Supply Chain Management, Transparency, and Accountability
CSA AI Controls Matrix v1.1 domain
Identify and govern upstream AI, data, software, and cloud dependencies.
What this domain means for procurement
Foundation models, datasets, components, tools, and infrastructure providers can change risk without a buyer changing products. Procurement needs current dependency disclosure and flow-down accountability.
How TrustAtlas dimensions support it
Dependency chain is the direct measure; transparency covers disclosure; business stability covers concentration and substitutes; IP exposure covers rights and provenance across suppliers.
This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.
Questions to ask vendors
Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.
- Provide a current inventory of foundation models, datasets, software components, tools, and infrastructure providers used by the service.
- How are security, privacy, IP, and incident obligations flowed down to critical suppliers and verified?
- What notice do customers receive before a material model, subprocessor, data source, or hosting dependency changes?
- Which single-provider dependencies lack a tested substitute, and what is the continuity plan for each?
Related
- Back to all 18 CSA AICM v1.1 domains
- Official CSA AICM v1.1 artifact
- NIST AI RMF cross-walk
- TrustAtlas methodology — how the nine risk dimensions are scored