Episode 423 — Detangling Third-Party AI Risks — Legal Liability and Reputational Exposure

As artificial intelligence becomes embedded in third-party business operations, companies face a new and largely unexamined compliance challenge: when does a vendor’s use of AI become your legal or reputational problem? In this episode, Michael Volkov unpacks the critical agency-principle distinction at the heart of third-party AI risk. Drawing on the same legal framework that governs FCPA third-party liability, he explains how acting third parties who deploy AI on a company’s behalf can create direct legal liability for the principal. Incidental service providers, who supply goods or services without acting on the company’s behalf, present a different but equally serious reputational risk. Michael also examines what robust AI-focused third-party due diligence must include, how to build a risk-tiered compliance framework that allocates resources proportionately, and why reduced legal liability is never the same as reduced risk in an environment where vendor AI controversies generate brand association damage regardless of legal culpability.











