Third-Party AI Risk: Why Your Vendor's AI Problem Is Your Problem

Most enterprise AI risk sits in third-party software, not internally developed systems. When your ERP vendor adds AI features, when your HR platform uses AI for talent screening, when your customer service software deploys AI responses — you become responsible for governance outcomes you did not design.

AIRiskAware

Specialist AI Risk Governance & Compliance

The third-party AI problem most organisations are missing

When organisations think about AI governance, they typically think about AI they have built — models developed by their data science team, AI tools their technology team has integrated, AI capabilities they have explicitly decided to deploy. This is the visible AI footprint, and it represents a minority of most large organisations' actual AI exposure.

The invisible AI footprint — the AI embedded in third-party software, the AI features added to existing enterprise applications, the AI tools purchased by business units through expense accounts — is typically two to four times larger than the visible footprint in large organisations. And it is the part of the AI footprint where governance is most likely to be absent.

Consider the typical enterprise software stack. The HR platform uses AI for talent screening and performance analytics. The CRM uses AI for lead scoring and churn prediction. The finance system uses AI for anomaly detection and forecasting. The customer service platform uses AI for response generation and escalation routing. The email system uses AI for scheduling and drafting. The cybersecurity platform uses AI for threat detection. In a large organisation, this represents dozens of AI systems, affecting thousands of decisions, with governance that typically consists of the vendor's terms of service and whatever due diligence was conducted at the time of initial procurement — which predates the AI features in most cases.

The deployer obligation that cannot be contracted away

Under the EU AI Act, an organisation that uses a third-party AI system in its operations is the deployer of that system and has deployer obligations. These include: ensuring the AI is used within its intended purpose and the conditions established by the provider; implementing human oversight measures; ensuring appropriate monitoring of the AI's operation; and reporting serious incidents. Deployer obligations cannot be transferred to the AI provider through contract. The organisation deploying the AI is responsible for its governance, regardless of who built it.

Third-Party AI Risk: Why Your Vendor's AI Problem Is Your Problem

Key Takeaways

The third-party AI problem most organisations are missing

The deployer obligation that cannot be contracted away

Stay ahead of AI governance

Related articles

AI Model Risk Controls: Validation, Monitoring, and What Regulators Actually Expect

The CRO's Guide to AI Risk: Building a Framework That Satisfies Regulators and the Board

AI in UK Insurance: FCA Consumer Duty, PRA Expectations, and What Insurers Must Do Now

More from AIRiskAware