Legal & Third-Party

Implementation and audit guidance for managing legal risks and third-party relationships.


AIJET Principles: A = Awareness, I = Integrity, J = Judgment, E = Ethics, T = Transparency

Awareness Transparency
AI Threats: Confidentiality clauses must explicitly prohibit the use of client data in unauthorized AI model training or dataset construction.

Guidance to Implement

Incorporate explicit confidentiality clauses into all third-party contracts and monitor compliance.

Guidance to Audit

Signed contracts and NDA records.

Key Performance Indicator

X% of third-party contracts include mandatory confidentiality terms prohibiting AI model training with client data.

Integrity Transparency
AI Threats: Security requirements must mandate disclosure of all AI tools and models used by vendors that interact with client data.

Guidance to Implement

Integrate security clauses into supplier agreements and conduct periodic audits.

Guidance to Audit

Contract terms and security audit reports.

Key Performance Indicator

X% of third-party contracts include security clauses that mandate disclosure of AI tools used with client data.

Judgment Transparency
AI Threats: Contracts must require that third-party subcontractors apply identical AI data protection standards (AI usage flow-down).

Guidance to Implement

Require all third-party vendors to disclose subcontractors handling company data. Mandate contractual flow-down of AI data protection, logging, and disclosure requirements identical to those imposed on the primary vendor. Include audit and termination clauses for non-compliance.

Guidance to Audit

Review vendor contracts for fourth-party obligations. Sample vendors annually to validate subcontractor disclosures and verify that matching clauses are in place.

Key Performance Indicator

X% of third-party contracts ensure that subcontractors apply identical AI data protection standards.

Awareness Ethics Judgment Transparency
AI Threats: Annual training evidence must include AI-related data handling practices, bias mitigation, and responsible AI tool usage awareness.

Guidance to Implement

Include in contracts a requirement for annual AI security training covering data leakage via LLMs, responsible use, and bias awareness. Vendors must submit proof of completion and content summaries.

Guidance to Audit

Request anonymized completion data and a training content outline. Verify that the training content includes AI-specific elements (e.g., prompt injection, misuse, shadow training).

Key Performance Indicator

X% of third-party vendors provide annual evidence of AI-related training and awareness for their employees.

Integrity Transparency
AI Threats: Addresses OWASP LLM03:2025 by reducing the risk of supply chain compromise via untrusted AI tools.

Guidance to Implement

Add AI-specific disclosure clauses in supplier contracts and audit third-party AI tool usage annually.

Guidance to Audit

Maintain copies of contracts, audit reports, and vendor AI risk certifications.

Key Performance Indicator

X% of vendor contracts disclose AI risks and risk mitigation policies for AI tools used in services.

Integrity Judgment Transparency
AI Threats: Limits exposure to unpatched or malicious third-party models/services and provides legal leverage for rapid remediation.

Guidance to Implement

Use a standard AI-security rider with minimum SLA and provenance requirements. Mandate timely patching and disclosure of model vulnerabilities. Require right-to-audit and termination rights on security grounds.

Guidance to Audit

Inspect vendor contracts for presence of AI-security rider and patch SLA. Review vendor security attestations and third-party audit reports annually. Track patch SLA compliance metrics in vendor-management system.

Key Performance Indicator

X% of third-party AI service contracts include AI security clauses, patch deadlines, vulnerability disclosure, and provenance guarantees.

Judgment Transparency
AI Threats: Exposes hidden privacy threats in third-party models.

Guidance to Implement

Include the PIA requirement in the RFP checklist; block onboarding if the PIA is absent.

Guidance to Audit

Audit the vendor's PIA against the risk matrix during the annual review.

Key Performance Indicator

X% of high-risk AI vendors provide a Privacy Impact Assessment (PIA) before onboarding.