GASP: AICF


AIG-033 AI Supply Chain Responsibility Allocation

Tier 2+AI

Description

Written agreements with third-party AI providers and downstream AI system integrators define: each party's responsibilities for compliance with applicable AI regulations, information exchange obligations (technical documentation, incident notification, model change notification), and what happens when the third party's AI system becomes high-risk due to the organisation's use or modification. For integrators who build on the organisation's AI systems, the agreement specifies obligations equivalent to those in EU AI Act Art. 25 and Art. 53 where relevant.

Rationale

AI supply chain responsibility is uniquely ambiguous: the same model can shift from non-high-risk to high-risk based on how a downstream party deploys it; contractual clarity is required to prevent responsibility gaps.

Framework Mappings (4)

EU-AI-Art.25.2: Value Chain Responsibilities — Supply Chain Agreements (full)
EU-AI-Art.53.2: GPAI Model Obligations — Downstream Provider Information (full)
A.10.2: Allocating responsibilities (full)
MAP 4.2: Internal AI Risk Controls Identification (partial)

Evidence (1)

contract · manual

Written agreements with third-party AI providers and downstream AI integrators defining each party's compliance responsibilities, information exchange obligations, and incident and model-change notification duties.

Example: AI Supply Chain Responsibility Addendum to Partner API Agreement (executed 2025-07-12): defines provider's obligation to notify of model changes affecting high-risk classification within 14 days, integrator's obligation to maintain deployer compliance obligations equivalent to EU AI Act Art. 25, and mutual incident notification SLA of 48 hours.

Test: Request supply chain responsibility agreements for upstream AI providers and downstream integrators. Verify: (1) each party's compliance responsibilities are explicitly allocated, (2) model change and incident notification obligations are defined with timeframes, (3) downstream integrators building on the organisation's AI are bound to equivalent deployer obligations, (4) agreements are executed and current, (5) responsibility allocation covers the scenario where a downstream party's use case triggers a high-risk classification.

Questions (2)

boolean

Do your written agreements with third-party AI providers and downstream AI integrators explicitly allocate compliance responsibilities and define information exchange obligations?

AI supply chain responsibility is uniquely ambiguous: the same model can shift from non-high-risk to high-risk based on how a downstream party deploys it. Contractual clarity is required to prevent responsibility gaps under the EU AI Act.

multi

Which of the following are addressed in your AI supply chain agreements?

Each party's responsibilities for compliance with applicable AI regulations
Technical documentation exchange obligations
Incident notification obligations with defined timeframes
Model change notification obligations with defined timeframes
Obligations that apply when the downstream party's use triggers a high-risk classification
Downstream integrators bound to deployer obligations equivalent to EU AI Act Art. 25

All six provisions are expected for agreements covering high-risk AI systems. The obligation covering high-risk reclassification by downstream use is the provision most commonly absent from AI supply chain contracts and represents significant regulatory exposure.