AIRiskAware

This article is currently available in English only.

Risk Management 9 min read 2026

Third-Party AI Risk: Why Your Vendor's AI Problem Is Your Problem

Most enterprise AI risk sits in third-party software, not internally developed systems. When your ERP vendor adds AI features, when your HR platform uses AI for talent screening, when your customer service software deploys AI responses — you become responsible for governance outcomes you did not design.


Key Takeaways

  • The majority of enterprise AI exposure is in third-party software — AI features added to existing enterprise applications, AI APIs embedded in workflows, and dedicated AI tools purchased by business units without central oversight.

  • Under the EU AI Act, the organisation that deploys AI — even AI developed and maintained entirely by a third party — is the deployer with deployer obligations. You cannot contract away your regulatory obligations by pointing at the vendor.

  • Most enterprise software contracts do not contain adequate AI governance provisions — they address data processing under GDPR but do not address AI-specific obligations including model drift notification, bias testing, and incident reporting.

  • The shadow AI problem: business units purchase and deploy AI tools through software procurement processes that bypass technology governance. The AI footprint in most large organisations is 2-4x larger than IT believes.

  • A practical third-party AI risk management programme: discovery, classification, contract remediation, and ongoing monitoring — the framework that transforms unknown AI exposure into managed risk.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Please consult a qualified professional for specific advice."

The third-party AI problem most organisations are missing

When organisations think about AI governance, they typically think about AI they have built — models developed by their data science team, AI tools their technology team has integrated, AI capabilities they have explicitly decided to deploy. This is the visible AI footprint, and it represents a minority of most large organisations' actual AI exposure.

The invisible AI footprint — the AI embedded in third-party software, the AI features added to existing enterprise applications, the AI tools purchased by business units through expense accounts — is typically two to four times larger than the visible footprint in large organisations. And it is the part of the AI footprint where governance is most likely to be absent.

Consider the typical enterprise software stack. The HR platform uses AI for talent screening and performance analytics. The CRM uses AI for lead scoring and churn prediction. The finance system uses AI for anomaly detection and forecasting. The customer service platform uses AI for response generation and escalation routing. The email system uses AI for scheduling and drafting. The cybersecurity platform uses AI for threat detection. In a large organisation, this represents dozens of AI systems, affecting thousands of decisions, with governance that typically consists of the vendor's terms of service and whatever due diligence was conducted at the time of initial procurement — which predates the AI features in most cases.

The deployer obligation that cannot be contracted away

Under the EU AI Act, an organisation that uses a third-party AI system in its operations is the deployer of that system and has deployer obligations. These include: ensuring the AI is used within its intended purpose and the conditions established by the provider; implementing human oversight measures; ensuring appropriate monitoring of the AI's operation; and reporting serious incidents. Deployer obligations cannot be transferred to the AI provider through contract. The organisation deploying the AI is responsible for its governance, regardless of who built it.