SAIL
Code/No Code - AI Asset Discovery

Risk 2.3: Unidentified Third-Party AI Integrations

Description

Existing integrations with external AI services, libraries, or data sources are not discovered or documented, so the risks they introduce are never assessed.

Example

A legacy application is found to be using an old, unmaintained third-party AI library for a minor feature, which has known vulnerabilities.

Assets Affected
  • 3rd-party AI integration
  • AI App
  • Pipeline Job

Mitigation
  • Perform thorough code and configuration reviews to identify all external dependencies
  • Implement Software Composition Analysis (SCA) tools
  • Review vendor contracts and service agreements
  • Document all third-party resources
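The first and last mitigations above (review code and configuration for external dependencies, then document them) can be started with a lightweight inventory pass like the following. This is an added example, not SAIL tooling; the requirements file, source snippets, documented inventory, AI package list and hostname heuristic are all constructed assumptions, and a real review would feed the same logic from an SCA tool's output and the repository itself.

```python
import re

# Constructed sample inputs for this example; not taken from any real project.
REQUIREMENTS_TXT = """\
flask==3.0.0
openai==0.28.0        # documented chat feature
transformers==4.30.0  # legacy tagging feature, nobody remembers adding it
"""
SOURCE_FILES = {
    "app/chat.py": "import openai\n",
    "app/legacy/tagger.py": "from transformers import pipeline\n",
    "app/settings.py": "VISION_URL = 'https://vision.example-ai-vendor.test/v1/analyze'\n",
}
DOCUMENTED = {"openai"}  # what the team's inventory currently lists (constructed)

# Heuristics (assumptions): package names and hostname fragments that signal an AI service.
AI_PACKAGES = {"openai", "anthropic", "transformers", "torch", "langchain", "cohere"}
AI_HOST_RE = re.compile(r"https?://([\w.-]*(?:ai|ml|llm|vision)[\w.-]*)", re.I)
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([\w.]+)", re.M)

def parse_requirements(text):
    """Return {package: version} from a requirements.txt, ignoring comments."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            deps[name.lower()] = version.strip() or None
    return deps

def find_ai_integrations(requirements, sources):
    """Map each suspected AI integration to the evidence that revealed it."""
    found = {}
    for name, version in parse_requirements(requirements).items():
        if name in AI_PACKAGES:
            found.setdefault(name, set()).add(f"requirements.txt=={version}")
    for path, code in sources.items():
        for m in IMPORT_RE.finditer(code):
            top = m.group(1).split(".")[0].lower()
            if top in AI_PACKAGES:
                found.setdefault(top, set()).add(path)
        for m in AI_HOST_RE.finditer(code):  # external AI endpoints in config
            found.setdefault(m.group(1).lower(), set()).add(path)
    return found

def undocumented(found, documented):
    """Integrations present in code/config but missing from the inventory."""
    return sorted(set(found) - set(documented))

if __name__ == "__main__":
    hits = find_ai_integrations(REQUIREMENTS_TXT, SOURCE_FILES)
    print("undocumented AI integrations:", undocumented(hits, DOCUMENTED))
```

On the constructed input it flags the legacy `transformers` dependency and the vision endpoint in settings, which is exactly the gap between what is deployed and what is documented that this risk describes.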
Standards Mapping
  • ISO 42001: A.10.3, A.4.2
  • OWASP Top 10 for LLM: LLM03
  • NIST AI RMF: GOVERN 6.1, MAP 4.1
  • DASF v2: MODEL 7.3