nerdexam
Isaca

AAISM · Question #185

When evaluating a third-party AI service provider, which master services agreement (MSA) provision is MOST critical for managing security risk?

The correct answer is C. Prohibiting the use of customer data for model training. If a third-party AI provider uses customer-submitted data to retrain or fine-tune their models, that sensitive data could be embedded in model weights, surfaced in responses to other customers, or exposed in a breach-a critical confidentiality and compliance risk, especially for

AI Security Risk Management

Question

When evaluating a third-party AI service provider, which master services agreement (MSA) provision is MOST critical for managing security risk?

Options

  • AGuaranteeing unlimited model retraining requests
  • BSharing real-time log information
  • CProhibiting the use of customer data for model training
  • DRestricting query volume thresholds

How the community answered

(26 responses)
  • A
    4% (1)
  • B
    12% (3)
  • C
    77% (20)
  • D
    8% (2)

Explanation

If a third-party AI provider uses customer-submitted data to retrain or fine-tune their models, that sensitive data could be embedded in model weights, surfaced in responses to other customers, or exposed in a breach-a critical confidentiality and compliance risk, especially for financial institutions subject to data protection regulations. This provision directly addresses data sovereignty and prevents unintended data leakage through the AI supply chain. Log sharing, retraining request limits, and query volume thresholds are operational or performance concerns that do not carry the same security and regulatory weight.

Topics

#Third-party AI risk#MSA security provisions#Data usage restrictions#Model training data security

Community Discussion

No community discussion yet for this question.

Full AAISM Practice