When assessing AI-related risk, do we include our vendors' use of AI? We don't have to reinvent the VRM wheel: we just have to consider some new factors. How in the world do we assess AI risk, and where do we start? We will discuss these questions, new tools, and creative approaches such as (and not limited to)the NIST AI RMF, ISO standards 23053 and 42001, contractual considerations, and legislation like the EU-AI Act to help reduce AI risk in the VRM process.