“Notes on axes of variation in third-party risk assessment” by Buck
Description
There are many different activities that could be described as "third-party risk assessment". Here are some distinctions that I've found helpful in thinking about the space over the last few weeks.
(Thanks Ajeya Cotra and Paul Christiano for discussions that inspired most of this.)
Throughout this, I refer to the actors as:
- Developers.
- Stakeholders. These are the people who want to be informed about risks. Possible stakeholders include: governments, the public, the developer's board, the developer's employees.
- The choice matters because one of the roles of an auditor is to review confidential info that they then do not directly disclose to stakeholders; they only tell them their conclusions. This role is more important when the developer is more concerned about disclosing confidential information to the stakeholder.
- Third parties. I don't know a better term for "independent actors who contribute in various ways to a stakeholder's understanding of risks through producing and evaluating evidence and/or arguments". Like, it's weird to call the physical security pentesting firm a "risk assessor". And AI Lab Watch isn't really an "auditor". And "evaluator" makes it sound like they run model evals.
The next step in the analysis will be to think about [...]
---
Outline:
(01:36) Axes
(01:39) Fact generation vs evidence analysis
(06:31) Laundering private evidence into sharable conclusions?
(13:34) Incentive compatibility vs calibration
(14:35) Current risk vs preparedness
(15:06) Cross-developer comparability
(16:34) Examples, classified against the axes above
---
First published:
May 31st, 2026
---
Narrated by TYPE III AUDIO.