Control 2.7: Vendor and Third-Party Risk Management
Control ID: 2.7
Pillar: Management
Regulatory Reference: GLBA Section 501(b), SOX Section 404, FINRA Rule 4511, FINRA Rule 3110, FINRA Regulatory Notice 25-07, SEC Rule 17a-4(f), OCC Bulletin 2011-12, OCC Bulletin 2013-29, Federal Reserve SR 11-7, Interagency Guidance on Third-Party Relationships (FRB/FDIC/OCC, June 2023), OWASP LLM Top 10 (2025)
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish a comprehensive framework for identifying, assessing, and managing risks associated with third-party vendors and connectors used by AI agents. Vendor risk management addresses the unique risks introduced by Power Platform connectors, custom APIs, external AI services, and dynamic tool loading.
Why This Matters for FSI
- Interagency Guidance on Third-Party Relationships (FRB/FDIC/OCC, June 2023): Establishes lifecycle expectations (planning, due diligence, contract negotiation, ongoing monitoring, termination) that supervised institutions are expected to apply to AI/connector vendors
- OCC Bulletin 2013-29 / Bulletin 2020-10 FAQs: Third-party risk management expectations for national banks, including risk-tiered due diligence and ongoing monitoring
- OCC Bulletin 2011-12 & Federal Reserve SR 11-7: Treat third-party AI/LLM providers as part of the model supply chain; vendor change can constitute a model change requiring re-validation
- GLBA Section 501(b) (16 CFR Part 314 Safeguards Rule): Requires service-provider oversight, written contracts, and periodic assessment for any vendor handling customer information
- SOX Section 404: Internal controls over financial reporting extend to vendor-provided services that influence reportable processes; SOC 1/SOC 2 reporting helps support attestation
- FINRA Rule 3110(a): Supervisory system must reasonably address risks introduced by third-party tools used in business communications and recordkeeping
- FINRA Rule 4511 / SEC Rule 17a-4(f): Books-and-records vendors (archiving, WORM) supporting AI-generated content must meet electronic recordkeeping requirements; recent amendments (effective May 2023) accept audit-trail alternatives but still require demonstrable immutability
- FINRA Regulatory Notice 25-07: Reinforces that AI-generated communications are subject to existing recordkeeping and supervision rules — vendor capability gaps become firm-level deficiencies
- OWASP LLM Top 10 (LLM03 Supply Chain, LLM05 Improper Output Handling, LLM07 Insecure Plugin Design): Identify supply-chain, plugin, and tool-loading risks unique to LLM-backed agents
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
AI agents frequently connect to external services, APIs, and data sources that may introduce security vulnerabilities, compliance gaps, or operational dependencies:
| Capability | Description | FSI Application |
|---|---|---|
| Connector Inventory | Catalog all third-party connectors | Regulatory examination readiness |
| Vendor Risk Assessment | Evaluate vendor security and compliance | Interagency Guidance requirements |
| Contract Management | Security clauses and SLAs | Contractual protections |
| Dynamic Tool Governance | Control runtime plugin loading | OWASP supply chain risk |
| Ongoing Monitoring | Continuous vendor oversight | Emerging risk detection |
Connector Risk Categories
| Category | Examples | Risk Level | Assessment Frequency |
|---|---|---|---|
| Microsoft First-Party | Dataverse, SharePoint, Teams | Low | Annual |
| Certified Third-Party | Salesforce, SAP, ServiceNow | Medium | Semi-annual |
| Independent Publisher | Community connectors | High | Quarterly |
| Custom Connectors | Organization-built APIs | Medium-High | Quarterly |
| External AI Services | OpenAI, third-party LLMs | High | Quarterly |
FSI-Specific Vendor Categories
Financial services organizations typically integrate with specialized vendors. Include these categories in your vendor risk assessment:
| Vendor Category | Example Vendors | Key Assessment Areas |
|---|---|---|
| Archiving/WORM Storage | Smarsh, Global Relay, Proofpoint Archive, Bloomberg Vault | SEC 17a-4 attestation, immutability certification, AI content support |
| Communication Compliance | Theta Lake, NICE Actimize, Behavox | AI interaction capture, FINRA 25-07 recordkeeping compliance, review workflow |
| Identity Verification | Jumio, Onfido, IDology | Synthetic identity detection, deepfake detection, KYC support |
| LLM/AI Providers | Azure OpenAI, Amazon Bedrock, Anthropic | Data residency, training data policy, SOC 2 certification |
| Copilot Plugins | Third-party M365 Copilot plugins | Data access scope, permission requirements, publisher verification |
| MCP Tool Providers | Custom MCP server implementations | API security, data handling, logging capabilities |
Anthropic Native Integration
Anthropic Claude models are now natively integrated in Copilot Studio as a first-party model provider option — organizations no longer need to build custom connectors to use Anthropic models. This changes the vendor risk profile: Anthropic model usage is governed through Microsoft's platform agreements rather than requiring a separate direct vendor relationship. Update vendor inventories and risk assessments accordingly.
With ChatGPT-5 and Claude models now generally available as native Copilot Studio model options, organizations should update their vendor risk inventories to classify these as production-tier third-party model providers requiring quarterly risk assessment.
MCP Clarification: Model Context Protocol (MCP) is an open protocol for tool integration, not a Microsoft-native capability. Organizations implementing MCP-based integrations must apply vendor risk management (Control 2.7) accordingly. Native Microsoft connectors do not use MCP—this guidance applies only to custom agent implementations.
Vendor Assessment Checklist for AI Integrations:
- Does the vendor support AI-generated content archiving per FINRA 25-07 recordkeeping requirements?
- Can the vendor distinguish AI-generated vs human-generated content in records?
- Does the vendor provide immutable storage (WORM) for AI interactions?
- What is the vendor's data residency and AI training policy?
- Does the vendor have SOC 2 Type II attestation covering AI services?
Key Configuration Points
- Maintain complete inventory of all third-party connectors with risk classifications
- Require SOC 2 Type II (or equivalent) for Zone 3 vendors
- Implement AI-specific contract clauses (model change notification, no training on customer data)
- Configure default-deny for runtime tool discovery and marketplace installations
- Map transitive data exposure for tool chains invoking multiple third parties
- Establish review cadence (monthly usage, quarterly performance, annual security)
- Document exit plans for critical vendor relationships
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Maintain a connector inventory (refreshed at least annually); rely on Microsoft and verified-publisher connectors only; standard contract terms acceptable; no custom or independent-publisher connectors without exception approval | Personal-productivity scope; limited blast radius but still subject to firm-wide DLP and recordkeeping obligations |
| Zone 2 (Team) | Formal vendor questionnaire on intake; SOC 2 Type II (or ISO 27001 + bridge letter) recommended for non-Microsoft vendors; quarterly usage and risk review; documented business owner per connector; AI-specific contract clauses for any LLM-backed integration | Shared agents extend data exposure across teams; FINRA 3110 supervisory expectations apply |
| Zone 3 (Enterprise) | Comprehensive risk-tiered due diligence aligned to Interagency 2023 Guidance; SOC 2 Type II required (SOC 1 where financially material); continuous monitoring (telemetry, security advisories, financial health); contractual audit rights; documented and tested exit/contingency plan; board- or committee-level reporting; transitive data-flow map maintained | Customer-facing or financially material; subject to OCC/Fed/SEC examination; vendor failure could constitute a recordkeeping or safeguards breach |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| AI Governance Lead | Owns vendor risk policy, tiering criteria, and AI-specific assessment standards for agent integrations |
| Power Platform Admin | Maintains connector inventory, configures DLP/connector policies, restricts custom and independent-publisher connectors per zone |
| AI Administrator | Governs Copilot Studio model providers, plugins, and MCP integrations; coordinates with vendor risk on AI provider changes |
| Procurement / Vendor Management | Executes contract lifecycle, ensures SOC 2 / SOC 1 collection, manages renewals, exits, and subprocessor approvals |
| Security Team | Performs technical security review (SOC 2 analysis, penetration test review, incident response posture) and continuous monitoring |
| Compliance Officer | Confirms regulatory alignment (FINRA 3110/4511, SEC 17a-4, GLBA 501(b), Interagency 2023 Guidance); supports board/committee reporting |
| Model Risk Manager | Treats third-party LLM/AI providers as model supply-chain elements; coordinates with Control 2.6 on vendor-driven model changes |
Related Controls
| Control | Relationship |
|---|---|
| 1.4 - Advanced Connector Policies | Connector-level security and granular action controls |
| 1.5 - DLP Policies | Tenant-wide data protection that operationalizes vendor risk decisions |
| 2.1 - Managed Environments | Environment governance — required to enforce connector and plugin restrictions in Zone 2/3 |
| 2.6 - Model Risk Management | Vendor model changes are a model-risk trigger requiring re-validation |
| 2.17 - Multi-Agent Orchestration Limits | Agent-to-agent composition risks and transitive vendor exposure |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Connector inventory is current (refreshed at least quarterly for Zone 2/3) and includes publisher type, business owner, environments, data classes, and risk tier
- SOC 2 Type II (or accepted equivalent) on file and within validity window for every Zone 2/3 third-party vendor; gaps tracked with compensating controls and risk-acceptance dates
- Vendor contracts for AI/LLM providers include the AI-specific clauses (model change notice, no-training-on-customer-data, AI incident notification, audit rights, data residency)
- Power Platform DLP policies block independent-publisher and unapproved custom connectors in Zone 2/3 environments by default; exception register is maintained and reviewed
- Transitive data-flow maps exist for every Zone 3 multi-tool agent and identify downstream subprocessors, residency, and recordkeeping coverage
- Quarterly vendor risk report is delivered to the AI governance committee (and board/risk committee where required); evidence retained per FINRA 4511 / SEC 17a-4 retention schedules
- Documented exit/contingency plan exists for every Zone 3 critical vendor, with at least one tabletop test in the prior 12 months
Additional Resources
- Microsoft Learn: Connectors overview for Power Platform
- Microsoft Learn: Data Loss Prevention policies
- Microsoft Learn: Custom connectors overview
- Microsoft Learn: Manage plugins and connectors in Copilot Studio
- Microsoft Learn: Managed Environments overview
- Microsoft Learn: Microsoft 365 Copilot data, privacy, and security
- Microsoft Service Trust Portal (SOC reports, attestations)
- Interagency Guidance on Third-Party Relationships: Risk Management (2023)
- OCC Bulletin 2013-29: Third-Party Relationships
- OWASP Top 10 for LLM Applications (2025)
- OWASP Agentic AI Threats and Mitigations
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current