Detangling Third-Party AI Risks — Reputational Risk When Your Vendor’s AI Misbehaves (Part II of II)

Last week we examined the agency principle in third-party AI risk — the situations where a third party acts on your behalf and its AI-related misconduct can be legally attributed to your company. This week, we turn to the other side of the framework: what happens when a third party provides incidental goods or services and does not act on your behalf?

The short answer is that your legal exposure is significantly reduced. But do not mistake reduced legal liability for reduced risk. In these situations, reputational risk steps in where legal liability steps back — and in today’s environment, reputational damage can be just as devastating as a regulatory enforcement action.

Incidental Service Providers — The Legal Analysis

When a third party provides goods or services that are incidental to your core business operations — an office supply vendor, a facilities management company, a cloud infrastructure provider, a catering service — that vendor is not acting on your behalf in any meaningful legal sense. They are selling you something. The agency relationship that creates vicarious liability does not exist.

If that vendor deploys AI poorly — using biased algorithms in its internal hiring, generating inaccurate outputs in its own operations, or mishandling data in ways that affect its own customers — your company generally does not inherit that legal liability. You are a customer of their services, not the principal authorizing their conduct.

This is an important distinction for compliance officers who are trying to scope their AI risk programs. Not every vendor relationship requires the same depth of AI-focused due diligence. Prioritization matters.

But Reputational Risk Is Real

Here is where many companies make a critical error. They conclude that because legal liability is limited, the risk is limited. That is wrong.

Reputational risk does not follow legal doctrine. It follows public perception.

Consider several scenarios that are not hypothetical. A major consumer brand’s packaging supplier is exposed for deploying AI tools that engaged in systematic racial discrimination in its hiring practices. A healthcare company’s facilities vendor is revealed to have used AI-generated outputs in ways that violated patient privacy — even if that data never touched the healthcare company’s systems. A financial institution’s office technology provider is found to have embedded AI tools that were trained on improperly obtained data.

In each of these cases, the principal company faces no direct legal liability. But the association — the fact that your name appears alongside a vendor embroiled in an AI ethics scandal — creates reputational exposure that can damage customer trust, employee confidence, investor relations, and regulatory goodwill.

A Risk-Tiered Approach to Vendor AI Assessment

The practical compliance response is a tiered approach that aligns the depth of AI risk assessment with the nature and visibility of the vendor relationship.

For acting third parties — agents, representatives, and service providers who perform functions on your behalf — deep AI due diligence is both a legal and compliance necessity.

For incidental service providers, full legal due diligence may not be required, but a baseline assessment of significant AI-related reputational risks is prudent. Key questions include:

  • Is this vendor in a sector or jurisdiction that is attracting significant AI ethics scrutiny?
  • Does the vendor interact with our employees, customers, or data in any meaningful way?
  • Would a significant AI-related controversy involving this vendor generate media association with our brand?
  • Does our ESG or sustainability reporting create implicit accountability for vendor AI practices?

Building a Proportionate Program

The goal is not to create an unmanageable compliance burden by treating every vendor as a potential AI liability. The goal is to build a proportionate, risk-tiered program that directs compliance resources where they matter most — while maintaining a baseline awareness of reputational exposure even in lower-risk vendor relationships.

The companies that will navigate the AI third-party risk landscape most effectively are those that build this framework now — before an association with a vendor AI controversy forces a reactive response under media and regulatory pressure. Third-party AI risk is not a single category of exposure. It is a spectrum. Understanding where each vendor sits on that spectrum is the first and most important step.
