Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Securing and Understanding the Risk of Third-Party AI Use

Oversight For AI Business As Usual

AI adoption has accelerated rapidly in recent years. What was once viewed as emerging technology is now a core component of enterprise operations, used to enhance productivity, streamline decision-making, and support faster service delivery. At the same time, most organizations have adopted these capabilities through third-party providers. As a result, whenever data is shared with a third party, there is now a strong likelihood that AI is being applied to it in some form.

This shift has made AI risk increasingly synonymous with third-party risk. While much of the industry’s focus on AI has emphasized internal governance, many of the tools and capabilities in use are externally sourced. The question is no longer whether a vendor uses AI, but how it’s being used — and what risks that introduces. Understanding and managing these risks has become a growing priority across third-party security and risk functions.

Clarifying the Categories of AI Risk

AI introduces a range of risks that build on, and in many cases go beyond, those associated with traditional security. In the context of third-party use, these risks generally fall into three categories but aren’t limited to: data privacy and security, ethical and bias-related risk, and operational risk.

Data privacy and security risks emerge when sensitive information shared with a third party is exposed to AI-driven processing without adequate safeguards. Information may be inferred, retained, or used in unexpected ways, and the underlying controls can be difficult to assess. In some cases, AI systems may contribute to data misuse or increase exposure in the event of a breach.

Ethical and bias-related risks arise when third-party AI systems generate unfair or opaque outcomes. If a vendor’s models produce biased recommendations or lack accountability mechanisms, the reputational consequences may extend to the organization using their services. These risks are particularly difficult to assess without transparency into how the models function and are governed.

Operational risks stem from the increasing reliance on AI to support business-critical processes. Even when sensitive data is not directly involved, a third party’s failure to manage its own AI systems can disrupt services and create cascading effects downstream and impacts to operational business decisions. If a key vendor’s AI tools malfunction, behave unpredictably, or rely on outdated training data, the consequences may extend well beyond that single provider.

These risks all become more difficult to evaluate and control when the AI systems are external. That’s why structured, scalable approaches to assessing third-party AI use are becoming essential.

Adapting the Third-Party Security and Risk Process

Organizations are evolving their third-party security and risk programs to reflect these shifting dynamics. Rather than treating AI as a simple yes-or-no consideration, they are developing more granular approaches — prioritizing based on how AI is being used, what business it supports, and the potential impact of failure.

During inherent risk assessment, many are moving away from binary scoping questions and instead evaluating how AI is embedded into the vendor’s offerings. A third party that develops or trains models may present different risks than one that uses pre-built AI to streamline internal operations — and the evaluation should reflect that distinction.

At the contracting stage, organizations are working to define acceptable uses of AI and to include specific obligations around transparency, governance, and data handling. Because the contract is often the most powerful mechanism for controlling inherent risk, clarifying these expectations up front is critical.

More broadly, governance expectations are expanding. It’s imperative that the governance body of any risk area is setting the standard and expectations of AI and how it should be evaluated and what the appetite thresholds are for the organization. Even where AI is not a primary feature of the relationship, organizations are beginning to assess whether vendors have baseline controls in place for managing AI responsibly. And for higher-risk use cases — particularly those involving sensitive data or decision-making — targeted technical reviews may be warranted. These reviews can be resource-intensive, so prioritization is key to ensuring their impact.

Strengthening Monitoring and Visibility

Ongoing monitoring plays a central role in improving third-party AI oversight. External visibility tools — including security ratings and AI usage discovery platforms — are helping organizations understand where AI is in use and how it’s evolving over time. This is especially useful when AI applications are not explicitly disclosed or were introduced after onboarding.

Continuous monitoring also supports a more proactive approach to risk management. By tracking changes in vendor behavior, organizations can identify shifts in AI usage, spot potential anomalies, and respond before those changes translate into downstream impact. This capability is becoming increasingly important as third-party ecosystems evolve and new AI applications emerge quickly.

Using AI to Improve Oversight

AI itself is also playing a growing role in securing third-party AI use. Organizations are beginning to leverage AI tools to identify patterns in vendor behavior, predict high-risk use cases, and automate elements of the evaluation process. These tools can reduce reliance on business stakeholders to flag issues manually — a task that often exceeds their technical expertise — and help ensure resources are directed where they will provide the most value.

Integrated into the broader third-party security lifecycle, these capabilities can support more accurate evaluations, simulate potential impacts, and align high-assurance activities with actual risk exposure. As organizations face growing pressure to manage a large and complex vendor landscape, this type of automation is becoming increasingly essential. Taken together, these practices reflect a broader shift toward more adaptive, intelligence-driven approaches to third-party security, where AI risk is addressed not as a novelty, but as a core component of modern risk management.

Meet our team

Image of Chetan Gavankar
Chetan Gavankar
Principal, Advisory, Cyber Security, KPMG US
Read bio
Image of Chetan Gavankar
Chetan Gavankar
Principal, Advisory, Cyber Security, KPMG US
Read bio

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2025 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline