What Is Fourth-Party Risk?
Fourth-Party Risk is the risk arising from a supplier's own suppliers — the subcontractors and upstream providers behind a direct vendor that can disrupt a service despite having no direct relationship with the organisation.
If your AI vendor depends on a particular cloud host or foundation-model provider, that dependency is your fourth party — and a failure there can reach you even though you never signed a contract with them. APRA's April 2026 letter specifically asked regulated entities to look beyond their direct suppliers and map these deeper chains. It is the supply-chain companion to concentration risk.
Source: APRA CPS 230; supply-chain risk-management practice