Supply Chain Management, Transparency, and Accountability

CSA AI Controls Matrix v1.1 domain

Identify and govern upstream AI, data, software, and cloud dependencies.

What this domain means for procurement

Foundation models, datasets, components, tools, and infrastructure providers can change risk without a buyer changing products. Procurement needs current dependency disclosure and flow-down accountability.

How TrustAtlas dimensions support it

Dependency chain is the direct measure; transparency covers disclosure; business stability covers concentration and substitutes; IP exposure covers rights and provenance across suppliers.

Dependency chainTransparencyBusiness stabilityIP exposure

This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.

Questions to ask vendors

Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.

  1. Provide a current inventory of foundation models, datasets, software components, tools, and infrastructure providers used by the service.
  2. How are security, privacy, IP, and incident obligations flowed down to critical suppliers and verified?
  3. What notice do customers receive before a material model, subprocessor, data source, or hosting dependency changes?
  4. Which single-provider dependencies lack a tested substitute, and what is the continuity plan for each?
← Security Incident Management, E-Discovery, & Cloud Forensics Threat & Vulnerability Management →

Related