Risk
Overlooked Embedded or Inherited AI Functionality
Description
The organization fails to identify AI capabilities embedded in commercial off-the-shelf (COTS) software or managed services that are not marketed or procured as AI products. Because the functionality is never recognized as AI, it bypasses AI governance, risk assessment, and data-handling controls, and the data it processes and the decisions it influences go unreviewed.
Example
A newly procured CRM system ships with an AI-powered predictive analytics feature that the vendor's documentation does not describe. The feature processes sensitive customer data, but because the system was procured as "a CRM" rather than as an AI product, no one assessed the model, where the data is sent, or how its predictions are used.
Assets Affected
AI App
3rd-party AI integration
Mitigation
- Scrutinize vendor documentation, release notes, data processing agreements, and sub-processor lists for references to models, predictions, recommendations, or generated content, and conduct technical assessments of all software and services to identify embedded AI functionality before and after deployment (vendors may add AI features in routine updates)
- Include AI considerations in vendor procurement and assessment processes, for example by asking vendors explicitly whether the product contains or calls AI/ML components, what data those components process, and whether they can be disabled
- Record any AI capability found, including third-party and inherited functionality, in the organization's AI inventory so it is covered by the same risk assessment as explicitly procured AI systems
Standards Mapping
- ISO 42001: A.10.3, A.4.2
- OWASP Top 10 for LLM: LLM03
- NIST AI RMF: MAP 2.1, GOVERN 6.1