
Control 2.7: Vendor and Third-Party Risk Management

Overview

  • Control ID: 2.7
  • Control Name: Vendor and Third-Party Risk Management
  • Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, OCC 2011-12, Fed SR 11-7, Interagency Third-Party Guidance (2023)
  • Setup Time: 1-2 hours


Purpose

Establish a comprehensive framework for identifying, assessing, and managing risks associated with third-party vendors and connectors used by AI agents in the Power Platform environment. Vendor risk management is critical for financial services organizations because AI agents frequently connect to external services, APIs, and data sources that may introduce security vulnerabilities, compliance gaps, or operational dependencies. This control ensures that all third-party relationships are properly vetted, documented, and monitored throughout their lifecycle.


Description

Vendor and third-party risk management for AI agents extends traditional vendor management to address the unique risks introduced by Power Platform connectors, custom APIs, and external AI services. In financial services, third-party relationships are subject to rigorous regulatory scrutiny, and AI agents that connect to external services must be evaluated for data security, operational resilience, and regulatory compliance.

Key Capabilities

| Capability | Description | FSI Relevance |
|---|---|---|
| Connector Inventory | Complete catalog of all third-party connectors in use | Required for regulatory exams and audits |
| Vendor Risk Assessment | Systematic evaluation of vendor security and compliance | Meets OCC 2011-12 and Interagency Guidance requirements |
| Contract Management | Security clauses and SLAs in vendor agreements | Ensures contractual protections for data and operations |
| Ongoing Monitoring | Continuous oversight of vendor performance and risk | Detects emerging risks and service degradation |
| Exit Planning | Documented procedures for vendor termination | Ensures business continuity and data protection |

Connector Categories and Risk Levels

| Category | Examples | Risk Level | Assessment Frequency |
|---|---|---|---|
| Microsoft First-Party | Dataverse, SharePoint, Teams | Low | Annual |
| Certified Third-Party | Salesforce, SAP, ServiceNow | Medium | Semi-annual |
| Independent Publisher | Community-created connectors | High | Quarterly |
| Custom Connectors | Organization-built APIs | Medium-High | Quarterly |
| External AI Services | OpenAI, third-party LLMs | High | Quarterly |

Prerequisites

  • Primary Owner Admin Role: AI Governance Lead
  • Supporting Roles: Compliance Officer

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Microsoft 365 E3/E5 | Core security and compliance | All environments |
| Power Platform Premium | Managed Environments, DLP policies | Connector governance |
| Copilot Studio | Agent creation and management | Agent governance |
| Microsoft Purview | Data governance and classification | Sensitive data controls |
| Power Platform Admin | Admin center access | Configuration |

Permissions Required

| Role | Purpose | Assignment Method |
|---|---|---|
| Power Platform Admin | Full admin access, connector policies | Entra ID role assignment |
| Environment Admin | Environment-level connector review | PPAC assignment |
| Compliance Administrator | Audit and compliance review | Entra ID role assignment |
| Security Reader | Security assessment access | Entra ID role assignment |
| Global Reader | Read-only access across tenant | Entra ID role assignment |

Dependencies

| Dependency | Description | Verification |
|---|---|---|
| DLP Policies | Data Loss Prevention policies configured | Check PPAC → Data policies |
| Managed Environments | Environments marked as managed | Check PPAC → Environments |
| Vendor Management Policy | Organizational vendor policy exists | Review IT governance docs |
| Contract Management System | System for tracking vendor contracts | Verify access to contracts |
| Risk Assessment Framework | Standardized risk assessment criteria | Review risk management docs |

Pre-Setup Checklist

  • [ ] Inventory of current third-party connectors compiled
  • [ ] Vendor management policy reviewed and updated for AI/agent use cases
  • [ ] Risk assessment criteria defined for connector evaluation
  • [ ] Contract templates updated with AI-specific security clauses
  • [ ] Stakeholder roles assigned (Procurement, Legal, Security, Compliance)
  • [ ] Monitoring and alerting requirements documented
  • [ ] Incident response procedures for third-party issues defined

Governance Levels

Baseline (Level 1)

| Setting | Configuration |
|---|---|
| Connector Inventory | Maintained quarterly |
| Risk Assessment | Basic checklist completed |
| Contract Review | Security clauses present |
| Monitoring | Ad-hoc review |

Minimum requirements:

  • Maintain inventory of all third-party connectors and integrations
  • Complete basic vendor risk questionnaire for each vendor
  • Document vendor relationships and contacts

| Setting | Configuration |
|---|---|
| Connector Inventory | Maintained monthly |
| Risk Assessment | Formal assessment process with scoring |
| Contract Review | Standardized security addendum |
| Monitoring | Quarterly performance reviews |
| SLA Tracking | Documented with alerts |

FSI recommendations:

  • Formal vendor assessment process with documented criteria
  • Annual security questionnaires for all critical vendors
  • SLAs documented and tracked
  • Vendor contacts verified and updated

Regulated/High-Risk (Level 4)

| Setting | Configuration |
|---|---|
| Connector Inventory | Real-time tracking |
| Risk Assessment | Comprehensive vetting with board reporting |
| Contract Review | Legal review with regulatory-specific clauses |
| Monitoring | Continuous with automated alerts |
| Audit Rights | Contractually guaranteed |
| Exit Plans | Documented and tested |

FSI requirements:

  • Comprehensive vendor vetting with contractual security requirements
  • Continuous monitoring with automated alerting
  • Audit access logs reviewed weekly
  • Board-level reporting on critical vendor risks
  • Annual on-site assessments for Tier 1 vendors

Setup & Configuration

Setup & Configuration Steps

Step 1: Inventory Third-Party Connectors

  1. Sign in to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com)
  2. Navigate to Analytics > Power Automate or Power Apps
  3. Review connector usage reports across all environments
  4. Export the list of connectors in use
  5. Categorize connectors by:
     • Publisher type (Microsoft, certified, independent, custom)
     • Data sensitivity (what data flows through the connector)
     • Business criticality (impact if connector fails)
     • Environment placement (Tier 1, 2, or 3)

Document for each connector:

| Field | Description |
|---|---|
| Connector Name | Official connector name |
| Publisher | Microsoft, verified publisher, or custom |
| Environments | List of environments where used |
| Data Types | What data flows through the connector |
| Business Owner | Internal owner responsible |
| Risk Classification | Low, Medium, High, Critical |
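The categorization step above, as an added PowerShell example that is not part of this control's own scripts: it maps each connector's publisher type to the risk level and assessment frequency from the Connector Categories table and flags connectors whose assessment is overdue or was never done. The inventory rows and connector names are constructed sample data; `Get-ConnectorAssessmentStatus` and the `PublisherType`/`LastAssessed` field names are this example's own.

```powershell
# Risk level and assessment cadence per publisher type, taken from the
# Connector Categories and Risk Levels table of this control
$riskMatrix = @{
    "Microsoft"            = @{ RiskLevel = "Low";         Months = 12 }
    "Certified"            = @{ RiskLevel = "Medium";      Months = 6 }
    "IndependentPublisher" = @{ RiskLevel = "High";        Months = 3 }
    "Custom"               = @{ RiskLevel = "Medium-High"; Months = 3 }
    "ExternalAI"           = @{ RiskLevel = "High";        Months = 3 }
}

# Hypothetical helper (not a Power Platform cmdlet): classify each inventory
# row and compute when its next vendor assessment is due
function Get-ConnectorAssessmentStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($item in $Inventory) {
        if ($item.PublisherType -and $riskMatrix.ContainsKey($item.PublisherType)) {
            $rule = $riskMatrix[$item.PublisherType]
        }
        else {
            # Unknown publisher type: treat as High until someone classifies it
            $rule = @{ RiskLevel = "High (unclassified)"; Months = 3 }
        }

        $last = if ($item.LastAssessed) { [datetime]$item.LastAssessed } else { $null }
        $due  = if ($last) { $last.AddMonths($rule.Months) } else { $AsOf }

        if (-not $last)                     { $status = "NeverAssessed" }
        elseif ($due -lt $AsOf)             { $status = "Overdue" }
        elseif ($due -lt $AsOf.AddDays(30)) { $status = "DueSoon" }
        else                                { $status = "Current" }

        [PSCustomObject]@{
            ConnectorName = $item.ConnectorName
            PublisherType = $item.PublisherType
            RiskLevel     = $rule.RiskLevel
            CadenceMonths = $rule.Months
            LastAssessed  = $last
            NextDue       = $due
            Status        = $status
        }
    }
}

# Constructed sample inventory (not real tenant data); a null LastAssessed
# means the connector has never been through the assessment process
$sampleInventory = @(
    [PSCustomObject]@{ ConnectorName = "shared_sharepointonline";  PublisherType = "Microsoft";            LastAssessed = "2025-03-01" }
    [PSCustomObject]@{ ConnectorName = "shared_salesforce";        PublisherType = "Certified";            LastAssessed = "2025-04-15" }
    [PSCustomObject]@{ ConnectorName = "shared_examplecommunity";  PublisherType = "IndependentPublisher"; LastAssessed = "2025-05-01" }
    [PSCustomObject]@{ ConnectorName = "cr_examplepricingapi";     PublisherType = "Custom";               LastAssessed = $null }
    [PSCustomObject]@{ ConnectorName = "shared_examplellm";        PublisherType = "ExternalAI";           LastAssessed = "2025-11-20" }
)

$status = Get-ConnectorAssessmentStatus -Inventory $sampleInventory -AsOf ([datetime]"2025-12-15")
$status | Sort-Object Status, RiskLevel | Format-Table -AutoSize

# Overdue and never-assessed connectors are the exceptions to raise with the
# vendor risk committee; export them as evidence for the review
$status | Where-Object { $_.Status -in @("Overdue", "NeverAssessed") } |
    Export-Csv -Path ".\AssessmentExceptions.csv" -NoTypeInformation
```

Feed it the real inventory exported in this step (with `PublisherType` and `LastAssessed` columns filled in) instead of the sample rows to produce the cadence report for the monthly connector usage review.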

Step 2: Assess Vendor Security

For each third-party vendor (non-Microsoft connectors), complete a security assessment:

  1. Request vendor documentation:
     • SOC 2 Type II report (or equivalent)
     • Security policies and procedures
     • Data processing agreements
     • Incident response procedures
     • Business continuity plans
  2. Complete security questionnaire covering:
     • Data encryption (transit and rest)
     • Access controls and authentication
     • Audit logging capabilities
     • Compliance certifications (SOC 2, ISO 27001, FedRAMP)
     • Data residency and sovereignty
     • Subprocessor management
     • Incident notification procedures
  3. Assign risk score based on:
     • Security posture assessment results
     • Data sensitivity classification
     • Business criticality
     • Regulatory requirements

Step 3: Document Vendor Relationships

Create a vendor relationship record for each third-party service:

  1. Vendor Profile:
     • Company name and legal entity
     • Primary contacts (sales, support, security)
     • Contract dates (start, renewal, termination)
     • Service level agreements
  2. Security Documentation:
     • Latest SOC 2 report date
     • Security questionnaire completion date
     • Known security issues or findings
     • Remediation status
  3. Operational Information:
     • Integration architecture
     • Data flows and retention
     • Backup and recovery procedures
     • Escalation procedures

Step 4: Configure Connector Policies

  1. Navigate to Power Platform Admin Center > Policies > Data policies
  2. Review existing DLP policies for connector classifications
  3. Update policies based on vendor risk assessments:

Policy Configuration by Risk Level:

| Risk Level | DLP Classification | Approval Required | Monitoring |
|---|---|---|---|
| Low | Business | No | Standard |
| Medium | Business (with restrictions) | Manager | Enhanced |
| High | Non-business (blocked by default) | Security + Compliance | Continuous |
| Critical | Blocked | Exception process only | Real-time alerts |

  4. For high-risk connectors requiring exceptions:
     • Document business justification
     • Obtain security team approval
     • Implement compensating controls
     • Set review expiration date

Step 5: Establish Monitoring

  1. Configure connector usage monitoring:
     • Enable audit logging in Microsoft Purview
     • Create alerts for unusual connector activity
     • Monitor for new connector deployments
  2. Set up vendor performance tracking:
     • Track uptime and availability
     • Monitor latency and error rates
     • Review SLA compliance monthly
  3. Establish review cadence:

| Review Type | Frequency | Participants |
|---|---|---|
| Connector Usage | Monthly | IT Governance |
| Vendor Performance | Quarterly | IT + Business Owners |
| Security Assessments | Annual (minimum) | Security + Compliance |
| Contract Reviews | 90 days before renewal | Procurement + Legal |
| Board Reporting | Quarterly | Executive + Compliance |

PowerShell Configuration

Connect to Power Platform

```powershell
# Install Power Platform admin module
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force

# Connect to Power Platform
Add-PowerAppsAccount

# Verify connection
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName | Format-Table
```

Get Connectors in Use

```powershell
# Enumerate environments, the apps and flows in each, and the connections
# (connector instances) that exist there
$environments = Get-AdminPowerAppEnvironment

$connectorUsage = @()

foreach ($env in $environments) {
    Write-Host "Scanning environment: $($env.DisplayName)" -ForegroundColor Cyan

    # Get apps in environment
    $apps = Get-AdminPowerApp -EnvironmentName $env.EnvironmentName

    foreach ($app in $apps) {
        Write-Host "  App: $($app.DisplayName)"
    }

    # Get flows in environment
    $flows = Get-AdminFlow -EnvironmentName $env.EnvironmentName

    foreach ($flow in $flows) {
        Write-Host "  Flow: $($flow.DisplayName)"
    }

    # Get connections in the environment; each connection records the
    # connector (API name such as shared_sharepointonline) it was created
    # against, which is what the connector inventory needs
    $connections = Get-AdminPowerAppConnection -EnvironmentName $env.EnvironmentName

    foreach ($connection in $connections) {
        $connectorUsage += [PSCustomObject]@{
            Environment    = $env.DisplayName
            ConnectorName  = $connection.ConnectorName
            ConnectionName = $connection.ConnectionName
        }
    }
}

Write-Host "`nTotal environments scanned: $($environments.Count)"

# Distinct connectors in use, with the number of connections per connector
$connectorUsage | Group-Object ConnectorName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Export Connector Inventory

```powershell
# Export an environment-level DLP coverage summary (which policies actually
# apply to each environment); pair it with the connector listing above to
# build the full connector inventory
function Export-ConnectorInventory {
    param(
        [string]$OutputPath = ".\ConnectorInventory.csv"
    )

    $environments = Get-AdminPowerAppEnvironment
    # Fetch policies once; they are tenant-level objects
    $allPolicies = Get-DlpPolicy
    $inventory = @()

    foreach ($env in $environments) {
        # A policy applies to this environment when it is tenant-wide
        # (AllEnvironments), when the environment is on its include list
        # (OnlyEnvironments), or when it is NOT on its exclude list
        # (ExceptEnvironments). Testing only the environment list gets
        # ExceptEnvironments backwards.
        $dlpPolicies = $allPolicies | Where-Object {
            $listed = @($_.environments.name) -contains $env.EnvironmentName
            switch ($_.environmentType) {
                "AllEnvironments"    { $true }
                "OnlyEnvironments"   { $listed }
                "ExceptEnvironments" { -not $listed }
                default              { $false }
            }
        }

        $inventory += [PSCustomObject]@{
            EnvironmentName    = $env.DisplayName
            EnvironmentId      = $env.EnvironmentName
            EnvironmentType    = $env.EnvironmentType
            DLPPoliciesApplied = ($dlpPolicies | Measure-Object).Count
            DLPPolicyNames     = ($dlpPolicies.displayName -join "; ")
            AssessmentDate     = Get-Date -Format "yyyy-MM-dd"
        }
    }

    $inventory | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "Exported connector inventory to: $OutputPath" -ForegroundColor Green

    return $inventory
}

# Run export
$connectorInventory = Export-ConnectorInventory -OutputPath ".\VendorConnectorInventory.csv"
$connectorInventory | Format-Table
```

Review Connector Permissions

```powershell
# Review DLP policies and connector classifications
function Get-ConnectorPolicyReport {
    $dlpPolicies = Get-DlpPolicy

    $report = @()

    foreach ($policy in $dlpPolicies) {
        Write-Host "`n=== Policy: $($policy.displayName) ===" -ForegroundColor Cyan

        # Get connector groups. The DLP API names differ from the admin
        # center labels: "General" is the Business group, "Confidential" is
        # the Non-business group, and "Blocked" is Blocked.
        $businessGroup = $policy.connectorGroups | Where-Object { $_.classification -eq "General" }
        $nonBusinessGroup = $policy.connectorGroups | Where-Object { $_.classification -eq "Confidential" }
        $blockedGroup = $policy.connectorGroups | Where-Object { $_.classification -eq "Blocked" }

        $report += [PSCustomObject]@{
            PolicyName = $policy.displayName
            PolicyType = $policy.environmentType
            BusinessConnectors = ($businessGroup.connectors | Measure-Object).Count
            NonBusinessConnectors = ($nonBusinessGroup.connectors | Measure-Object).Count
            BlockedConnectors = ($blockedGroup.connectors | Measure-Object).Count
            CreatedTime = $policy.createdTime
            LastModified = $policy.lastModifiedTime
        }
    }

    return $report
}

$policyReport = Get-ConnectorPolicyReport
$policyReport | Format-Table -AutoSize
$policyReport | Export-Csv -Path ".\DLPPolicyReport.csv" -NoTypeInformation
```

Monitor Custom Connectors

```powershell
# Get all custom connectors across environments
function Get-CustomConnectorInventory {
    $environments = Get-AdminPowerAppEnvironment
    $customConnectors = @()

    foreach ($env in $environments) {
        # Get-AdminPowerAppConnector returns the custom connectors in an environment
        $connectors = Get-AdminPowerAppConnector -EnvironmentName $env.EnvironmentName

        foreach ($connector in $connectors) {
            $customConnectors += [PSCustomObject]@{
                ConnectorName = $connector.displayName
                ConnectorId = $connector.name
                Environment = $env.DisplayName
                Publisher = $connector.properties.publisher
                CreatedBy = $connector.properties.createdBy.displayName
                CreatedTime = $connector.properties.createdTime
                ApiDefinitionUrl = $connector.properties.apiDefinitionUrl
            }
        }
    }

    return $customConnectors
}

$customConnectors = Get-CustomConnectorInventory
Write-Host "`nCustom Connectors Found: $($customConnectors.Count)" -ForegroundColor Yellow
$customConnectors | Format-Table -AutoSize
$customConnectors | Export-Csv -Path ".\CustomConnectorInventory.csv" -NoTypeInformation
```

Financial Sector Considerations

Regulatory Mapping

| Regulation | Requirement | Control Implementation |
|---|---|---|
| OCC 2011-12 | Third-party risk management for banks | Comprehensive vendor vetting, ongoing monitoring, board reporting |
| FFIEC IT Examination Handbook | Outsourcing technology services | Due diligence, contract requirements, business continuity planning |
| Interagency Third-Party Guidance (2023) | Sound risk management throughout relationship lifecycle | Planning, due diligence, contract negotiation, ongoing monitoring, termination |
| GLBA 501(b) | Safeguard customer information | Vendor data protection requirements, security assessments |
| SOX 404 | Internal controls over financial reporting | Vendor controls testing, SOC reports review |
| FINRA 4511 | Books and records requirements | Vendor data retention, access to records |
| Fed SR 11-7 | Model risk management (for AI vendors) | AI/ML vendor validation, model documentation |

Interagency Third-Party Risk Management Guidance (June 2023)

The joint OCC, Federal Reserve, and FDIC guidance establishes the current standard for third-party risk management at banking organizations. Key requirements for AI agent vendor relationships:

| Lifecycle Stage | Requirements | AI Agent Considerations |
|---|---|---|
| Planning | Sound planning for third-party relationships | Identify AI/connector needs, assess alternatives |
| Due Diligence | Comprehensive assessment before engagement | AI-specific security review, data handling assessment |
| Contract Negotiation | Appropriate contractual protections | AI audit rights, model documentation, incident response |
| Ongoing Monitoring | Continuous oversight throughout relationship | Connector usage monitoring, performance tracking |
| Termination | Planning for relationship end | Data return/destruction, transition planning |

Tier-Specific Vendor Assessment

| Assessment Area | Tier 1 (Personal Productivity) | Tier 2 (Team Collaboration) | Tier 3 (Enterprise Managed) |
|---|---|---|---|
| Vendor Vetting | Self-certification | Basic questionnaire | Comprehensive assessment |
| Security Documentation | Optional | SOC 2 recommended | SOC 2 Type II required |
| Contract Review | Standard terms | Legal review | Security addendum required |
| Monitoring Frequency | Annual | Quarterly | Continuous |
| Audit Rights | Not required | Recommended | Required |
| Exit Planning | Optional | Documented | Tested annually |
| Board Reporting | None | Summary | Detailed risk report |

FSI Example: Regional Bank Vendor Risk Program

```text
Organization: Regional Community Bank
Environment: FSI-Zone3-Core-Banking-Agents

Vendor Risk Management Configuration:
  Program Scope:
    Tier 1 Vendors: Critical services, direct customer data access
    Tier 2 Vendors: Important services, limited data access
    Tier 3 Vendors: Convenience services, no sensitive data

  Third-Party Connectors:
    Approved Connectors:
      Microsoft First-Party:
        - Microsoft Dataverse
        - SharePoint Online
        - Microsoft Teams
        - Office 365 Users
        - Azure Key Vault
        Risk Level: Low
        Assessment: Annual

      Certified Connectors:
        - Salesforce (CRM integration)
        - DocuSign (document signing)
        - Adobe Sign (backup signing)
        Risk Level: Medium
        Assessment: Semi-annual
        SOC 2 Required: Yes

    Restricted Connectors:
      - All social media connectors
      - Consumer cloud storage
      - Public AI services without BAA

  Assessment Requirements:
    All Tier 1 Vendors:
      - SOC 2 Type II report (current within 12 months)
      - Completed security questionnaire (200+ questions)
      - On-site assessment (every 2 years)
      - Financial viability review
      - Business continuity test results

    All Tier 2 Vendors:
      - SOC 2 Type II report
      - Completed security questionnaire (50+ questions)
      - Virtual assessment acceptable

    All AI/ML Vendors:
      - Model documentation and validation
      - Data handling and retention policies
      - Bias testing results
      - Explainability documentation

  Contract Requirements:
    Standard Clauses:
      - Data protection and encryption requirements
      - Incident notification (24 hours for critical)
      - Audit rights (annual minimum)
      - Subprocessor approval requirements
      - Data return/destruction on termination

    AI-Specific Clauses:
      - Model change notification
      - Training data requirements
      - Output monitoring rights
      - Human oversight provisions

  Monitoring Program:
    Continuous Monitoring:
      - Connector usage analytics
      - Error rate tracking
      - Performance SLA compliance

    Periodic Reviews:
      Quarterly:
        - Vendor performance scorecards
        - Security finding status
        - Contract compliance
      Annual:
        - Full risk reassessment
        - Contract renewal evaluation
        - Board risk report

  Governance:
    Vendor Risk Committee:
      Chair: Chief Risk Officer
      Members:
        - CISO
        - Chief Compliance Officer
        - Head of Procurement
        - Business Unit Representatives
      Meeting Frequency: Monthly

    Escalation Thresholds:
      Board Notification:
        - New Tier 1 vendor approval
        - Significant vendor incidents
        - Material contract changes
        - Vendor termination (Tier 1)
```

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of Vendor and Third-Party Risk Management controls that impact tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for Vendor and Third-Party Risk Management controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

| Step | Action | Expected Result |
|---|---|---|
| 1 | Review connector inventory document | Complete list of all third-party connectors |
| 2 | Check vendor security assessments | Current assessments for all Tier 1/2 vendors |
| 3 | Verify contracts have security clauses | Required clauses present in all vendor contracts |
| 4 | Confirm vendor access is monitored | Audit logs showing connector activity |
| 5 | Test DLP policy enforcement | Blocked connectors cannot be used |
| 6 | Review board reporting | Quarterly vendor risk reports delivered |
| 7 | Verify incident response procedures | Documented and tested for vendor issues |

Troubleshooting & Validation

Issue: Unable to Identify All Third-Party Connectors

Symptoms: Incomplete connector inventory, unknown connectors discovered during audits

Solutions:

  1. Run PowerShell scripts to enumerate connectors across all environments
  2. Review Power Platform analytics for connector usage
  3. Check audit logs in Microsoft Purview for connection activity
  4. Enable connector activity alerts for new deployments
  5. Survey environment admins for custom connector usage

Issue: Vendor Fails to Provide SOC 2 Report

Symptoms: Vendor cannot provide required security documentation

Solutions:

  1. Accept alternative certifications (ISO 27001, FedRAMP)
  2. Request bridge letter if report is pending
  3. Conduct independent security assessment
  4. Implement compensating controls (enhanced monitoring)
  5. Escalate to vendor risk committee for risk acceptance or termination

Issue: Custom Connector Security Concerns

Symptoms: Custom connectors created without security review

Solutions:

  1. Implement pre-deployment security review process
  2. Enable Managed Environments to control solution deployment
  3. Use solution checker to identify security issues
  4. Require code review for custom connector APIs
  5. Block custom connector creation except in designated environments

Issue: Vendor Incident Notification Delayed

Symptoms: Vendor security incident not reported within the contractual notification window

Solutions:

  1. Review contract for notification requirements
  2. Assess impact to organization and report internally
  3. Document timeline of vendor notification
  4. Update vendor risk score based on incident handling
  5. Consider contract remediation or termination

Issue: DLP Policies Not Blocking Connectors as Expected

Symptoms: Users able to use connectors that should be blocked

Solutions:

  1. Verify DLP policy is applied to correct environments
  2. Check for conflicting policies (least restrictive wins)
  3. Confirm connector is correctly classified in policy
  4. Wait for policy propagation (up to 1 hour)
  5. Verify environment is marked as Managed
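To check which classification a connector actually receives in a given environment (Step 4's policy configuration and the troubleshooting item above), an added PowerShell example that is not part of this control's own scripts: it applies the policy scope rules (AllEnvironments, OnlyEnvironments, ExceptEnvironments) before reading the connector group, and maps the DLP API group names to the admin center labels. The policies below are constructed sample objects shaped like `Get-DlpPolicy` output; `Test-ConnectorDlpClassification` and the placeholder GUID are this example's own.

```powershell
# Hypothetical helper (not a Power Platform cmdlet): for every policy that
# applies to an environment, report how a connector is classified in it
function Test-ConnectorDlpClassification {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,        # Get-DlpPolicy output or equivalent
        [Parameter(Mandatory)] [string]   $EnvironmentName, # environment name (GUID), not display name
        [Parameter(Mandatory)] [string]   $ConnectorName    # connector API name, e.g. shared_sharepointonline
    )
    # DLP API group names vs. admin center labels
    $label = @{ General = "Business"; Confidential = "Non-business"; Blocked = "Blocked" }

    foreach ($policy in $Policies) {
        # Scope check first: a policy that lists the environment under
        # ExceptEnvironments does NOT apply to it
        $listed  = @($policy.environments.name) -contains $EnvironmentName
        $applies = switch ($policy.environmentType) {
            "AllEnvironments"    { $true }
            "OnlyEnvironments"   { $listed }
            "ExceptEnvironments" { -not $listed }
            default              { $false }
        }
        if (-not $applies) { continue }

        # Find the connector group that names this connector
        $group = $policy.connectorGroups | Where-Object {
            @($_.connectors.name) -contains $ConnectorName
        } | Select-Object -First 1

        if ($group) { $classification = $label[$group.classification] }
        else        { $classification = "Not listed (policy default applies)" }

        [PSCustomObject]@{
            PolicyName     = $policy.displayName
            Scope          = $policy.environmentType
            Classification = $classification
        }
    }
}

# Constructed sample: a tenant-wide baseline plus a policy scoped only to the
# core banking environment (the GUID is a placeholder, not a real environment)
$coreBankingEnv = "00000000-0000-0000-0000-000000000001"
$samplePolicies = @(
    [PSCustomObject]@{
        displayName     = "Tenant baseline"
        environmentType = "AllEnvironments"
        environments    = @()
        connectorGroups = @(
            [PSCustomObject]@{ classification = "General";      connectors = @([PSCustomObject]@{ name = "shared_sharepointonline" }) }
            [PSCustomObject]@{ classification = "Confidential"; connectors = @([PSCustomObject]@{ name = "shared_salesforce" }) }
            [PSCustomObject]@{ classification = "Blocked";      connectors = @([PSCustomObject]@{ name = "shared_examplesocial" }) }
        )
    }
    [PSCustomObject]@{
        displayName     = "Core banking lockdown"
        environmentType = "OnlyEnvironments"
        environments    = @([PSCustomObject]@{ name = $coreBankingEnv })
        connectorGroups = @(
            [PSCustomObject]@{ classification = "Blocked"; connectors = @([PSCustomObject]@{ name = "shared_salesforce" }) }
        )
    }
)

# The sample is set up so that the same connector is Non-business in the
# baseline but Blocked in the environment-specific policy, one row per policy
Test-ConnectorDlpClassification -Policies $samplePolicies `
    -EnvironmentName $coreBankingEnv -ConnectorName "shared_salesforce" | Format-Table -AutoSize
```

Against a live tenant, pass `(Get-DlpPolicy)` as `-Policies` and the `EnvironmentName` value from `Get-AdminPowerAppEnvironment`; a connector that should be blocked but shows up as Business in every applicable row points to the misclassification or wrong-scope cases listed above.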

Additional Resources

| Control | Relationship |
|---|---|
| Control 1.4: Advanced Connector Policies | Connector-level security policies |
| Control 1.5: Custom Connector Certification | Custom connector security review |
| Control 1.6: DLP Policies | Data Loss Prevention configuration |
| Control 2.1: Managed Environments | Environment-level governance |
| Control 2.2: Environment Groups | Group-level policies |
| Control 2.3: Change Management | Solution deployment controls |
| Control 3.4: Audit Logging | Activity monitoring |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead: Governance direction and policy
  • Compliance Officer: Regulatory requirements and reporting
  • Security Team: Vendor security assessments
  • Procurement: Contract management and vendor relationships
  • Technical Implementation Team: Platform configuration

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification