Third-party LLMs process organizational data, including sensitive and proprietary information, at inference time, and the vendor may also retain that data and use it to train future models. The vendor's data handling practices therefore determine whether the organization's data remains private, secure, and compliant with its legal obligations.
Why D is Correct: According to ISACA AAIR third-party risk guidance, data handling practices are the most critical evaluation criterion for AI vendors. How the vendor uses input data (whether prompts and outputs are retained, for how long, and whether they feed model training or analytics) directly determines data privacy risk, intellectual property exposure, and regulatory compliance. Vendors that train on customer input data without restriction create significant privacy and confidentiality risks.
Why A is Wrong: SLA alignment with corporate strategy addresses availability and performance obligations. While important, these commercial terms do not address the fundamental data risk created by vendor data handling practices.
Why B is Wrong: ML method selection reflects technical sophistication but does not determine data risk. The risk profile is driven by data governance, not algorithmic choice.
Why C is Wrong: Subscription models are commercial and procurement considerations. Pricing structure has no bearing on data privacy risk or on the organization's exposure to the vendor's data practices.