3.10. Unvetted Use of Open-Source and Third-Party AI Components
Risk
Unvetted Use of Open-Source and Third-Party AI Components
Description
Incorporation of external libraries, pre-trained models, or data without sufficient security, privacy, or compliance review, leading to inherited vulnerabilities or legal risk.
Example
Using a pre-trained model from a public repo that contains a backdoor or is licensed incompatibly.
Assets Affected
- Model files
- Framework
- 3rd-party AI integration
- Dataset / RAG
Mitigation
- Vet all third-party/open-source components before use
- Maintain a Software Bill of Materials (SBOM)
- Regularly monitor for vulnerabilities
- Review licensing and compliance
- Document all dependencies and their provenance
Standards Mapping
- ISO 42001: A.10.3, A.6.2.3, A.4.3
- OWASP Top 10 for LLM: LLM03
- NIST AI RMF: GOVERN 6.1, MANAGE 3.1
- DASF v2: MODEL 7.3, ALGORITHMS 5.4