This informational item captures a structural risk trend rather than a discrete vendor vulnerability: organizations integrating third-party AI data vendors, model providers, and AI-enabled SaaS platforms are creating attack surfaces that existing third-party risk management frameworks were not designed to evaluate, particularly around training data poisoning and model weight exfiltration. Security teams should inventory all third-party AI data dependencies, extend vendor risk assessment processes to cover AI-specific data isolation and incident response questions, and map control gaps against NIST SP 800-53 SR family and the NIST AI Risk Management Framework. No CVE, patch, or KEV status applies; this is a governance and preparedness priority.