REFERENCE · §5 · LAST REVIEWED 2026-04-27
ACF §5 — Vendor Due Diligence
Vendor due diligence for agent stacks extends traditional third-party risk assessment to cover foundation-model providers (Anthropic, OpenAI, Google), MCP server operators, agentic-harness authors, and individual tool publishers — each carrying distinct risk that conventional vendor questionnaires miss.
A regulated firm’s third-party risk programme typically covers SaaS vendors and core service providers. Agent stacks add categories it was not designed for: a foundation-model provider whose release cadence can change behaviour behind a stable model alias without notice; MCP servers that expose tools the agent can call, and whose identity and capability set need verifying; community-published tools whose authors may be anonymous. Each needs its own due-diligence evidence: model provenance, training-data assertions, change-management and deprecation commitments, MCP-server identity verification, and tool-author trust scoring. These obligations map to FCA SYSC 8 (outsourcing), the DORA ICT third-party provider requirements, and the EBA outsourcing guidelines.
Regulatory anchors
- FCA SYSC 8
- DORA Art. 28-44
- EBA Outsourcing GL
- EU AI Act Art. 25
- ISO 42001 §8.3
What this covers
- Foundation-model provider DD: provenance, change cadence, training-data assertions
- MCP-server identity verification and capability disclosure
- Tool-author trust scoring and provenance
- Concentration risk across the agent stack
- Exit-strategy planning when model behaviour drifts
Common gaps
- Vendor questionnaire from 2018 has no fields for AI-specific risks
- No mechanism to detect model-version change at the provider
- MCP servers are added without documented owner approval
- Concentration risk: 100% of agent calls go to one provider with no fallback
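Three of the gaps above (undetected model-version change, MCP servers added without an approved owner, and single-provider concentration) are checkable from evidence the firm already holds. The script below is an added example written for this section, not code from the ACF reference or from any vendor. It assumes a gateway log in which each agent call records the provider, the model alias requested and the model identifier the provider echoed back, and an MCP register that pins each approved server to an owner, a certificate fingerprint and a disclosed tool list; all field names and sample values are constructed for illustration.

```python
"""Audit checks for agent-stack vendor due diligence (added example)."""
from collections import Counter

# Constructed gateway log, one dict per agent call. Field names are an
# assumption about the firm's own logging, not a vendor schema. The
# "model_returned" field stands in for the model identifier a provider
# echoes back in its response body; a change behind a stable alias is the
# silent behaviour shift a questionnaire cannot catch.
CALL_LOG = [
    {"ts": "2026-04-01T09:00:00Z", "provider": "provider-a",
     "model_requested": "alias-large", "model_returned": "provider-a-large-20260105"},
    {"ts": "2026-04-02T09:00:00Z", "provider": "provider-a",
     "model_requested": "alias-large", "model_returned": "provider-a-large-20260105"},
    {"ts": "2026-04-03T09:00:00Z", "provider": "provider-b",
     "model_requested": "alias-small", "model_returned": "provider-b-small-20251201"},
    {"ts": "2026-04-15T09:00:00Z", "provider": "provider-a",
     "model_requested": "alias-large", "model_returned": "provider-a-large-20260401"},
    {"ts": "2026-04-16T09:00:00Z", "provider": "provider-a",
     "model_requested": "alias-large", "model_returned": "provider-a-large-20260401"},
]


def model_version_changes(records):
    """Return one event per change in the model actually served for a
    (provider, requested alias) pair, in timestamp order."""
    last = {}
    changes = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["provider"], r["model_requested"])
        seen = last.get(key)
        if seen is not None and seen != r["model_returned"]:
            changes.append({"ts": r["ts"], "provider": r["provider"],
                            "alias": r["model_requested"],
                            "from": seen, "to": r["model_returned"]})
        last[key] = r["model_returned"]
    return changes


def provider_concentration(records, threshold=0.8):
    """Share of calls per provider; flag when one provider reaches threshold."""
    counts = Counter(r["provider"] for r in records)
    total = sum(counts.values())
    shares = {p: n / total for p, n in counts.items()}
    dominant, share = max(shares.items(), key=lambda kv: kv[1])
    return {"shares": shares, "dominant": dominant, "flag": share >= threshold}


# Approved MCP register (constructed). The fingerprint is assumed to be the
# SHA-256 of the server's TLS certificate; values are placeholders.
APPROVED_MCP = {
    "https://mcp.internal.example/ledger": {
        "owner": "payments-platform",
        "fingerprint": "sha256:0f3a9c...",
        "disclosed_tools": {"get_balance", "list_transactions"},
    },
}

# What the agent harness is actually configured with (constructed). The
# ledger server now exposes a tool it never disclosed; the search server has
# no register entry at all.
CONFIGURED_MCP = [
    {"url": "https://mcp.internal.example/ledger", "fingerprint": "sha256:0f3a9c...",
     "tools": {"get_balance", "list_transactions", "post_journal"}},
    {"url": "https://mcp.thirdparty.example/search", "fingerprint": "sha256:7b21e0...",
     "tools": {"web_search"}},
]


def audit_mcp_servers(configured, approved):
    """Compare configured MCP servers against the register; return findings
    as (url, message) tuples in configuration order."""
    findings = []
    for s in configured:
        entry = approved.get(s["url"])
        if entry is None:
            findings.append((s["url"], "unapproved: no owner on record"))
            continue
        if entry["fingerprint"] != s["fingerprint"]:
            findings.append((s["url"], "identity mismatch: pinned fingerprint differs"))
        undisclosed = s["tools"] - entry["disclosed_tools"]
        if undisclosed:
            findings.append((s["url"], f"undisclosed tools: {sorted(undisclosed)}"))
    return findings


if __name__ == "__main__":
    for c in model_version_changes(CALL_LOG):
        print(f"{c['ts']} {c['provider']} {c['alias']}: {c['from']} -> {c['to']}")
    print(provider_concentration(CALL_LOG))
    for url, msg in audit_mcp_servers(CONFIGURED_MCP, APPROVED_MCP):
        print(f"{url}: {msg}")
```

Run against a day's gateway log and the current harness configuration, the three functions give the evidence a reviewer would attach to the due-diligence file: the date a provider changed the model behind an alias, the share of traffic that has no fallback, and every MCP server that is either unowned or exposing more than it disclosed.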
Related sections
- §7 — Operational Resilience
What happens when the agent goes down mid-transaction.
- §8 — Third-Party Risk
Outbound API calls made by the agent on behalf of the firm.
- §6 — Performance Monitoring
Drift, hallucinations, and other performance regressions that produce regulatory breaches.
- §10 — Data Governance
Training data, prompt caching, retention, and the regulator-facing posture for each.
Take action
Score your firm's readiness across all twelve dimensions with the Agent Compliance Scorecard →
Reference compiled by Sebastian Heine. Editorial perspective at The SHeine Brief.