Provider-Deployer Boundary An oversight gap arises because the provider cannot observe how the deployer uses the system, and the deployer cannot observe the system’s internal behaviour. Provider-side PMM relies on deployer data; the deployer’s oversight relies on Instructions for Use from the provider. If either side fails, the oversight chain breaks. The provider defines minimum oversight reporting requirements for deployers (override rates, complaint volumes, anomalous observations) and establishes contractual obligations and practical mechanisms for reporting. The provider aggregates deployer reports across its deployment base and monitors for cross-deployer patterns that individual deployers cannot see. The deployer agreement specifies escalation procedures that cross the organisational boundary, including deployer access to the provider’s incident reporting team and the provider’s access to the deployer’s oversight data. Key outputs

• Minimum deployer reporting requirements defined contractually
• Provider aggregation of cross-deployer patterns
• Bidirectional escalation across the organisational boundary
• Module 7 and Module 11 AISDP documentation

Joint Ventures & Partnerships Where multiple organisations jointly develop or operate a high-risk system, compliance responsibility allocation must be contractually explicit. Article 25 assigns obligations to the provider; one organisation is designated as provider and others must understand their obligations as importers, distributors, or deployers. The operational oversight framework specifies which organisation monitors which aspects, how escalations cross organisational boundaries, and how joint governance decisions are made. A joint governance committee, meeting quarterly, reviews the shared system’s compliance posture and resolves inter-organisational issues. Key outputs

• Contractually explicit compliance responsibility allocation
• Article 25 provider designation
• Inter-organisational escalation and governance protocols
• Joint governance committee for shared systems

Platform & Marketplace Deployments Systems deployed through cloud platforms or AI marketplaces introduce a three-party relationship: the model provider, the platform operator, and the deployer. The platform operator may host inference infrastructure, manage the API, and mediate the provider-deployer relationship. Oversight responsibilities are allocated across all three parties. The AISDP documents the platform operator’s role, the data flows between parties, and the contractual provisions for monitoring and incident response. Gaps in the three-party allocation are identified and mitigated; a platform operator that refuses to share operational telemetry with the provider creates a monitoring blind spot that the AISDP must document. Key outputs

• Three-party oversight responsibility allocation
• Platform operator role documented in AISDP
• Data flow and contractual provision documentation
• Monitoring blind spots identified and mitigated