Third-party AI suppliers introduce significant risk through model updates, changes in training data, and modifications to system behavior (for example, revised weights, retraining on new data, or altered guardrails and system prompts). Contractual disclosure requirements let the acquiring organization maintain active risk oversight even though it does not control the vendor's development processes.
Why B is Correct: The ISACA AAIR framework emphasizes that third-party AI contracts must protect against harms arising from undisclosed changes. When a vendor silently updates a model, the acquiring organization cannot assess the new risks before they affect users, decisions, or regulated outcomes, and it may not even know which model version produced a given output. A timely disclosure requirement gives the organization notice of what changed and when, so it can re-test, re-validate, and mitigate before individuals are harmed.
Why A is Wrong: Availability guarantees are service-level concerns addressed by SLA provisions. While important operationally, they say nothing about what has changed in the AI model, which is the risk management question that disclosure requirements answer.
Why C is Wrong: Internal trust-building is a change management consideration, not the primary purpose of contractual disclosure requirements. Contracts address risk obligations between the parties, not organizational confidence.
Why D is Wrong: Vendor staff access to sensitive datasets is a data access and privacy concern addressed through data processing agreements and access controls, not through model update disclosure requirements.