Risk
Unauthorized / Prohibited Component Usage
Description
An experiment uses unauthorized or prohibited components.
Example
Teams import unvetted or disallowed models, datasets, or libraries during experimentation, creating vulnerability, license, or export-control risks.
Assets Affected
AI Policy
Model files
Dataset / RAG
Framework
3rd-party AI integration
Mitigation
- Generate AI SBOM/BOM at experiment start and on every change
- Enforce allow-/deny-lists in sandbox environments
- Use CI/CD gating for SCA and license scanning
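
Added example (not part of the original entry): a minimal CI gate that checks an AI BOM against allow-/deny-lists and an approved-license list, failing closed when license data is missing. The BOM is a constructed CycloneDX-style sample, and the component names and the `POLICY` structure are hypothetical.

```python
import json

# Constructed sample AI BOM (CycloneDX-style fields; every component name is made up).
SAMPLE_BOM = json.loads("""
{"components": [
  {"type": "library", "name": "torch", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
  {"type": "machine-learning-model", "name": "example-org/unvetted-llm",
   "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
  {"type": "data", "name": "scraped-forum-dump", "licenses": []},
  {"type": "library", "name": "banned-telemetry-sdk", "licenses": [{"license": {"id": "MIT"}}]}
]}
""")

# Hypothetical policy: allow-list per component type, global deny-list, approved licenses.
POLICY = {
    "allow": {"library": {"torch", "numpy"},
              "machine-learning-model": {"example-org/approved-bert"},
              "data": {"internal-support-tickets-v2"}},
    "deny": {"banned-telemetry-sdk"},
    "licenses": {"MIT", "BSD-3-Clause", "Apache-2.0"},
}

def evaluate(bom, policy):
    """Return a list of (component, reason) findings; an empty list means the gate passes."""
    findings = []
    for c in bom.get("components", []):
        name, ctype = c.get("name", "<unnamed>"), c.get("type", "<untyped>")
        if name in policy["deny"]:
            findings.append((name, "deny-listed"))
            continue  # deny wins; no further checks needed
        if name not in policy["allow"].get(ctype, set()):
            findings.append((name, f"not on allow-list for type '{ctype}'"))
        ids = [lic.get("license", {}).get("id") for lic in c.get("licenses", [])]
        if not ids:
            findings.append((name, "no declared license"))  # fail closed on missing data
        for lid in ids:
            if lid not in policy["licenses"]:
                findings.append((name, f"license '{lid}' not approved"))
    return findings

def gate(bom, policy):
    """Exit code for a CI step: 0 passes, 1 blocks the experiment change."""
    findings = evaluate(bom, policy)
    for name, reason in findings:
        print(f"BLOCK {name}: {reason}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_BOM, POLICY))
```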
Standards Mapping
- ISO 42001: A.6.2.2, A.10.3
- NIST AI RMF: MAP 4.1, MANAGE 3.1
- DASF v2: MODEL 7.3, ALGORITHMS 5.4