Harvard Business Review LogoJuly 9, 2026Andriy Onufriyenko/Getty ImagesEnterprises increasingly deploy AI systems they did not build, yet courts and regulators are holding them responsible when those tools discriminate, mishandle data, or harm customers. RecentIs your company’s outsourced AI technology leaving it vulnerable to unexpected risk? As enterprises increasingly embed third-party systems into their workflows, technological risk has led to new legal and operational responsibilities. Leaders may have little visibility into how a model was trained or how it changes, yet when it discriminates, mishandles data, or harms a customer, regulators and plaintiffs often look first to the company that deployed it.
You Outsourced the AI—but You Still Own the Risk
Enterprises increasingly deploy AI systems they did not build, yet courts and regulators are holding them responsible when those tools discriminate, mishandle data, or harm customers. Recent lawsuits against Peloton, iTutorGroup, Workday, Cigna, and others show that accountability tends to fall on the organization closest to the end user, not the model provider. To minimize risk, companies need to understand four under‑managed exposures: opacity in upstream models, liability triggered by customization, dependence on hard‑to‑replace vendors, and fragmented regulatory demands. To prevent risk, firms must be more proactive: hard‑wiring transparency into contracts, formally governing customization, designing for portability, and anchoring compliance in frameworks like NIST AI RMF or ISO/IEC 42001 to reduce risk and enable confident AI adoption.








