Unvetted Use of Open-Source and Third-Party AI Components

SAIL 3.10 | Risk | Build - AI Security Posture Management
Description

Incorporation of external libraries, pre-trained models, or data without sufficient security, privacy, or compliance review, leading to inherited vulnerabilities or legal risk.

Example

Using a pre-trained model from a public repo that contains a backdoor or is licensed incompatibly.

Assets Affected
  • Model files
  • Framework
  • 3rd-party AI integration
  • Dataset / RAG

Mitigation
  • Vet all third-party/open-source components before use
  • Maintain a Software Bill of Materials (SBOM)
  • Regularly monitor for vulnerabilities
  • Review licensing and compliance
  • Document all dependencies and their provenance

Standards Mapping
  • ISO 42001: A.10.3, A.6.2.3, A.4.3
  • OWASP Top 10 for LLM: LLM03
  • NIST AI RMF: GOVERN 6.1, MANAGE 3.1
  • DASF v2: MODEL 7.3, ALGORITHMS 5.4