10.3 Suppliers

The organisation shall establish a process to ensure that its usage of services, products or materials provided by suppliers aligns with the organisation’s approach to the responsible development and use of AI systems. This control is essential for maintaining governance and ensuring that AI systems are managed responsibly. It should be applied consistently across all relevant organisational processes and reviewed periodically to remain effective.

Business Requirement The purpose of this control is to safeguard organisational integrity, compliance with legal and regulatory requirements, and to promote trustworthiness in AI systems. It ensures that risks are mitigated and that the organisation’s objectives for responsible AI use are achieved.

Organisations developing or using an AI system can utilise suppliers in a number of ways, from sourcing datasets, machine learning algorithms or models, or other components of a system such as software libraries, to an entire AI system itself for use on its own or as part of another product (e.g. a vehicle). Organisations should consider different types of suppliers, what they supply, and the varying level of risk this can pose to the system and organisation as a whole in determining the selection of suppliers, the requirements placed on those suppliers, and the levels of ongoing monitoring and evaluation needed for the suppliers. Organisations should document how the AI system and AI system components are integrated into AI systems developed or used by the organisation. Where the organisation considers that the AI system or AI system components from a supplier do not perform as intended or can result in impacts to individuals or groups of individuals, or both, and societies that are not aligned with the responsible approach to AI systems taken by the organisation, the organisation should require the supplier to take corrective actions. The organisation can decide to work with the supplier to achieve this objective. The organisation should ensure that the supplier of an AI system delivers appropriate and adequate documentation related to the AI system (see B.6.2.7 and B.8.2). Organisations should implement this control by establishing clear procedures, assigning responsibilities, and maintaining accurate documentation. Practical steps include integrating this control into existing governance frameworks, training relevant personnel, and monitoring compliance through regular audits.