Third Parties & Supply Chain across ISO 42001, NIST AI RMF and the EU AI Act
// theme · third-party
Third Parties & Supply Chain
Suppliers, providers, deployers, GPAI model providers.
// Do once → satisfies all three
ONE vendor / model-provider due-diligence questionnaire plus a captured Art.53 GPAI provider info pack for each upstream model.
Most teams integrate models rather than build them. One due-diligence pack covers ISO third-party control, NIST GOVERN 6, and EU value-chain duties.
- ISO 42001: Annex A.10
- NIST AI RMF: GOVERN 6.1 · MAP 4.1
- EU AI Act: Art.25 · Art.53
// Evidence auditors expect
- ✓ Vendor / model-provider due-diligence questionnaire
- ✓ Contract clauses on documentation, incident notice, audit rights
- ✓ GPAI provider info pack (Art.53) shared downstream
- ✓ Inventory of foundation models and their licences
// Common pitfalls
- ⚠ Using a GPAI model without collecting the Art.53 provider info pack.
- ⚠ Vendor contract silent on incident notification timelines.
- ⚠ Assuming the upstream provider's compliance flows through automatically - it does not.
ISO 42001
Annex A.10 covers third-party and customer relationships.
- Annex A.10.2 · Allocating responsibilities: allocate responsibilities for AI risk between the organisation and third parties.
- Annex A.10.3 · Suppliers: manage AI risk arising from suppliers of data, models, tools and services.
- Annex A.10.4 · Customers: manage AI risk arising from how customers use the AI systems the organisation provides.
NIST AI RMF
GOVERN 6 + MAP 4 cover supply-chain and third-party risk.
- GOVERN 6.1 · Third-party AI risk policies: policies and procedures address AI risks from third-party software and data.
- GOVERN 6.2 · Contingencies for third-party failures: plans are in place for failures or incidents from third-party AI components.
- MAP 4.1 · Third-party risks mapped: approaches for mapping AI risks from third-party entities are in place.
- MAP 4.2 · Internal risk controls documented: internal risk controls for third-party AI are documented.
EU AI Act
Art.25 covers responsibility along the value chain; Art.53/55 set obligations on providers of general-purpose AI models.