable 5: Frontier Capability, With Conditions Attached

Anthropic has put a Mythos-class model on general release, and the conditions matter as much as the capability. A silent classifier fallback, a mandatory 30-day retention policy and a 23 June billing switch all belong in your next third-party AI assessment.

Read article
Boston Back Bay Charles River Dusk
AI NewsAnalysis·

Microsoft's Seven MAI Models: The In-House Bet Under Copilot

Microsoft launched seven home-grown MAI models at Build 2026 and started swapping them into Copilot and the Microsoft 365 stack. For practitioners the story is procurement, not benchmarks: data lineage claims, weight tuning, and a billing change in the same week.

Read article
Zurich Limmat Old Town
GRCRegulatory analysis·

CPS 234 and AI Vendors: A Due Diligence Framework

CPS 234 has been in force since 2019. AI vendors stretch the framework in specific ways: training data exposure, model update opacity, and inference infrastructure that crosses the standard's information asset boundaries. A practical due diligence framework.

Read article
Oslo
GRCRegulatory analysis·

CPS 230 and AI: A Practical Operational Resilience Playbook

CPS 230 has been live since 1 July 2025. Nine months in, the practical question for boards and operational risk teams is no longer whether AI tools fall inside the standard. It is how to evidence it.

Read article