Detangling Third-Party AI Risks — When Your Vendor’s AI Becomes Your Problem (Part I of II)

The rapid integration of artificial intelligence into business operations has created a new and largely uncharted compliance frontier. Companies are scrambling to assess AI risks within their own operations, but many are overlooking an equally important question: what happens when your third parties use AI?

The answer depends on a legal distinction that compliance professionals already know well from the Foreign Corrupt Practices Act and similar laws — but that takes on new dimensions in the AI context. The critical question is whether the third party is acting on your behalf or simply providing goods and services to you.

Getting this distinction right is essential. Get it wrong, and your AI risk assessment is built on a faulty foundation.

The Agency Principle — Old Law, New Application

The foundational principle here is not new. Under the FCPA and similar anti-bribery statutes, a company can face criminal and civil liability when a third party — an agent, distributor, or consultant — pays bribes to government officials on the company’s behalf, at least where the company knew of, or consciously disregarded a high probability of, the improper payment. The third party’s conduct is attributed to the principal company because the third party was acting as its agent.

The same agency logic applies to AI.

When a third party acts on your behalf — executing your business strategy, managing your customer relationships, representing your interests, or performing functions you would otherwise perform yourself — that third party’s use of AI becomes part of your risk profile. If the third party deploys AI-driven tools that engage in discriminatory decision-making, generate false outputs that harm customers, violate privacy regulations, or facilitate fraud, the principal company cannot simply point to its vendor agreement and walk away.

You authorized the relationship. The third party acted on your behalf. The liability follows.

Who Falls Into This Category?

Companies need to think carefully about which third-party relationships involve acting on their behalf. Common examples include:

  • Sales agents and distributors who represent your products and your brand to customers
  • Customer service outsourcing providers who interact with your customers in your name
  • Recruitment process outsourcers who screen, assess, and filter job candidates on your behalf
  • Financial services intermediaries who process transactions or make decisions affecting your customers
  • Marketing agencies that generate content and communications attributed to your company
  • Compliance and due diligence providers whose outputs inform your legal obligations

In each of these relationships, AI embedded in the third party’s operations can generate legal exposure for your company — from employment discrimination claims to consumer protection violations to regulatory enforcement actions.

What Due Diligence Must Cover

The compliance implication is direct. Third-party due diligence programs must now include specific AI risk components for vendors who act on your behalf. That means asking:

  • What AI tools does this third party deploy in performing services for us, and which of those tools are supplied by its own subcontractors or model providers?
  • What data of ours, and of our customers, flows into those tools, and is any of it used to train or fine-tune the third party’s (or a model provider’s) systems?
  • How are those AI tools trained, tested, and monitored for accuracy and bias?
  • What human oversight exists over AI-generated outputs, and can an affected person get a decision reviewed by a human?
  • Does the third party’s AI use comply with applicable laws — including employment, privacy, and consumer protection frameworks?
  • What contractual representations, incident notification obligations, and audit rights protect us if AI-related misconduct or failure occurs?

These are not theoretical questions. Regulators across employment, financial services, privacy, and consumer protection domains are actively developing AI accountability frameworks. Companies that have not extended their due diligence programs into the AI practices of their agents and acting third parties are carrying unquantified legal exposure.

Conclusion

The agency principle has governed third-party compliance liability for decades. AI does not change the principle — it dramatically expands the surface area where that principle applies.

When your third party acts on your behalf and deploys AI to do it, that AI is effectively operating in your name. Your due diligence program, your contracts, and your monitoring systems need to reflect that reality.

Next week, we will examine the flip side of this framework — situations where third parties provide incidental goods or services and their AI use does not create legal liability for you, but can still create serious reputational exposure.
