AI Governance Library

Generative AI Vendor Risk Assessment Guide

Published by FS-ISAC in February 2024, this guide offers a customizable framework for evaluating the risks of generative AI vendors. It supports financial institutions in assessing GenAI products and services as part of broader third-party risk management programs.
What’s Covered?

The guide introduces a structured methodology for evaluating generative AI vendors by combining high-level risk analysis with customizable questionnaires. It is designed to fit various organizational needs—from those with mature due diligence programs to those just starting out. The model divides the assessment into five domains: use case, business integration, data sensitivity, business resiliency, and exposure risk. Based on the outcome, organizations are guided to one of three due diligence levels. The internal stakeholder questionnaire (optional) and the dynamic vendor questionnaire are both customizable, allowing flexibility depending on risk tolerance. The vendor questionnaire covers: general discovery, data privacy and deletion, model lifecycle management, information security, technology integration, nth party usage, and legal/compliance. The guide incorporates best practices and references frameworks like NIST AI RMF, FFIEC IT Handbook, and 2023 Interagency Guidance on Third-Party Relationships. Rather than offering a fixed scoring system, it encourages financial institutions to apply their own internal rating models and update assessments regularly.

Contents of the document:

• Overview

• Where to Begin

• Assessment Model

• Preparing to Send the Questionnaires

• The Final Report and Archiving

• Contributors

• References and Resources

Why It Matters?

As GenAI systems are integrated into financial services, this guide helps institutions maintain control over compliance, privacy, and security risks. By offering modular tools and industry-aligned questionnaires, it makes GenAI due diligence more practical and adaptable—especially for sensitive or regulated environments.

What’s Missing?

The guide doesn’t offer a clear way to assign risk ratings based on questionnaire outcomes, requiring organizations to rely on their own models. Its focus is largely sector-specific, with limited applicability outside financial services. Broader ethical, social, or human rights considerations are also not covered.

Best For:

Best suited for financial sector risk officers, procurement teams, compliance professionals, and internal audit functions looking to introduce or strengthen generative AI vendor evaluation as part of their TPRM programs.

Source Details:

Generative AI Vendor Risk Assessment Guide. FS-ISAC, February 2024.

Group Chair: Benjamin Dynkin (Wells Fargo), Vice Chair: Hiranmayi Palanki (American Express)

Contributors include experts from Ally Financial, CME Group, Goldman Sachs, Mastercard, Bank of Hope, Principal Financial, and more.

https://www.fsisac.com

About the author
Jakub Szarmach