Where Does AI/TPRM Live Within an Organization?

Navigating Ownership, Oversight, and Expertise in the Age of Artificial Intelligence 

As artificial intelligence (AI) adoption accelerates across industries, organizations are grappling with a new challenge: where should AI risk management, and specifically AI-related Third Party Risk Management (TPRM), live within the enterprise? 


While some organizations assign ownership to existing structures like IT, model risk management, or cybersecurity, others manage AI/TPRM through risk committees or distributed governance models.  However, as AI becomes embedded in everything from third party software to operational decision making, defining accountability and expertise is more critical than ever. 


This blog explores the current state of organizational ownership of AI/TPRM, the challenges of fragmented accountability, and the evolving landscape of AI risk governance. 


The Current Reality: Distributed Ownership, Fragmented Accountability 

Most organizations are still in the early stages of formalizing how AI and third party risk intersect. The result is a patchwork of ownership that reflects historical structures rather than emerging needs. 


Common Models of AI/TPRM Ownership: 

| Model | Typical Owner | Strengths | Challenges |
|---|---|---|---|
| IT Ownership | CIO or Head of IT | Deep technical knowledge; integration visibility | Focused on enablement over risk; limited governance scope |
| Cybersecurity Ownership | CISO or Security Team | Expertise in data protection, privacy and threat management | May overlook model bias, ethics and performance risk |
| Model Risk Management (MRM) | CRO, Enterprise Risk or Finance | Familiar with validation frameworks and model governance | Not all AI tools qualify as “models”; hard to scale across third parties |
| Enterprise Risk Management | Chief Risk Officer | Holistic view of risk across functions | May lack the technical fluency needed to assess AI-specific risks |
| Governance Committee or AI Council | Cross Functional Groups | Encourages shared accountability | Decision-making can be slow; unclear escalation or ownership paths |

In practice, AI/TPRM often lives everywhere and nowhere at all.  This distributed reality makes it difficult to establish clear accountability, consistent controls, or effective monitoring.  


The Expertise Dilemma: Interest, Enthusiasm, and Illusion 

AI governance has quickly attracted attention across business functions. Within most organizations, three groups are emerging: 

  1. The Interested: Professionals who want to understand AI’s risks and opportunities but lack hands-on experience. 

  2. The Aspiring Experts: Individuals who follow AI trends and participate in governance conversations but may not yet grasp the nuances of model architecture or data provenance. 

  3. The Actual Experts: Technologists, data scientists, and risk professionals who understand both the technical and ethical implications of AI. 


The challenge is not a shortage of passion; it's a shortage of true multidisciplinary expertise. AI/TPRM sits at the intersection of technology, ethics, and compliance, and few individuals or departments are fluent in all three. 


To close this gap, organizations must create intentional learning pathways and collaborative governance structures that balance subject matter expertise with enterprise risk accountability.


Governance in Practice: Moving Towards a Federated Model 

A leading practice emerging across industries is a federated governance model for AI and TPRM. This structure combines distributed ownership with centralized oversight. 


Key Features of a Federated Model 
  • Central Oversight Body – An AI Risk or Governance Committee that sets policy, standards, and reporting expectations.  

  • Functional Ownership – Each business or function (e.g., IT, Cyber, Risk, Legal, Procurement, etc.) owns execution of AI/TPRM controls relevant to their domain. 

  • Integration with TPRM – Third party due diligence processes are expanded to include AI-specific assessment covering model transparency, ethical design, data sourcing, and bias testing. 

  • Continuous Monitoring – Establish ongoing oversight for AI-enabled third party tools, especially for evolving and retraining models. 


This model encourages shared responsibility while ensuring decisions align with enterprise-level risk appetite and ethical standards.  


A Practical Path Forward 

Organizations can begin clarifying AI/TPRM ownership with the following steps: 

  1. Map Current Ownership – Identify where AI activities and risks currently reside (within IT, Cyber, Risk or elsewhere). 

  2. Establish an AI Governance Charter – Define roles, responsibilities, and decision rights for all AI-related risk activities, including third party AI vendors. 

  3. Integrate AI Risk into TPRM Frameworks – Update third party due diligence questionnaires/assessments and monitoring processes to include AI use, transparency, and data ethics. 

  4. Create a Skills Development Roadmap – Offer training that bridges the technical, operational and ethical dimensions of AI risk. 

  5. Promote Transparency and Communication – Encourage open dialogue between those who “build”, those who “buy”, and those who “govern” AI. 


Where AI/TPRM “lives” is not a static question; it's a reflection of how mature an organization is in managing emerging risk. Ownership will likely evolve over time, shifting from isolated functions to integrated governance models.  


Ultimately, the goal isn’t to decide whether IT, Cyber, or Risk “owns” AI. It's to ensure that someone is accountable, that the process is transparent, and that decisions are made responsibly. 


AI will continue to reshape third party risk management. Those who establish clarity of ownership today will be better equipped to manage the risks and seize the opportunities of tomorrow. 

Author Bio

Heather Kadavy

Senior Membership Success Coordinator


Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years.


Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".