Episode 60 — Embed vendor AI security requirements before procurement begins (Task 9)
This episode introduces Task 9 by showing how to embed vendor AI security requirements before procurement begins, because AAISM expects you to shape vendor risk outcomes early through clear requirements, evidence expectations, and contractual controls rather than trying to “fix” weak vendor posture after adoption. You’ll define what vendor requirements should cover for AI services: data handling and retention, logging and monitoring support, model update and change notification, access control options, incident reporting timelines, security testing evidence, and clarity on how prompts and outputs may be stored or used. We’ll use a scenario where the business wants to rapidly adopt a hosted model service, and you’ll practice identifying requirements that prevent later surprises, such as undocumented subcontractors, limited audit rights, or default retention settings that conflict with privacy obligations. Troubleshooting focuses on avoiding vague security questionnaires by demanding specific evidence and decision rights that align with governance and risk acceptance processes.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.