v2.4.0

Models licensed from commercial API providers present a different risk profile from open-source components. The provider may refuse to disclose training data composition, model architecture details, or fairness evaluation results, citing trade secrets. This creates documentation gaps in the AISDP that must be addressed.

The vendor due diligence questionnaire (prepared during Phase 1) should capture the provider’s willingness to supply the information required by Annex IV. Where disclosures are insufficient, the AI System Assessor records the gaps as non-conformities and assesses whether the organisation can compensate through its own testing and evaluation of the model’s outputs. The Article 25(3) information request framework provides the legal basis for requesting specific information from GPAI providers.

Contractual terms carry compliance implications. Service level agreements should address availability, latency, and throughput guarantees relevant to the system’s operational requirements under Article 15. Terms of service may grant the provider broad data usage rights, limit the provider’s liability, or disclaim responsibility for downstream use. The Legal and Regulatory Advisor reviews these terms and assesses the resulting gap in risk allocation.

The AISDP documents the provider’s contractual commitments, the organisation’s assessment of their adequacy, and the residual risks where contractual protections are insufficient. Change notification commitments are particularly important: if the provider may silently update the model within a version identifier, the organisation faces uncontrolled behavioural drift that undermines the AISDP’s traceability.

Key outputs

  • Vendor due diligence questionnaire responses
  • Contractual terms analysis
  • Documentation gap assessment with compensating controls