本文目前仅提供英文版本。
AI Supply Chain Due Diligence: Governing AI You Did Not Build
Most organisations using AI did not build their AI systems. They procured them from vendors, integrated them from cloud platforms, or embedded them from third-party APIs. The AI supply chain creates layered governance obligations — and APRA, the EU AI Act, and the Five Eyes guidance all now expect organisations to govern AI across their entire supply chain, not just within their own walls.
Key Takeaways
This article provides practical governance guidance verified against primary regulatory sources.
All facts and regulatory references have been verified as of May 2026.
"仅供参考。本文不构成法律、监管、财务或专业建议。如需具体指导,请咨询合格专家。"
AI supply chain due diligence is the process of identifying, assessing, and managing the governance risks created by AI systems that an organisation uses but did not develop. In 2026, the vast majority of enterprise AI comes from external sources: cloud AI services (AWS Bedrock, Azure OpenAI, Google Vertex AI), embedded AI features in SaaS platforms (Salesforce Einstein, ServiceNow Now Assist), third-party AI APIs (OpenAI, Anthropic, Cohere), and vendor AI products deployed on-premise. APRA's 30 April 2026 industry letter specifically flagged AI supply chain risks — observing heavy vendor concentration, inadequate contingency planning, and contractual arrangements that lacked provisions for audit rights, model update notifications, and incident reporting. The EU AI Act imposes obligations on deployers that extend to their AI providers. The Five Eyes agentic AI guidance addresses privilege and accountability risks when AI agents operate across organisational boundaries. Governing AI you did not build is now a regulatory expectation, not a best practice.
Mapping your AI supply chain
Most organisations do not have a complete picture of their AI supply chain. The first governance step is mapping it. Identify every AI system in use — including those embedded in SaaS platforms that employees may not think of as "AI." For each AI system, document: the provider and their subcontractors (fourth parties), what data flows to the provider and where it is processed, what decisions the AI influences or makes, the contractual terms governing the relationship, and the provider's own governance maturity. APRA observed that many entities were heavily dependent on a single AI provider for multiple critical use cases — creating concentration risk that was not visible at the board level.
Assessing third-party AI governance
Due diligence on AI providers should go beyond standard vendor security assessments. Evaluate: does the provider have a documented AI governance framework (ISO 42001 certification, SOC 2 with AI controls, or equivalent)? Can they demonstrate bias testing and fairness monitoring for their AI systems? Do they provide transparency about model training data, architecture, and known limitations? What are their incident notification commitments for AI-specific failures? Do contractual terms allow for your audit of their AI systems? What are the exit provisions — can you migrate data and operations if you need to switch providers?
Ongoing monitoring
AI supply chain governance is not a one-time assessment. Providers update their models, change their data processing practices, and alter their terms of service on an ongoing basis. Implement continuous monitoring through contractual notification requirements (the provider must inform you of material changes to their AI systems), periodic reassessment (annual at minimum for high-risk AI providers), performance tracking (monitor the accuracy, fairness, and reliability of third-party AI outputs), and incident response coordination (clear escalation paths when third-party AI failures affect your operations).
Primary sources: APRA Letter to Industry on AI, 30 April 2026 | Five Eyes Agentic AI Guidance, 1 May 2026