Black Kite Global Adaptive AI Assessment Framework™ (BK-GA³™)
A Unified, Open Standard for Assessing Third-Party AI Risk Across Industries, Regions, and Regulators
by the Black Kite Research Group™ · Developed in consultation with Shared Assessments
AI has proliferated faster than the risk frameworks built to govern it. For third-party risk management teams, that gap has become a liability. Every new vendor introduces an AI surface that the SIG, ISO 27001, or a sector-specific framework was never designed to evaluate. And the patchwork of AI-specific assessments now in market, each tied to a single industry, geography, or regulatory body, only deepens the blind spots.
The Black Kite Global Adaptive AI Assessment Framework™ (BK-GA³™) was built to close that gap. Developed by the Black Kite Research Group in consultation with Shared Assessments and released as a free open standard, BK-GA³™ synthesizes hundreds of unique requirements drawn from more than 50 international assessment frameworks (including ISO, NIST, and the Shared Assessments SIG) into a single, adaptive system that evolves alongside the AI threat landscape.
The result is the first third-party AI risk assessment framework that works the same way everywhere, across every vendor, every region, every regulator. A dedicated working committee keeps it current as new threats emerge, and built-in intelligence from open-source research and the Black Kite Research Group ensures it reflects what attackers are actually doing, not just what compliance bodies have caught up to.
This framework is your blueprint for assessing third-party AI risk consistently, wherever your vendors operate and whatever regulations they fall under.
Why a Global AI Risk Assessment Framework Is Needed Now
AI adoption has outpaced traditional risk frameworks
The pace of AI adoption inside enterprise vendor ecosystems has outrun every traditional cyber risk framework on the market. Models are being embedded into vendor products faster than questionnaires can be updated, and most existing assessments lack the language, the control categories, and the threat context required to evaluate AI-specific risk at all.
AI assessments are fragmented across 50+ overlapping frameworks
The current landscape includes dozens of AI risk frameworks split by industry, geography, and regulator, forcing TPRM teams to reconcile conflicting requirements vendor by vendor. Without a shared foundation, organizations end up bolting together partial coverage from multiple frameworks and still leaving AI-specific gaps unassessed. Most of those frameworks update on a multi-year cycle, while AI threat vectors evolve in months.
ISO and NIST don't fully cover AI-specific risk
ISO 27001 and the NIST family remain essential for baseline cyber hygiene, but they were designed before generative AI, agentic AI, and model-supply-chain risk were operational concerns. BK-GA³™ maps to those standards while extending them with the AI-specific controls TPRM teams need today.
Core Capabilities of the BK-GA³™ AI Risk Framework
Adaptive framework maintained by a dedicated working committee
BK-GA³™ is regularly updated by a dedicated working committee to reflect new AI threats and emerging assurance standards. Updates are driven by what's happening in the wild, not by regulatory cycles.
Maps directly to ISO, NIST, and the Shared Assessments SIG
The framework aligns to established standards rather than replacing them, so existing compliance work is extended, not thrown out. Designed to be applicable globally, BK-GA³™ removes the need to maintain separate AI risk programs by region or regulator.
Synthesizes hundreds of requirements from 50+ frameworks into one standard
Hundreds of unique requirements were evaluated across more than 50 established frameworks and distilled into a single, focused standard. The result: one framework that applies the same lens to every vendor in your third-party ecosystem, surfacing AI control gaps efficiently.
Includes OSINT and Black Kite Research Group threat intelligence
BK-GA³™ considers open-source intelligence sources alongside curated insights from the Black Kite Research Group, so the framework stays aligned with the AI threats actually being exploited, not the ones documented two compliance cycles ago.
What's Inside the BK-GA³™ Framework
Executive Summary: The case for a unified AI risk assessment standard
A clear articulation of the problem BK-GA³™ solves and the value of consolidating fragmented AI assessments into a single global framework.
Background: Why traditional frameworks fall short
A breakdown of where ISO, NIST, and industry-specific frameworks leave AI-specific risk uncovered, and how fragmentation creates systemic blind spots in third-party risk programs.
The BK-GA³™ Framework: A structured, adaptive methodology
The full framework specification, including assessment domains, control categories, and the adaptive logic that keeps BK-GA³™ current as the AI threat landscape shifts.
Category Definitions: Actionable definitions for each AI risk domain
Clear, usable definitions for every category in the framework, designed to drop directly into a vendor evaluation workflow without further interpretation.
For Black Kite Customers: Operationalizing BK-GA³™ inside the platform
How Black Kite customers can run BK-GA³™ assessments inside the platform via AI questionnaire management or as one of their custom cyber assessment frameworks, turning a manual process into continuous, automated third-party AI risk evaluation.
How TPRM Teams Should Operationalize BK-GA³™
Replace your patchwork of AI questionnaires
Retire region- or industry-specific AI questionnaires and standardize on BK-GA³™ as your single source of truth for vendor AI risk. One framework, one set of definitions, one consistent assessment across every vendor.
Map existing assessments to ISO and NIST
Use BK-GA³™'s alignment to ISO and NIST to extend your existing compliance work rather than duplicate it. Vendors that have already passed ISO or NIST controls don't restart at zero, because BK-GA³™ layers on top of what you already have.
Surface AI control gaps systematically across your ecosystem
Apply the framework to every vendor in your ecosystem to identify where AI risk is being introduced without controls. Standardization makes gaps visible and comparable, not buried in vendor-by-vendor variation.
Automate BK-GA³™ assessments inside the Black Kite platform
Black Kite customers can run BK-GA³™ assessments inside the platform, turning a manual questionnaire process into continuous, automated third-party AI risk evaluation.
BK-GA³™ Methodology: How the Framework Was Built
Synthesized from 50+ established AI and cyber risk frameworks
Hundreds of unique requirements were extracted from more than 50 international AI and cyber risk assessment frameworks (including ISO, NIST, and the Shared Assessments SIG) and analyzed for overlap, gaps, and best-practice patterns.
Developed in consultation with Shared Assessments
BK-GA³™ was developed in consultation with Shared Assessments LLC, the member-driven leader in third-party risk assurance, and reflects input from industry bodies including the Third Party Risk Association (TPRA). The intent: complement existing standards, not compete with them.
Maintained by a dedicated BK-GA³™ working committee
A dedicated working committee maintains the framework on an ongoing basis, integrating new assurance standards and emerging AI threat patterns as they appear in the wild.
Continuously updated with OSINT and Black Kite Research Group intelligence
Open-source intelligence and original research from the Black Kite Research Group feed directly into framework updates, keeping BK-GA³™ aligned with the AI risks attackers are actively exploiting, not just the ones already codified into regulation.
Access the Complete BK-GA³™ Framework Now
Read the interactive framework (Free. No download required. Open standard for community use.)
"BK-GA³™ provides a unified and truly global open standard for assessing AI risk." - Bob Maley, Chief Security Officer, Black Kite
