Back to Insights

    1 April 2026

    Third-Party AI Supplier Risk: What You Need to Check

    Most businesses don't build their own AI. They buy it. Here's how to assess whether your AI suppliers are creating compliance risk.

    SH

    Sam Hawkins

    Syntra Automate

    Most UK businesses do not build their own AI systems. They buy them — through SaaS platforms, embedded features in existing software, API integrations, and off-the-shelf tools from providers like OpenAI, Microsoft, Google, Anthropic, and dozens of smaller vendors.

    This creates a fundamental challenge: your compliance obligations do not disappear because someone else built the technology. Under the EU AI Act (Regulation (EU) 2024/1689), the UK GDPR, and general corporate governance principles, your organisation remains responsible for how AI is used in your business — even when the AI comes from a third party.

    If your suppliers are not governing AI properly, the risk lands on you. And most businesses have not assessed that risk at all.

    Why supplier risk matters

    You are dependent on their practices. When you use a third-party AI tool, your data flows through their infrastructure, their models, and their security controls. Their data handling practices, their training methodologies, and their terms of service directly affect your risk exposure.

    Regulatory liability sits with you. Under the EU AI Act, deployers of high-risk AI systems have their own obligations — regardless of whether they built the system. Article 26 sets out deployer obligations including using the system in accordance with instructions, ensuring human oversight, monitoring operation, and keeping logs. You cannot outsource accountability.

    Under the UK GDPR, if a supplier processes personal data on your behalf, you remain the data controller. You are responsible for ensuring adequate safeguards are in place.

    Terms change. AI providers regularly update their terms of service, data processing practices, and model capabilities. What was true when you signed the contract may not be true today. A supplier that committed to not using your data for training might change that policy. A tool that processed data in the UK might move processing to another jurisdiction.

    Concentration risk. Many organisations depend heavily on a small number of AI providers. If your critical business processes rely on one provider's API, a service disruption, a pricing change, or a terms-of-service amendment could have significant operational consequences.

    What to check: the supplier assessment framework

    When evaluating an AI supplier — whether during procurement or reviewing an existing relationship — here is what to examine.

    Data processing and storage

    - Where is data processed and stored? Identify the geographic locations. Data processed outside the UK or EU may raise transfer issues under the UK GDPR.

    - What data do they process? Understand exactly what data the supplier's AI system receives, processes, and retains. Map this against data sensitivity categories.

    - How long is data retained? Some providers retain input data for days, weeks, or indefinitely. Understand the retention period and your ability to request deletion.

    - Is data segregated? In multi-tenant AI services, is your data segregated from other customers' data? What controls prevent cross-contamination?

    Training data usage

    This is one of the most critical questions. Ask directly:

    - Does the supplier use your input data to train or improve their AI models? Many providers do, particularly on free or lower-tier plans. This means your confidential business data or customers' personal data could influence a model that serves millions of other users.

    - Can you opt out of training data usage? Some providers offer enterprise tiers with contractual commitments not to use customer data for training. Verify this is in your agreement, not just on a marketing page.

    - What data was used to train the model? While providers may not disclose full training datasets, understanding the general approach helps assess risks around bias, intellectual property, and accuracy.

    Security and certifications

    - What security certifications does the supplier hold? Look for ISO 27001, SOC 2 Type II, and Cyber Essentials Plus as minimum expectations for handling business data.

    - What encryption is in place? Data should be encrypted in transit and at rest.

    - How are access controls managed? Understand who at the supplier can access your data and under what circumstances.

    - What is their incident response process? How quickly will they notify you of a security breach? Is this contractually committed?

    Contractual protections

    - Is there a data processing agreement (DPA)? Required under the UK GDPR where the supplier processes personal data on your behalf. The DPA should cover processing purposes, security measures, sub-processor management, breach notification, and data subject rights.

    - What are the liability provisions? Does the contract include meaningful liability for data breaches, service failures, or compliance failures?

    - What happens to your data on termination? Can you export your data? Is it deleted? Within what timeframe?

    - How are terms changes handled? Does the supplier notify you of material changes to terms? Do you have the right to terminate if terms change unfavourably?

    EU AI Act compliance commitments

    The EU AI Act places specific obligations on AI providers — particularly for high-risk systems. Ask:

    - Does the supplier acknowledge EU AI Act obligations? For high-risk systems, providers have extensive obligations under the Act, including conformity assessments, technical documentation, and EU database registration.

    - Will the supplier provide the technical documentation you need as a deployer? Article 13 requires providers of high-risk systems to provide deployers with sufficient information to understand and use the system in compliance with the Act.

    - Does the supplier commit to supporting your compliance obligations? As a deployer, you need information from your provider to fulfil your own obligations — risk management, human oversight, monitoring.

    Business continuity

    - What is the supplier's uptime commitment? Review the SLA carefully.

    - What happens if the supplier ceases trading? For critical AI systems, this is a material risk. Consider whether you have access to alternative providers.

    - Can you switch providers? Assess the difficulty and cost of migrating to an alternative if the relationship ends.

    Specific questions to ask your AI suppliers

    Here are direct questions you should be putting to every AI supplier:

    1. Do you use our input data to train, fine-tune, or improve your AI models? If yes, can we opt out contractually?

    2. Where is our data processed and stored? In which jurisdictions?

    3. What happens to our data if we terminate the service?

    4. What security certifications do you hold, and when were they last audited?

    5. How will you notify us of a data breach, and within what timeframe?

    6. Who at your organisation can access our data?

    7. What sub-processors do you use, and how do you manage sub-processor risk?

    8. How do you handle changes to your terms of service or data processing practices?

    9. What information can you provide to support our EU AI Act compliance obligations?

    10. What measures do you take to ensure your AI outputs are accurate and free from harmful bias?

    If a supplier cannot or will not answer these questions clearly, that is a red flag.

    What good supplier documentation looks like

    A well-governed AI supplier should be able to provide:

    - A clear, detailed data processing agreement

    - A transparency report or system card explaining how the AI works, its intended use, known limitations, and risk considerations

    - Current security certifications (ISO 27001, SOC 2)

    - A published privacy policy that specifically addresses AI data processing

    - A sub-processor list that is kept current

    - Clear guidance on how to configure the tool for compliance (such as disabling training data usage)

    - Documented incident response procedures and notification commitments

    If a supplier provides all of this proactively, they are likely taking governance seriously. If you have to chase for it, proceed with caution.

    Red flags to watch for

    Be wary of suppliers who:

    - Cannot confirm where data is processed. Geographic uncertainty means compliance uncertainty.

    - Use vague language about training data. "We may use data to improve our services" could mean anything. Insist on specificity.

    - Lack recognised security certifications. For any tool processing business or personal data, ISO 27001 or SOC 2 should be table stakes.

    - Resist signing a data processing agreement. If a supplier will not commit contractually to data protection, do not give them your data.

    - Change terms frequently without clear notice. A supplier that regularly shifts the goalposts creates ongoing compliance risk.

    - Have no published AI ethics or governance commitments. While not a regulatory requirement, the absence of any stated principles suggests governance maturity is low.

    - Offer no enterprise tier with enhanced data controls. If the only option is a consumer-grade service with no contractual protections, it is not suitable for business use with sensitive data.

    How to build a supplier assessment process

    For ongoing supplier risk management:

    1. Create a standard assessment questionnaire based on the questions above. Apply it consistently to every AI supplier.

    2. Assess at procurement. No AI tool should enter the organisation without completing the assessment.

    3. Review annually. Supplier risk is not static. Terms change, certifications lapse, and new risks emerge. Build annual reviews into your governance cycle.

    4. Maintain a supplier register. Record each AI supplier, their assessment results, key contractual terms, and review dates. Link this to your AI risk register.

    5. Escalate concerns. If a supplier assessment reveals material risks, escalate to leadership. Do not let procurement pressure override compliance concerns.

    The bottom line

    Your AI governance is only as strong as your weakest supplier. Most organisations depend on third-party AI — and most have not assessed whether those suppliers are creating compliance, security, or operational risk.

    The EU AI Act's high-risk obligations arrive on 2 August 2026, with fines of up to EUR 35 million or 7% of worldwide annual turnover. Your suppliers' practices are part of your compliance picture.

    Ask the hard questions. Check the documentation. Build supplier assessment into your governance process. The alternative — trusting blindly — is not a strategy a regulator will accept.

    Want to know where your business stands?

    Request a free AI audit. Personally reviewed, delivered to your inbox within 5 business days.

    Get a free AI audit