ISO 42001:2023 - A.10.3 Supplier Requirements for AI Systems
This article provides guidance on how to implement ISO 42001:2023 control A.10.3, Supplier Requirements for AI Systems.
ISO 42001 Control Description
The organisation shall establish requirements for suppliers involved in the development, provision, or operation of AI systems or their components, and shall ensure that these requirements are communicated to suppliers, reflected in contractual arrangements, and verified through appropriate oversight and assurance activities.
Control Objective
To ensure that suppliers involved in the AI system lifecycle operate in accordance with the organisation's responsible AI standards and applicable obligations, that AI-specific risks arising from supplier relationships are identified and managed, and that the organisation can maintain accountability for AI system governance even where significant activities are performed by external parties.
Purpose
Organisations that develop or use AI systems frequently rely on suppliers for elements that are integral to the system's behaviour and governance. Training data, pre-trained models, development tools, cloud infrastructure, and operational services are among the many components that may be sourced externally. The governance implications of this dependence are significant: the quality, integrity, and ethical character of an AI system are not determined solely by the actions of the organisation deploying it, but are also shaped materially by the practices of its suppliers.
Without explicit requirements and oversight arrangements for suppliers, the organisation may find itself unable to assure the responsible governance of systems it cannot fully observe or control. Suppliers operating to lower standards of data governance, fairness, transparency, or security may introduce risks that are difficult to detect until they manifest in the system's operational behaviour or, more significantly, in adverse impacts on individuals. The regulatory and reputational consequences of such failures may fall substantially on the organisation, even where the proximate cause lies with a supplier.
This control recognises that the governance of supplier relationships is not a peripheral concern for AI management but is central to the organisation's ability to fulfil its responsibilities to affected individuals, to regulators, and to its own stakeholders. Effective supplier governance requires the organisation to set clear expectations, verify their fulfilment, and maintain accountability throughout the supply chain.
Guidance on Implementation
Identifying Suppliers with AI System Relevance
The organisation shall maintain a register of suppliers whose activities are relevant to the development, provision, operation, or performance of its AI systems. The register shall identify the nature and scope of each supplier's involvement, the AI systems affected by each supplier relationship, and the aspects of AI governance for which the supplier's activities are consequential.
Suppliers shall be assessed for relevance to AI governance at the point of onboarding and the register shall be maintained and updated as supplier relationships change. The level of governance attention applied to each supplier shall be proportionate to the significance of their role in the AI system and the risks that their activities introduce.
Defining Supplier Requirements
The organisation shall define the requirements applicable to suppliers whose activities affect the governance of its AI systems. Requirements shall address, as relevant to the nature of the supplier's involvement: data quality, provenance, and governance obligations for data suppliers; model performance, bias assessment, and documentation obligations for model or component providers; security and operational standards for infrastructure and platform providers; compliance with applicable legal requirements, including data protection legislation; and incident notification obligations.
Requirements shall be grounded in the organisation's own responsible AI standards, the results of risk assessments applicable to the supplier relationship, and any regulatory or contractual obligations that flow through the supply chain. Supplier requirements shall be documented clearly and in sufficient detail to enable the supplier to understand what is expected and to demonstrate compliance.
Contractual Embedding of Supplier Requirements
AI-relevant requirements shall be reflected in contractual arrangements with applicable suppliers. Contracts shall address the specific obligations of the supplier relating to AI system governance, including any requirements for documentation, assessment activities, incident reporting, and access for audit or assurance purposes. Contracts shall also address the consequences of non-compliance and the mechanisms available to the organisation where a supplier fails to meet its obligations.
The organisation shall ensure that AI-specific requirements are incorporated into contract templates and standard terms where relevant, and that contracts are reviewed and updated to address AI governance requirements when renewing existing arrangements or entering into new supplier relationships.
Supplier Assurance and Oversight
The organisation shall establish a process for assuring that suppliers are meeting their AI-related obligations on an ongoing basis. Assurance activities shall be proportionate to the risk profile of the supplier relationship and may include review of supplier-provided documentation and certifications; assessment of supplier practices against defined requirements; audit activities, where contractually provided for; and periodic review of supplier performance, including analysis of incidents or issues arising from supplier activities.
Where assurance activities identify deficiencies in supplier compliance, the organisation shall take appropriate action, including requiring the supplier to implement corrective measures, escalating the matter through governance channels, and assessing whether the supplier relationship should be continued.
Managing Changes to Supplier Arrangements
The organisation shall assess the AI governance implications of material changes to supplier arrangements, including changes to the services or components provided, changes to the supplier's processing activities, and changes to the supplier's own subcontractor relationships. Material changes shall be assessed for their impact on the AI system's governance and risk profile before being implemented, and any additional requirements or controls identified through this assessment shall be addressed.
Supply Chain Transparency
The organisation shall seek to understand and document the key elements of its AI system supply chain, including significant subcontractors and dependencies that may affect the system's behaviour or governance. Where supply chain complexity creates material opacity, the organisation shall take steps to improve its understanding of upstream practices and to ensure that its own governance requirements flow appropriately through the supply chain.
Related Controls
- A.10.2 – Allocating Responsibilities for AI Systems: Supplier requirements established under this control shall be consistent with the responsibility allocations documented under A.10.2, ensuring that contractual obligations reflect the agreed governance structure.
- A.4.3 – Data Resources for AI Systems: Where suppliers provide data used in AI system development or operation, data-specific requirements shall be addressed in supplier governance arrangements.
- A.6.2.3 – Data for Development and Testing of AI Systems: Requirements relating to the quality and provenance of training data supplied by third parties shall be addressed as part of supplier governance.
- A.8.2 – AI System Incident Management: Supplier contracts shall include obligations for incident notification and cooperation that enable the organisation to fulfil its incident management responsibilities.
- A.8.5 – AI System Decommissioning: Supplier governance shall address the arrangements applicable at end-of-life, including the handling of data and model artefacts held by suppliers upon decommissioning.