AI third-party risk matrix
Most organisations have far more AI in their stack than they realise — the official API, the note-taker plugged into meetings, the AI feature buried inside a SaaS tool a team turned on last month. Each one is a third party that can see your data, and each is a potential leak path. This matrix turns that sprawl into a scored inventory so you can govern it deliberately instead of discovering it during an incident.
How it works
You add each AI provider, API, or embedded feature and classify three things: the most sensitive data it can reach, how long it retains inputs, and whether you have a signed data processing agreement. The tool combines those into a risk score — sensitivity plus retention, with an extra penalty when personal data flows to a vendor with no DPA — and assigns each row a LOW, MEDIUM, or HIGH band. The portfolio summary surfaces your single highest exposure so you know where to start.
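The scoring described above, as an added Python illustration rather than the tool's own code: the tier values, the no-DPA penalty and the band thresholds are assumptions chosen so the model behaves the way the text describes, and the inventory at the bottom is constructed sample data.

```python
from dataclasses import dataclass

# Added illustration: scales and thresholds are assumed, not the tool's own numbers.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "personal": 3}
RETENTION = {"zero": 0, "days": 1, "indefinite": 2, "training": 3}
NO_DPA_PENALTY = 2  # assumed extra weight when personal data flows with no signed DPA


@dataclass(frozen=True)
class AiTool:
    name: str          # provider, API or embedded feature
    sensitivity: str   # most sensitive data class it can reach (key of SENSITIVITY)
    retention: str     # how long it keeps inputs (key of RETENTION)
    has_dpa: bool      # signed data processing agreement on file


def score(tool: AiTool) -> int:
    """Sensitivity plus retention, plus a penalty for personal data with no DPA."""
    total = SENSITIVITY[tool.sensitivity] + RETENTION[tool.retention]
    if tool.sensitivity == "personal" and not tool.has_dpa:
        total += NO_DPA_PENALTY
    return total


def band(value: int) -> str:
    """Assumed bands: 0-2 LOW, 3-4 MEDIUM, 5 and above HIGH."""
    if value <= 2:
        return "LOW"
    return "MEDIUM" if value <= 4 else "HIGH"


def portfolio_summary(tools: list[AiTool]) -> dict:
    """Score every row and surface the single highest exposure to start with."""
    scored = [(t, score(t)) for t in tools]
    worst, worst_score = max(scored, key=lambda pair: pair[1])
    return {
        "rows": {t.name: (s, band(s)) for t, s in scored},
        "highest_exposure": worst.name,
        "highest_band": band(worst_score),
    }


# Constructed inventory: an approved API, a shadow note-taker, an embedded SaaS feature.
INVENTORY = [
    AiTool("approved-llm-api", "confidential", "zero", True),
    AiTool("meeting-notetaker", "personal", "training", False),
    AiTool("saas-ai-feature", "internal", "days", True),
]

if __name__ == "__main__":
    print(portfolio_summary(INVENTORY))
```

Re-running `score` on a row after changing its retention or DPA field shows the "retention is the cheapest lever" effect: the note-taker drops from HIGH to MEDIUM once retention is zero and a DPA is signed.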
Tips and notes
- Hunt for shadow AI first. The riskiest tools are usually the ones nobody formally approved — browser extensions, free transcription apps, AI features toggled on inside existing software.
- Retention is the cheapest lever. Switching a provider to zero retention or opting out of training on your data often drops a row from HIGH to LOW with no loss of function.
- Re-score after every contract change. A renewed DPA or a provider policy update can move a tool between bands — keep the matrix current rather than treating it as a one-off audit.