AI third-party risk matrix
Most organisations have far more AI in their stack than they realise — the official API, the note-taker plugged into meetings, the AI feature buried inside a SaaS tool a team turned on last month. Each one is a third party that can see your data, and each is a potential leak path. This matrix turns that sprawl into a scored inventory so you can govern it deliberately instead of discovering it during an incident.
The shadow AI problem
The typical organisation’s AI inventory discovered by a proper audit is two to three times larger than what IT knows about. The gap lives in:
- Browser extensions with AI features that process page content or meetings
- SaaS products that have added AI capabilities to features already in use
- Free-tier tools adopted by individuals without procurement review
- Integrations and plugins inside approved software that route data to a separate AI provider
Each of these is a data pipeline to a third party, usually with retention terms nobody read and no signed data processing agreement. The matrix asks you to surface all of them before scoring starts.
How it works
You add each AI provider, API, or embedded feature and classify three things: the most sensitive data it can reach, how long it retains inputs, and whether you have a signed data processing agreement. The tool combines those into a risk score — sensitivity plus retention, with an extra penalty when personal data flows to a vendor with no DPA — and assigns each row a LOW, MEDIUM, or HIGH band. The portfolio summary surfaces your single highest exposure so you know where to start.
How the scoring works
The risk score has three components:
Data sensitivity — from public/internal data (lower) through confidential business data, to special-category personal data (highest). The higher the sensitivity, the more damage a breach or retention incident causes.
Retention behaviour — from zero or minimal retention (lower) through standard logs, to training-use retention (highest). A provider that trains on your data keeps it for years; a zero-retention mode limits exposure to the query window.
DPA penalty — when personal data flows to a vendor and no data processing agreement is in place, the score receives an additional penalty. Under GDPR, a DPA is a legal requirement for controllers using processors, not an optional formality.
The three components add to produce a score that determines the LOW/MEDIUM/HIGH band. A tool scoring HIGH is not necessarily one you must remove — it is one that requires action: a signed DPA, a retention configuration change, a data-minimisation measure, or a considered accept-the-risk decision with sign-off.
Tips and notes
- Hunt for shadow AI first. The riskiest tools are usually the ones nobody formally approved — browser extensions, free transcription apps, AI features toggled on inside existing software.
- Retention is the cheapest lever. Switching a provider to zero retention or opting out of training on your data often drops a row from HIGH to LOW with no loss of function.
- Re-score after every contract change. A renewed DPA or a provider policy update can move a tool between bands — keep the matrix current rather than treating it as a one-off audit.
- Accept-or-remediate decisions need sign-off. A HIGH row you decide to accept should carry a named owner and a review date, not just a note that you saw it.