AI Risk Sits Inside the Services You Procure

The recent ABC reporting on VIQ Solutions is a useful case study for any organisation thinking about AI governance, data risk and third-party services.

30 Second Take

The issue is not only about one supplier.

It is about visibility. And it is just as relevant for government and non-government entities alike.

Multiple government agencies had used VIQ Solutions for transcription-related services, including agencies dealing with sensitive legal, tax, defence and public service matters. This includes concerns about sensitive court files being accessed offshore through a transcription service arrangement, with key questions being asked about privacy, confidentiality, national security and supplier oversight.

This is exactly the kind of scenario all organisations need to pay attention to and be asking the really hard questions of management of their ability to know their AI governance controls/protocols and risk assessment process.

“Overall, this issue demonstrates there’s a weakness in our processes and protocols … How can one company so expose all these departments to a security risk?”

The risk is not always obvious

Not every service is an AI governance issue.

But modern services increasingly contain technology, automation, analytics or AI-enabled capability that may not be obvious to the organisation buying the service.

This risk does not only apply to government. It applies to corporates, universities, insurers, health providers, professional services firms, not-for-profits and medium-sized enterprises.

AI and automation can sit inside vendor platforms, outsourced processes, document workflows, recruitment systems, customer service tools, cyber tools, analytics platforms and employee productivity applications.

The organisation may not have built the tool. But it may still be relying on it.

Too often I have heard senior people within organisations talk about embracing AI, and that others are doing it without a problem.

Very often this takes the form of language of:

  • Why are we setting the bar so high, they are already using it elsewhere
  • I seem the only one tying to make this happen
  • “It seems like we are trying to find a way to say ‘no'”

This type of sentiment does not come with any evidence of the AI governance, just observational comments.

The real governance question

The key governance question is no longer:

“Are we building AI?”

The better question is:

“Where are we or will be rely on AI, automation or data-processing technology — directly or through a third party?”

That distinction matters.

Accountability does not disappear when a service is outsourced:

  • If sensitive information is processed offshore, the organisation still has a governance issue.
  • If a vendor uses AI or automated processing, the organisation still needs to understand the risk.
  • If data is accessed by subcontractors, the organisation still needs assurance.
  • If customers, citizens, employees, legal matters or business-critical decisions are affected, the organisation still needs evidence that controls are working.

Where organisations are exposed

This is where many organisations may be weaker than they realise, relying on traditional policies and processes and not recognising AI is different, such as:

  • Procurement processes, but not AI-specific questions.
  • Privacy policies, but not a clear AI posture and inventory.
  • Vendor contracts, but limited visibility of subcontractors, data flows or automated processing, or specific AI terms and conditions.
  • Risk framework, but no consistent way to assess AI-enabled services before they become embedded in operations.

AI governance has to reach beyond policy documents and technology approvals.

It needs to connect procurement, privacy, cyber security, legal, risk, operations, data governance, business ownership and assurance.

Two assessments are needed

Organisations need to assess AI risk at two levels.

First, they need to assess their organisation-wide AI governance maturity.

This means looking at leadership, accountability, policy, inventory, data governance, privacy, cyber security, third-party management, training, monitoring and assurance.

Second, they need to assess each AI initiative or AI-enabled service.

This means understanding the purpose, data, users, affected stakeholders, level of automation, human oversight, vendor reliance, compliance obligations and potential impact if something goes wrong.

Both views matter.

A mature organisation can still approve a poorly controlled AI use case.

The questions leaders should be asking

A practical AI governance approach should help leaders answer simple questions:

  • Where is AI, automation or advanced data processing being used?
  • What data is involved?
  • Who can access it?
  • Where is it stored or processed?
  • Are third parties or subcontractors involved?
  • What decisions, services or records does it support?
  • What could go wrong?
  • Who is accountable?
  • What evidence shows the risk is being managed?

These questions should not wait until after a problem appears.

They should be built into governance, procurement, project approval, vendor management, risk assessment and assurance.

Lesson for every organisation

The VIQ Solutions case is a reminder that AI and technology risk may not arrive through a major transformation program.

It may already be sitting inside a service your organisation uses every day.

The lesson is simple.

Do not only assess the AI tools you build. Assess the services you use, the vendors you rely on, the data flows you create, and the maturity of the whole organisation to govern AI and technology-enabled risk.

Because in modern organisations, AI risk is not always visible at the surface.

Good governance starts by knowing where to look.

Free 3–5 minute AI diagnostic

Know where your AI governance stands in five minutes.

Use a short diagnostic to test practical AI governance, oversight and risk controls. Get an immediate visual result and suggested next focus areas.

Practical tools for boards, executives, auditors and risk professionals.

10 questions Visual result Local browser storage
Learn more Visit reading room
Privacy note: your individual results are not stored by Innovation of Risk. Results stay in your browser; we only track aggregate usage such as page views and average score once you leave our page.

More from the Reading Room

Using AI Risk Management to Accelerate Innovation

New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.