How do TOMs and vendor governance apply to AI systems?
Technical and organisational measures (TOMs) define the security and data protection controls that apply to an AI system when it processes personal data. Vendor governance adds a layer of accountability for third-party AI systems — ensuring that the provider's TOM profile, data processing agreements, and system documentation meet the deployer's governance requirements.
For AI systems involving personal data, both TOMs and vendor governance must be documented as part of the compliance record that connects GDPR and AI Act obligations.
Key points
- TOM profiles for AI systems must address AI-specific risks: model integrity, training data governance, inference logging, access controls, and output monitoring.
- Vendor governance requires documented assessment of whether a third-party AI provider meets the deployer's GDPR and AI Act requirements.
- Processor agreements under GDPR and provider documentation under the AI Act must be connected — not managed as separate compliance tracks.
- Changes in vendor configuration, pricing tier, or terms of service may trigger re-assessment of both TOM adequacy and AI governance status.
Why it matters
Most organizations use third-party AI systems. The deployer cannot outsource governance responsibility to the vendor. TOM documentation and vendor governance create the evidence that the deployer has assessed, documented, and accepted the risk of using a third-party system within its own governance framework.
How EAB approaches this
EAB's TOM Profiles capture technical and organisational measures per AI system. Vendor Governance documents third-party assessments. Both connect to the AI system record through the GDPR–AI Act Bridge, creating a unified governance view across data protection and AI compliance.