Are you staying on top of vendors processing your data with AI?
A free 4-step guide to getting the answers you need to protect your sensitive information.
99% of the time, it’s not clear how your data is processed with AI.
Even as software supply chains become increasingly complex, standards regarding AI use with customer data are not firmly established.
While there is nothing inherently wrong with a company processing your data with AI, or even training models on it (and doing so might even help you), it’s important to know if and how they do it.
That’s why I put together this set of questions for evaluating AI use in your supply chain. Because this will require a response from a counterparty, it’s likely to be most effective with vendors. But feel free to deploy it in other situations as appropriate!
1. Do you process data we provide using artificial intelligence (AI), either directly or through another organization?
If NO:
Are you sure?
If they confirm, then request:
Confirm you will inform us within 10 days of your intent to begin processing our data with AI.
Stop here, but monitor for future signs of AI use.
If YES, list all:
3rd (and greater) parties processing our data using AI.
Models and processes you use on our data, classifying them as either predictive or generative AI.
And proceed to step 2.
2. For both your organization and all 3rd (and greater) parties, list all types of our data:
Processed using AI, whether directly by your organization or a 3rd (and greater) party.
Name all entities (at least types, e.g. employee, customer, or partner) which have access to these AI models or data processed by them.
Provide the text of all confidentiality and intellectual property assignment agreements with these entities.
Used to train AI models.
Explain whether training is opt-in, opt-out, or mandatory, as well as the potential consequences if you do not train models on our data.
Describe the provision(s) of our contractual agreement authorizing this AI training.
Describe who owns the resulting models and why, based on the relevant provision(s) of our contractual agreement.
Describe the anonymization techniques applied to our data prior to training, if any. Classify them as one or a combination of:
Manual (if so, describe the process)
Rules-based (if so, provide the rules; see the sketch after this list)
AI-driven (if so, answer all of the same questions for the relevant model(s))
Exposed to retrieval-augmented generation (RAG) or equivalent processes.
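To make the rules-based category concrete, below is a minimal Python sketch of what a regex-driven redaction rule set might look like. The rules, tokens, and anonymize function are hypothetical illustrations, not any vendor’s actual process; the point of the question is to get the real rules in writing.

```python
import re

# Hypothetical rules-based anonymization: each rule pairs a regex with a
# replacement token. A vendor's real rule set would be provided in its answer.
RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),  # email addresses
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),      # US SSN format
]

def anonymize(text: str) -> str:
    # Apply every rule in order, replacing matches with the rule's token.
    for pattern, token in RULES:
        text = pattern.sub(token, text)
    return text

print(anonymize("Contact jane.doe@example.com, SSN 123-45-6789."))
# Contact [EMAIL], SSN [SSN].
```

A rule set like this is only as good as its coverage, which is exactly why the question asks for the rules themselves rather than a yes/no answer.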
3. How do you address non-conformance with the above? Specifically:
What is your procedure and timeline for informing us if unintended training occurs?
Confirm you will inform us within 10 days of any changes to the above information.
4. How do you provide the above information?
How transparent a vendor is about AI processing should inform your level of confidence in its handling of your data. I propose the rough guidelines below for evaluating responses to your inquiries:
Terrible
“We don’t provide this information. But our marketing blog talks a lot about AI!”
Okay
“Open a support ticket or send a security questionnaire.”
While this is better than nothing, you should be somewhat concerned if you need to pull this information or if it doesn’t represent a contractual commitment.
Good
“It’s on our AI trust center and our contractual terms explicitly bind us to following what it says.”
Atlassian offers a solid example of both the trust center and terms of service.
Amazing
“We make this available publicly via the CycloneDX SBOM Standard. And we commit to this contractually.”
Machine readability is the name of the game here. CycloneDX makes processing and analyzing this type of data far easier. StackAware makes its SBOM available for this reason.
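To illustrate that machine readability, here is a minimal Python sketch that inventories AI models from a CycloneDX JSON SBOM. CycloneDX 1.5 added a machine-learning-model component type, so AI models can be enumerated like any other dependency; the file name below is hypothetical.

```python
import json

# Load a vendor-supplied CycloneDX SBOM (file name is hypothetical).
with open("vendor-sbom.json") as f:
    bom = json.load(f)

# CycloneDX 1.5+ defines a "machine-learning-model" component type,
# letting AI models appear in the inventory alongside ordinary software.
ml_models = [
    c for c in bom.get("components", [])
    if c.get("type") == "machine-learning-model"
]

for model in ml_models:
    supplier = model.get("supplier", {}).get("name", "unknown supplier")
    print(f"{model.get('name', 'unnamed model')} ({supplier})")
```

Run against each new SBOM a vendor publishes, a script like this could also flag newly added models, which pairs naturally with the 10-day notification commitments in steps 1 and 3.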
Making sense of vendor AI use
Getting this type of detail about your supply chain can take a huge amount of time and effort.
And knowing what to do with the information is even more challenging.
That’s why StackAware’s risk assessment offering includes a full evaluation of your vendors’ AI use.