Board's Close Brush with AI: A Lesson from McDonald's AI Mishap

Three neglected pitfalls pose a threat to the safety, implementation, and success of artificial intelligence.

Close call at McDonald's and a pivotal AI lesson for every boardroom

Effectively managing third-party AI vendor risks, particularly with regard to incentives, skill, and cybersecurity, requires a proactive, structured, and ongoing approach at the board and executive level. Below are best practices tailored to these three areas.

---

## Incentives

Boards and executives should review contractual agreements to ensure incentives for AI vendors are explicitly linked to security and compliance outcomes. This alignment helps ensure vendors are motivated to prioritise security and transparency. Regularly assess vendor performance against contractual obligations and incentive structures using key performance indicators (KPIs) tied to security incidents, audit results, and compliance certifications. This ongoing monitoring can highlight misaligned incentives early, allowing for timely intervention.

---

## Skill

Evaluate the vendor’s team composition, certifications, and track record in AI and cybersecurity. Look for evidence of formal training, certifications (e.g., CISSP, CISM, vendor-specific AI credentials), and participation in industry consortia or standards bodies. Assess whether the vendor’s information security management system (ISMS) is mature, regularly updated, and ideally certified against standards like ISO 27001 or SOC 2. During onboarding, perform in-depth due diligence that includes interviews, reference checks, and review of past incident responses. Scrutinise the vendor’s hiring practices, employee turnover rates, and access to ongoing training and professional development. Compare the vendor’s processes and skill levels to recognised frameworks and regulatory requirements (e.g., NIST CSF, PCI DSS, GDPR) to identify gaps and ensure the vendor’s capabilities meet or exceed industry norms.

---

## Cybersecurity

Adopt a multi-stage vendor risk management (VRM) framework that starts with a comprehensive initial risk assessment, followed by ongoing monitoring and periodic reassessment. This process should cover the vendor’s cybersecurity policies, data protection practices, compliance efforts, and incident response capabilities. Assess the vendor’s implementation of strong access controls (e.g., MFA, least privilege), data encryption (both at rest and in transit), and vulnerability management (including patch cadence and handling of zero-day vulnerabilities). Review the vendor’s incident response and disaster recovery plans for clarity, effectiveness, and communication protocols—especially regarding timely notification in the event of a breach involving your data. Identify and assess risks posed by the vendor’s own suppliers (fourth parties), as vulnerabilities in their service provider network can also impact your organisation’s security posture. Utilise automated vendor risk management platforms and security rating tools to continuously monitor the vendor’s security posture and compliance status. These tools can provide real-time alerts and objective evidence of security performance.

---

## Ongoing Governance and Oversight

Maintain active board and executive engagement by receiving regular updates on third-party AI vendor risks and mitigation efforts. Executives must ensure that vendor risk management is integrated into the broader enterprise risk management (ERM) framework, with clear accountability at the C-suite level. Prepare for potential vendor failures by developing contingency plans, such as identifying backup vendors and establishing clear incident response protocols. Regularly test these plans to ensure operational resilience.

---

## Summary Table: Key Assessment Criteria

| Area | Best Practices |
|-----------------|-----------------------------------------------------------------------------------------------|
| Incentives | Align contracts with security outcomes; monitor performance; adjust penalties/rewards as needed |
| Skill | Assess certifications, training, and maturity; benchmark against standards; conduct due diligence |
| Cybersecurity | Implement structured risk assessments; scrutinise controls; monitor continuously; assess fourth parties |

---

By systematically addressing incentives, skill, and cybersecurity through rigorous assessment, continuous monitoring, and clear governance, boards and executives can significantly reduce the risks posed by third-party AI vendors.

Recent events have highlighted the risk of relying on third-party AI vendors, as demonstrated by the near-miss incident involving McDonald's and its tech vendor, Paradox, which runs its hiring chatbot. Security researchers Ian Carroll and Sam Curry accessed a dormant Paradox test account belonging to McDonald's and viewed seven chat records containing sensitive personal data. The researchers promptly reported the flaw to McDonald's and the vendor so that it could be fixed quickly and potential misuse prevented.

Many executives struggle to articulate how AI will drive competitive advantage, despite expecting increased agentic AI spending this year. Ivan Rahman, CEO of Avistar.AI, emphasises that if AI is deployed without basic security hygiene, it endangers people, and security is not optional.

Boards and executives should involve the CIO and CFO in the evaluation of AI vendors' cybersecurity practices, as the alignment of incentives, skill, and cybersecurity is crucial for creating a Trusted AI that does not pose a significant business risk. The CIO and CFO can collaborate in assessing the vendor's incident response plans, data protection practices, and vulnerability management, ensuring the adoption of industry-standard security controls like MFA, data encryption, and patch cadences.

In the realm of Responsible AI governance, it is essential to ensure the active involvement of the CIO and CFO in overseeing the vendor's cybersecurity posture and staying informed about potential risks to the business. This ongoing collaboration is vital for maintaining a secure and compliant AI ecosystem that consistently drives competitive advantage and avoids incidents like the near-miss with McDonald's and Paradox.
