Getting Started with AI Vendor Management
Introduction
If you just read my previous blog post, which reflects on the urgency of AI governance and the pitfalls of not starting with vendor management, then you came to the right next post. This blog post dives deeper into the practical steps of establishing a vendor management program for AI Governance, focusing on how to build it without using sophisticated tools.
1. The Foundation of Vendor Management: Understanding Your Vendor Landscape
Most posts will tell you to start by mapping out your organization’s vendor landscape. I'm not. As I expressed to you before, your employees aren't waiting to adopt AI in the tools they already use, so all your prep time is making your business more valuable. Instead, pick the top 5-10 tools your company uses (that you know they use) and create a spreadsheet. Classify these vendors as high risk, critical, or whatever metric you want to use to indicate their level of importance.
2. Assessing and Categorizing Vendor Risk
Okay, I know I said we need to get going, but I have to take a step back and explain categorizing vendors. Categorizing risk levels is not easy, which is why I told you to start with your top 5-10. The top 5-10 should be the vendors that are used by a lot of people in your organization. Take Jira as an example. Jira is often a developer's tool, but because of its project management features, a lot of operations teams have adopted it and conformed it to their use case. I am often asked to use Jira in my capacity as an attorney to track contract review! So it can be a very widespread tool with a ton of data in it. That means it fits all four of my high-risk indicators: 1. high usage, 2. ease of use, 3. unstructured data capture, and 4. information that ranges from confidential proprietary code to customer data. That's high risk. Not all vendors pose the same level of risk, but I encourage the use of at least 3 categories, applying the logic I just used.
Risk Categories:
- Low Risk: Vendors with little to no access to confidential data (e.g., office supplies).
- Medium Risk: Vendors with access to confidential information but not critical data (e.g., marketing tools).
- High Risk: Vendors with access to sensitive data or systems that could impact business operations or compliance (e.g., cloud providers, AI development platforms).
3. Back to Those 5-10 Vendors
Create a spreadsheet in Sheets or Excel and label the columns as follows:
- vendor
- risk category (they should all be high)
- type of confidential data
- GenAI features?
- internal teams
- link to terms of service
- link to privacy policy
- Responsible AI disclosure
- cost
- use
- pass?
The columns do not have to be in that order, but those are the critical ones.
Hopefully the columns are self-explanatory, but for the internal teams column, you need to identify which teams are using the tool. In my Jira example above, some teams may be using it for a higher level of confidential data than others.
4. Approving an Already Approved Vendor
What happens if you review a vendor's terms of service and notice that they are training a model on your data? It's tricky because you have not even picked your AI governance framework or process yet! So how can you approve them? The simple answer is you can't. At this point, you are taking action in your AI governance role, but you are also developing your program. Sneaky, eh? Yes, you cannot build an AI Governance program sitting at your desk and reading articles on the internet like this one. By collecting all this data about your existing vendors, you are learning how your company is adopting AI, which has a significant influence on the program you want to launch as well as on the data supporting your position to management.
Conclusion: Start Small, Think Big
Building a vendor management program without tools might seem daunting, but starting small with basic steps can make a big difference. Don't make yourself crazy, you multiple-hat wearer with too much to do. Start with what you already have. It will inform your program, and it will also let you get started on day 1 of your new role.