AI Tools and the TPRM Blind Spot in Manufacturing
Artificial intelligence (AI) tools are increasingly entering manufacturing environments through existing enterprise software without formal contracts, due diligence processes, or third-party risk management (TPRM) triggers. This hidden integration creates a significant compliance gap, as illustrated by multiple real-world conversations with compliance leaders across the sector.
How AI Enters Without Detection
Typical procurement workflows—contract signing, purchase orders, and IT access requests—do not capture AI feature roll-outs. Vendors often release new capabilities via changelog entries that are rarely read by procurement teams. Consequently, a tool approved years ago can acquire generative AI functions overnight, altering the risk profile without any TPRM workflow activation.
Manufacturing‑Specific Risks
Manufacturing data is highly sensitive, encompassing proprietary formulations, decades‑long research and development parameters, raw material terms, and sometimes dual‑use specifications subject to EU export controls or the U.S. Export Administration Regulations (EAR). When this data is processed by foundation models whose operators, training methods, and data‑retention policies are unknown, existing data‑processing agreements (DPAs) cannot mitigate the exposure.
Regulatory Pressure: The EU AI Act
Article 26 of the EU AI Act obliges manufacturers to document AI system purposes, monitor outputs, and retain evidence of controls. Non‑transparent AI components—those that were never identified—cannot satisfy these obligations, exposing firms to regulatory findings regardless of intent.
The Hidden Sub‑Processor Chain
In many cases, the vendor providing the SaaS solution is only the third party. The foundation model powering the AI feature (e.g., OpenAI, Anthropic, Google DeepMind) represents a fourth party, and the underlying infrastructure may involve a fifth party. Mapping this extended chain is especially challenging in tier‑1 supplier‑heavy manufacturing environments.
Three Targeted Changes to Close the Gap
1. Decouple AI Intake from Commercial Events
Implement a workflow that triggers a TPRM reassessment whenever a vendor release note or changelog mentions AI or large language model functionality, irrespective of any purchasing activity. For predictable update cycles—such as SAP S/4HANA, PTC Windchill, or Siemens Teamcenter—this can be managed through scheduling rather than new technology investments.
2. Add an AI‑Specific Addendum to Due Diligence Questionnaires
Enhance existing questionnaires (e.g., SIG, CAIQ) with mandatory fields that capture:
- The identity of every AI model used and its provider.
- Whether customer data is used for model training.
- A current sub‑processor list specific to AI functionality.
- Evidence of ISO/IEC 42001 certification or a roadmap toward it.
- For export‑controlled data, the geographic location of model inference.
Vendors unable to provide these details have not adequately assessed their AI exposure.
3. Expand TPRM Governance Participation
Traditional TPRM committees in manufacturing consist of legal, procurement, and IT security representatives. Incorporate the CISO, data privacy officer, and operational technology (OT) security experts to ensure AI risk receives appropriate attention and expertise.
Conclusion
Manufacturers face a silent but growing AI risk that bypasses conventional TPRM controls. By instituting AI-triggered reassessments, enriching due-diligence questionnaires, and broadening governance teams, organizations can illuminate the blind spot and align with emerging regulatory expectations. These focused adjustments require minimal investment yet deliver substantial risk reduction, safeguarding both proprietary data and compliance standing.
