R48 — Third-Party Model Procurement DD Gap

Stress-test Third-Party Model Procurement DD Gap in the AI startup scenario (Series-B, AI-first, six new AI risks in your register).
R48 · Category: AI · Severity 7 (Major) · Residual offset +10

Foundation models bought from vendors without due diligence (DD) on training-data provenance, security review, or model-card transparency. The EU AI Act's provider/deployer distinction requires this diligence.

What is Third-Party Model Procurement DD Gap?

Foundation models bought from vendors without due diligence (DD) on training-data provenance, security review, or model-card transparency. The EU AI Act's provider/deployer distinction requires this diligence. CISO Game tracks this as R48 in the live risk register, severity 7 (Major), category AI.

How does CISO Game model Third-Party Model Procurement DD Gap?

Exposure for R48 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products. How the exposure model works →

Real-world parallel

Third-party model procurement DD gap is the AI-specific TPRM failure: buying an AI feature without evaluating the underlying model's training-data lineage, its capability boundaries, or the vendor's security posture. The questionnaire categories for this are still maturing; expect rapid evolution over the next 18 months.

How do security teams mitigate Third-Party Model Procurement DD Gap?

The dominant subscore levers for this risk are:

Residual offset: +10 exposure points are structural; no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.

Gated: only active when AI focus is enabled in Setup.

Which investments mitigate Third-Party Model Procurement DD Gap?

Products in CISO Game that reduce exposure to R48:

Which related risks should you also watch?

Risks with similar dominant subscores or shared category — addressing one often helps the others:

Why does Third-Party Model Procurement DD Gap matter to a CISO?

AI risk is the newest category in the register. Third-Party Model Procurement DD Gap requires controls that are still maturing: model cards, AI red-teaming, AI security posture management (AI-SPM), and prompt-injection detection. CISO Game's AI focus toggle activates these.

How can you test your mitigation strategy?

Click Play CISO Game free to see R48 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.

Stress-test Third-Party Model Procurement DD Gap in the AI startup scenario →