The Third-Party AI Risk Conversation Has Changed – Here’s What I’m Seeing in the Market
By Nathan Hopkins, Chief Revenue Officer, The Escrow Company
Over the past eighteen months, I’ve spent a considerable amount of time speaking with enterprise organisations, software vendors, procurement teams, lawyers, operational resilience professionals, and technology leaders about artificial intelligence.
One thing has become increasingly clear. The conversation around AI has changed.
Organisations had previously been searching for answers around capability. They wanted to understand what AI could do, how quickly it could be be deployed, and where it could create value.
Today, the conversations are noticeably different.
The questions I’m hearing are no longer:
“Can AI improve our business?”
They’re asking:
“What happens if this AI supplier fails?”
“How do we recover if the platform disappears?”
“What exactly are we becoming dependent upon?”
For me, that’s one of the clearest signs that the AI market is maturing.
Organisations aren’t becoming less interested in AI.
They’re becoming more realistic about the risks that come with it.
We’ve Been Here Before…
This isn’t the first time technology has fundamentally changed the way organisations think about third-party risk.
Twenty years ago, most enterprise software lived inside the organisation’s own data centre.
If something went wrong, the software, servers, and databases were generally under the customer’s control. Business continuity focused on hardware resilience, internal IT teams, and ensuring support contracts remained in place.
Cloud computing changed that completely.
Applications moved into supplier-managed environments.
Businesses gained flexibility, scalability, and significantly lower infrastructure costs, but they also accepted a new risk. If the supplier experienced a major outage, suffered insolvency, or simply stopped supporting the product, the customer had far less control than they had previously enjoyed.
Conversations around SaaS continuity, exit planning, and supplier resilience changed.
Artificial intelligence represents another major shift.
Only this time, the dependency isn’t simply on software.
Today’s AI applications are often built upon a complex chain of technologies that may include foundation models, cloud providers, training datasets, prompt libraries, orchestration platforms, APIs, model weights, and third-party AI services.
The technology stack has become significantly more complicated.
Unfortunately, so has the risk.
The Risk Profile Has Changed
With traditional software, continuity usually centred around source code, documentation, and deployment processes.
Modern AI solutions introduce entirely new dependencies.
What happens if the underlying model provider changes pricing?
What happens if the vendor switches foundation models?
Who owns the fine-tuned model?
Can the training data be recovered?
Can the solution still operate if one of several interconnected AI services becomes unavailable?
These aren’t hypothetical legal questions anymore.
They’re increasingly appearing in procurement meetings, supplier due diligence exercises, and board-level discussions.
Innovation Doesn’t Remove Commercial Risk
One misconception I have encountered is that successful AI companies are somehow less exposed to business risk because of the enormous investment flowing into the sector.
History tells us otherwise.
One example I regularly reference is Argo AI.
Founded in 2016, Argo AI rapidly became one of the world’s best-funded autonomous vehicle companies. Supported by Ford and Volkswagen, it developed sophisticated perception models, prediction systems, mapping technology, and cloud-based simulation environments that became central to numerous autonomous driving programmes.
Then, in October 2022, everything changed. Ford and Volkswagen withdrew funding.
Argo AI shut down.
Almost overnight, customers and partners lost access to cloud-hosted AI models, mapping platforms, simulation environments, engineering expertise, and development roadmaps. Ford subsequently announced a $2.7 billion impairment, while autonomous vehicle programmes were delayed or cancelled entirely.
The lesson wasn’t simply that an AI company failed.
It was that organisations had become dependent on a sensitive and rapidly evolving technology ecosystem more than many had fully appreciated, one where not everyone can win.
Failure Isn’t Always Insolvency
Another trend I’m seeing is organisations expanding their thinking beyond financial issues.
Historically, supplier continuity planning focused heavily on insolvency.
That’s still important.
But AI introduces additional scenarios that can have exactly the same operational impact.
With the rate of innovation and political pressures, strategic priorities can change, products can be discontinued, and partnerships can end.
Entire product lines can disappear despite the supplier remaining financially healthy.
One example from earlier this year, discussed during a recent presentation, involved OpenAI’s decision to discontinue its AI video-generation application, Sora, while simultaneously winding down a significant content partnership with Disney as strategic priorities evolved.
Whether organisations agree with those strategic decisions is almost irrelevant.
The important point is this:
Customers building new commercial initiatives or integrating solutions into critical business processes, and relying on those technologies, can suddenly find themselves reassessing their plans through no fault of their own.
Supplier risk is no longer just about financial failure.
It’s also about strategic change.
Regulators Are Also Changing the Conversation
At the same time, regulators are placing far greater emphasis on operational resilience than they were only a few years ago.
Whether organisations operate under DORA, the EU AI Act, APRA CPS230, the PRA’s operational resilience framework, NIS2, or similar guidance elsewhere in the world, a common theme is emerging.
Responsibility is shifting.
Increasingly, regulators expect organisations themselves to understand their critical suppliers, assess technology dependencies, and maintain credible exit and recovery strategies.
The responsibility no longer sits solely with the software vendor.
It sits with the organisation choosing to adopt that technology.
That’s a subtle but significant shift.
What the Best Organisations Are Doing Differently
The organisations managing AI most effectively aren’t slowing innovation.
If anything, they’re accelerating it.
The difference is that they’re putting stronger governance around adoption.
They’re identifying which AI suppliers are genuinely business-critical.
They’re understanding where models, data, and infrastructure originate.
They’re documenting dependencies.
They’re developing and testing stressed exit plans rather than assuming suppliers will always remain available.
Most importantly, they’re recognising that continuity planning now extends well beyond source code and service availability.
Modern AI applications often require organisations to consider deployment environments, cloud infrastructure, model weights, prompt libraries, training workflows, documentation, and operational processes if meaningful continuity of service is ever going to be achieved.
Continuity Solutions Are Evolving Too
This changing landscape is also driving changes in how continuity solutions are designed.
Traditional Software Escrow remains an important safeguard for many organisations seeking to minimise risk with third-party solutions.
However, cloud-hosted AI platforms frequently require broader consideration.
Depending on the architecture involved, organisations may also require SaaS Escrow, Recovery Escrow, Access Continuity, or Managed SaaS Continuity arrangements that extend beyond software source code to include deployment materials, cloud environments, databases, AI assets, and verification services.
Increasingly, continuity isn’t about protecting a single software application.
It’s about protecting an entire operational ecosystem.
Where I Think the Market Is Heading
If there’s one consistent trend I’ve noticed over the last year, it’s that organisations are significantly more sophisticated in how they assess AI suppliers.
They’re asking better questions around dependencies and putting sophisticated recovery plans in place.
They’re involving legal teams earlier.
They’re engaging operational resilience specialists much sooner.
And they’re recognising that supplier risk should be considered before an AI platform becomes embedded within critical business processes rather than afterwards.
In many ways, that’s a healthy development, perhaps because of the time it took for compliance, risk, and technology departments to catch up with the demands placed on them following hyperscale cloud and SaaS adoption, particularly when considering the shared responsibility model promoted by the major cloud vendors.
AI offers extraordinary opportunities.
Like every significant technology shift before it, successful adoption depends on understanding not only what the technology can do, but also what happens if it unexpectedly changes, disappears, or can no longer be supported.
The organisations that will gain the greatest long-term value from AI won’t necessarily be those that adopt it the fastest.
They’ll be the organisations that combine innovation with good governance, robust supplier management, and practical continuity planning.
From the conversations I’m having across the market, that’s exactly where enterprise AI adoption is heading.