Risk
Unidentified Third-Party AI Integrations
Description
Existing integrations with external AI services, libraries, or data sources have not been discovered or documented, so the risks they carry are never assessed.
Example
A legacy application is found to be using an old, unmaintained third-party AI library for a minor feature, which has known vulnerabilities.
Assets Affected
Third-party AI integration
AI App
Pipeline Job
Mitigation
- Perform thorough code and configuration reviews to identify all external dependencies
- Implement Software Composition Analysis (SCA) tools
- Review vendor contracts and service agreements
- Document all third-party resources
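As an added illustration of the first two mitigations (this is example code, not part of the catalogue entry), a small Python inventory scanner that flags watchlisted AI SDKs in dependency manifests, direct imports in source, and hosted-AI API hosts in configuration, producing a record for the risk register. The watchlists and the sample repository contents are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed watchlist (assumption): common AI SDK names and hosted-AI API hostnames.
AI_PACKAGES = {"openai", "anthropic", "cohere", "langchain", "transformers"}
AI_HOSTS = ("api.openai.com", "api.anthropic.com", "api.cohere.ai", "huggingface.co")
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:(==|>=|<=|~=|>|<)\s*([^\s;#]+))?")
_IMPORT = re.compile(r"^\s*(?:import|from)\s+([A-Za-z0-9_]+)", re.MULTILINE)
_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")

def scan_requirements(text: str) -> Dict[str, str]:
    """Return {package: pin} for watchlisted packages; pin is '' when unpinned."""
    found = {}
    for line in text.splitlines():
        m = _REQ_LINE.match(line)  # comment and blank lines do not match
        if m and m.group(1).lower() in AI_PACKAGES:
            found[m.group(1).lower()] = m.group(2) + m.group(3) if m.group(2) else ""
    return found

def scan_imports(source: str) -> List[str]:
    """Return watchlisted packages imported directly by a Python source file."""
    names = {m.group(1).lower() for m in _IMPORT.finditer(source)}
    return sorted(n for n in names if n in AI_PACKAGES)

def scan_endpoints(text: str) -> List[str]:
    """Return hosted-AI hostnames (or their subdomains) referenced by URL in a file."""
    hosts = {m.group(1).lower() for m in _URL.finditer(text)}
    return sorted(h for h in hosts if any(h == a or h.endswith("." + a) for a in AI_HOSTS))

def build_inventory(files: Dict[str, str]) -> Dict[str, object]:
    """Aggregate findings over {path: contents} into an inventory for the risk register."""
    inv = {"packages": {}, "unpinned": [], "imports": {}, "endpoints": {}}
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            pkgs = scan_requirements(text)
            inv["packages"].update(pkgs)
            inv["unpinned"] += [p for p, pin in pkgs.items() if not pin]
        if path.endswith(".py"):
            for name in scan_imports(text):  # an import with no manifest entry stands out
                inv["imports"].setdefault(name, []).append(path)
        for host in scan_endpoints(text):
            inv["endpoints"].setdefault(host, []).append(path)
    return inv

SAMPLE_FILES = {  # constructed sample repository contents (assumption)
    "requirements.txt": "requests>=2.0\nopenai==0.27.0\ntransformers\n# numpy\n",
    "legacy/summarize.py": "import os\nfrom cohere import Client\n",
    "config/settings.yaml": "llm_url: https://api.openai.com/v1/chat/completions\n",
}
INVENTORY = build_inventory(SAMPLE_FILES)  # e.g. INVENTORY["unpinned"] == ["transformers"]
```

On the sample, `cohere` is imported but absent from the manifest and `transformers` is unpinned: both are the undocumented or unmaintained integrations this risk describes, and each inventory entry can then be cross-checked against vendor agreements and an SCA feed.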
Standards Mapping
- ISO 42001: A.10.3, A.4.2
- OWASP Top 10 for LLM: LLM03
- NIST AI RMF: GOVERN 6.1, MAP 4.1
- DASF v2: MODEL 7.3