HM Treasury's move to designate AI providers as UK critical third parties, a German court ruling that made a chatbot's words the company's legal liability, and the Character.AI/Google settlement all show the same pattern: vendor AI risk is now the deploying organisation's problem, not the vendor's. Here's what boards and risk teams need to check before the next case names them instead.
Deloitte's $290,000 government report scandal, AICD's warning on AI vendor concentration risk, and the UK's new Critical Third Parties regime all expose the same gap: accountability for AI-enabled outcomes can't be outsourced to the vendor that built the tool. Here's what risk and governance teams should check before relying on vendor AI assurances.
Third-party vendors increasingly embed AI into their services, yet many organisations rely too heavily on vendor assurances without independent verification. Effective AI risk management demands clear ownership, thorough evidence review, and ongoing oversight to meet governance and regulatory expectations.