DARR
MR-065 Third party & supply chain Both scope

Vendor model version churn and undisclosed updates

A third-party model or service changes behavior through provider-side updates or version changes the deployer did not initiate and may not be notified of, silently shifting outputs and performance.

Risk family: Third party & supply chain
MIT domain: n/a (ISO-derived)
MIT subdomain: n/a
AI type: GPAI, Agentic
Scope: Both
Source standard: ISO/IEC 23894 + 42001 (gap analysis)

Provenance

Source standard: ISO/IEC 23894 + 42001 (gap analysis)
Source frameworks: ISO/IEC 42001:2023, ISO/IEC 23894:2023
ISO/IEC references: 42001 Annex A, A.10.3 and A.6.2.6; 23894 clause 6.4.2.3 source area 10 and Annex B.7
GPAI Code of Practice: Transparency Ch. Commitment 1 | S&S Ch. Commitments 1-10
Nearest MIT-derived risk: MR-058 Model performance drift: drift is passive internal degradation, not a supplier-pushed change the deployer cannot control.

Framework crosswalk

Every framework item mapped to this risk. Items marked partial overlap only in part.

Sources: frameworks that contributed to the register
ISO 42001 (2)
  • A.10.3 ISO/IEC 42001 Annex A A.10.3
  • A.6.2.6 ISO/IEC 42001 Annex A A.6.2.6
EU AI Act (2)
  • CoP S&S Ch. Commitments 1-10
  • CoP Transparency Ch. Commitment 1

Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0. Full attribution and licensing.