There's a risk hiding in plain sight for most enterprises: the AI they didn't build themselves.
Every vendor tool with an AI feature, every third-party model integrated into a workflow, every SaaS platform that quietly upgraded its engine, all of it carries risk that most AI governance teams are struggling to assess. And according to new Credo AI research, the industry knows it.
40.7% of senior leaders surveyed identify assessing and managing risks from third-party AI systems and vendors as their single biggest governance challenge. It outranks regulatory compliance, manual workflows, and even centralized visibility, making it the hardest AI governance problem enterprises face today.
Why Third-Party Risk Is So Hard to Manage
First-party AI, models your team builds, tests, and deploys, is hard enough to govern. But third-party AI introduces a fundamental asymmetry: you bear the risk, but you don't control the system.
You can't audit a vendor's training data. You often can't explain why their model made a particular decision. You may not even know when they've updated their underlying model. Yet if their AI causes harm in your context like biased hiring decisions, flawed financial recommendations, a privacy violation, the liability lands with you.
This challenge compounds as AI scales. Our research shows that challenges managing third-party AI risk increase steadily as adoption broadens. For organizations deploying AI in multiple departments, third-party risk spikes to become the most frequently cited challenge. The more AI you use, the more third-party exposure you carry and the harder it becomes to track it all.
The AI Visibility Problem
At the core of this challenge is a visibility gap. Most AI governance teams can't maintain a complete, accurate inventory of every AI system their organization uses. Shadow AI, which is unsanctioned tools adopted by individual teams, makes this even harder. 65% of respondents rate shadow AI discovery as a critical governance capability, precisely because they know unseen tools represent unseen risk.
As one CTO put it in the survey: "We feel like it's the 'Wild West' with data going into AI tools."
What Good Looks Like
The organizations making headway on third-party AI risk are building structured vendor intake processes, standardizing risk assessments for AI procurement, and establishing ongoing monitoring that replaces point-in-time reviews. It requires treating external AI with the same rigor as internally built systems.
Most organizations aren't there yet. But the ones that are will be far better positioned when regulators and customers start demanding answers.
Third-party AI risk is just one of the AI governance challenges examined in depth in The State of AI Governance report. Download it to see the full findings from 371 senior leaders.
DISCLAIMER. The information we provide here is for informational purposes only and is not intended in any way to represent legal advice or a legal opinion that you can rely on. It is your sole responsibility to consult an attorney to resolve any legal issues related to this information.
