AP-03 — Approved Provider List
Strategy Reference
- Section 8 — Data Classification & Provider Eligibility (Internal, Confidential, Restricted tiers)
- Section 10 — ROI & Stop Criteria
- Section 12, Phase 1 — Approved provider list ratified and communicated
Goal
By month 2, publish a ratified Approved Provider List that names each AI tool sanctioned for Feoda use, the data tiers it may handle, the contractual conditions in place (DPA, SSO, audit), the named owner, and the next review date.
The list is the single source of truth. Any AI tool not on the list is not approved.
Scope
In scope:
- All AI providers used by Feoda employees for Feoda work — chat, coding, document, image, voice, agent platforms
- All providers contemplated for use in the next 12 months
Out of scope:
- Tools that incidentally include AI features but are not procured for AI capability (e.g. spam filters, search ranking)
Deliverables
- Approved Provider List document at company/strategy/approved-providers.md
- Per-provider record including: vendor, product/tier, data tiers permitted, DPA status, SSO status, audit-log mechanism, named owner, contract end date, next review date
- Provider-evaluation procedure — how new providers are added; required evidence; sign-off path
- Provider-removal procedure — how providers are removed and what migration applies
- Communication plan — how the list is announced; how exceptions are requested
Milestones
| Milestone | Target Month | Exit Criteria |
|---|---|---|
| Initial provider inventory completed | Month 1 | All currently-used tools catalogued |
| Per-provider evidence collected (DPA, SSO, audit) | Month 1 | Evidence file per provider |
| List ratified by Head of Technology | Month 2 | Document signed off; first version published |
| Communicated company-wide | Month 2 | Announcement issued; deadline for non-compliance set |
| First quarterly review | Month 5 | Review completed; deltas logged |
Dependencies
- None for the initial list
- Feeds AP-01 — Identity-Bound AI Access: only approved providers are bound to SSO
Risks & Mitigations
| Risk | Mitigation |
|---|---|
| Critical provider lacks DPA or enterprise tier | Negotiate, switch tier, or replace before approval |
| List becomes stale as new tools emerge | Quarterly review; lightweight provider-add procedure |
| Shadow IT undermines the list | Pair with AP-01 enforcement and AP-05 logging |
Success Measures
- Approved Provider List published and current
- 100% of provider entries have evidence on file (DPA, SSO, audit method)
- Quarterly review completion on time
- Zero confidentiality incidents traced to use of unapproved providers
Status Log
| Date | Status | Notes |
|---|---|---|
| 2026-04-22 | Not Started | Action plan created. Approved Provider List skeleton created at company/strategy/approved-providers.md. |