Vendor Risk
AI vendor and third-party risk: due diligence, concentration risk, and the questions to ask before you trust a model provider.
10 articles
Articles about Vendor Risk

The 2026 AI Governance Talent Market: Assurance Skills Move to the Core
Australia's AI governance market is shifting from principle-setting towards assurance: control design, model testing, data lineage, third-party oversight and evidence a board or auditor can challenge. APRA has named the skills gap, no salary guide prices the role cleanly, and the scarce profile is the practitioner who can move from principle to proof.
Read article
A Government Now Vets Who Gets the Model. File It as a Vendor Risk.
For the second time in a month, a US government put a frontier model behind a gate. This time it was an access list: roughly 20 vetted organisations get GPT-5.6, chosen name by name. The capability story is covered. The one that lands on your desk is procurement: government-imposed access conditions are now a vendor-risk category your due diligence has to name.
Read article
A Deadline Is Not a Decision: Greenlighting AI Before the Free Window Closes
OpenAI's free window for ChatGPT's workspace agents closes today, right as the workspace-setup season begins. A vendor's deadline is a fact about the vendor, not a reason for you to decide. Here is the criteria a leader should actually greenlight on: real team need, switching cost, and governance readiness.
Read article
You Are Now Buying Software for Agents, Not People
Gartner says $234 billion of enterprise SaaS spend is exposed to agentic arbitrage by 2030. Read as a vendor problem it is a headline. Read as a buyer it changes how you procure and govern the software you already run, so this piece turns the forecast into an API-parity test you can run this week, a five-clause contract checklist and a Monday workflow.
Read article
Claude Sonnet 5 Became the Default. That Is a Change Event.
Anthropic released Claude Sonnet 5 on 30 June and made it the default in Claude Code and on Claude.ai Free and Pro. Almost nobody chooses a model, so a frontier swap is a silent change to a system you may have already validated. Here is how to treat it as a change event: the prompts, the Monday workflow and the register entry.
Read article
Fable 5 Returns With a Jailbreak Severity Framework
Claude Fable 5 comes back globally on 1 July, three weeks after a US directive pulled it. The return matters less than what came with it: a safety patch that over-blocks routine coding, and a four-dimension jailbreak-severity framework the major labs are building together.
Read article
Claude Fable 5: Frontier Capability, With Conditions Attached
Anthropic has put a Mythos-class model on general release, and the conditions matter as much as the capability. A silent classifier fallback, a mandatory 30-day retention policy and a 23 June billing switch all belong in your next third-party AI assessment.
Read article
Microsoft's Seven MAI Models: The In-House Bet Under Copilot
Microsoft launched seven home-grown MAI models at Build 2026 and started swapping them into Copilot and the Microsoft 365 stack. For practitioners the story is procurement, not benchmarks: data lineage claims, weight tuning, and a billing change in the same week.
Read article
CPS 234 and AI Vendors: A Due Diligence Framework
CPS 234 has been in force since 2019. AI vendors stretch the framework in specific ways: training data exposure, model update opacity, and inference infrastructure that crosses the standard's information asset boundaries. A practical due diligence framework.
Read article
CPS 230 and AI: A Practical Operational Resilience Playbook
CPS 230 has been live since 1 July 2025. Nine months in, the practical question for boards and operational risk teams is no longer whether AI tools fall inside the standard. It is how to evidence it.
Read article