HomeArtificial Intelligence (AI)

Artificial Intelligence (AI)

Third-Party AI Dependency Requires Rigorous Risk Management

HM Treasury's move to designate AI providers as UK critical third parties, a German court ruling that made a chatbot's words the company's legal liability, and the Character.AI/Google settlement all show the same pattern: vendor AI risk is now the deploying organisation's problem, not the vendor's. Here's what boards and risk teams need to check before the next case names them instead.

Integrate AI Vendor Change Controls to Prevent Sudden Disruption

When Replit's AI coding agent deleted a live production database mid-project in July 2025, it exposed a gap most vendor risk frameworks miss: ongoing change monitoring, not just onboarding checks. NIST's GOVERN 6.2 and ISACA's 2025 incident review both point to the same fix — treat vendor AI oversight as a standing control, not a one-time sign-off.

AI Risk Management Must Be Business-Led Ownership to Unlock Value and Control

Grant Thornton's 2026 AI Impact Survey, Forrester and MIT research on failed AI pilots, and the EU AI Act's Article 26 deployer obligations all point to the same gap: boards are funding AI faster than they are assigning who owns it. Here's why business-led ownership, not another control layer, is what actually makes AI risk management work.

Why Over-Reliance on Vendor AI Assurances Puts Your Organisation at Risk

Deloitte's $290,000 government report scandal, AICD's warning on AI vendor concentration risk, and the UK's new Critical Third Parties regime all expose the same gap: accountability for AI-enabled outcomes can't be outsourced to the vendor that built the tool. Here's what risk and governance teams should check before relying on vendor AI assurances.

Why AI Risk Management Must Treat Ethical Conduct as a Business Imperative, Not Just a Compliance Box

A federal court ruling against Workday in the Mobley v. Workday case, a Fair Credit Reporting Act class action against Eightfold AI, and new Fortune 100 board-oversight data all point the same way: ethical AI conduct is now a liability and governance issue, not a values statement. This post sets out what risk and governance teams should be asking right now.

Why AI Risk Management Must Move Beyond Traditional Model Risk Frameworks

APRA and ASIC both issued 2026 letters to industry warning that AI governance hasn't kept pace with adoption, flagging vendor concentration risk and director accountability gaps. ASIC's enforcement action against FIIG shows what inadequate controls cost in practice. This post sets out what to ask your organisation before a regulator asks first.