Not long ago, the conversation about AI in companies focused mainly on capabilities.
- How do we speed up work?
- How do we write better content?
- How do we automate tasks?
- How do we analyse documents faster than before?
- How do we increase teams' productivity?
Today it's increasingly clear that one more question has to be added to that conversation:
what happens if the AI tool our work is starting to depend on is suddenly restricted, blocked or caught up in a regulatory dispute?
This is not an abstract scenario. In recent months the AI market has increasingly shown that the largest models do not operate in a vacuum. They are part of a world of regulation, security, geopolitical tension, intellectual property, export policy and disputes between the biggest technology players.
A good example is the reporting around Anthropic, the Claude models and the Fable and Mythos models.
AI as a business tool and a security factor
According to media reports, the US administration held talks with Anthropic following tensions over access to selected models. In the background were questions of security, the potential use of advanced models and access restrictions.
In parallel, Reuters reported Anthropic's allegations against Alibaba concerning the unauthorised extraction of Claude's capabilities through mass interaction with the system and so-called distillation, that is, an attempt to reproduce the model's abilities based on its answers.
Regardless of the details of these specific cases, an important conclusion follows for business: AI has stopped being merely a convenient tool for office work. The most advanced models have become infrastructure of strategic importance.
And if so, companies using AI must start thinking not only about what a given tool can do, but also about where it comes from, on what terms it operates and what risks come with using it.
An AI vendor is not just a line on an invoice
In many companies, choosing an AI tool happens very simply: someone tests a solution, the tool works well, the team starts using it, and only later does the company realise it has become part of its daily processes.
This is understandable. AI is easy to launch, often available on a subscription model and doesn't require a classic IT deployment. That's exactly why it enters organisations so quickly.
The problem is that an AI vendor is not an ordinary supplier of a note-taking or text-editing app.
An AI tool may process client content, documents, employee data, confidential information, code, strategies, proposals, contracts, recordings, transcripts, reports and operational data. It may support decisions, influence client communication, create sales materials, analyse documentation or suggest actions to employees.
In practice, an AI vendor can become part of the company's chain of accountability.
And that is exactly why it should be assessed deliberately.
The risk doesn't end with the model's wrong answer
When companies think about AI risk, they most often think about hallucinations, wrong answers or data exposure. This is important, but an incomplete view.
AI vendor risk is broader.
It may concern where data is processed, whether the vendor uses client data to train models, what the privacy settings are, how access security works, whether the company can audit, how changes to the model are documented and what happens in the event of an incident.
It may also concern the stability of access. If a tool is restricted, changes its terms of use, withdraws a feature, raises prices, blocks a model or becomes subject to restrictions, a company can suddenly lose part of a process that employees genuinely relied on every day.
This is especially important when an organisation has no alternative, no register of tools and doesn't even know in which processes a given solution is used.
Then the vendor's problem quickly becomes the company's problem.
Vendor risk in AI: questions companies long failed to ask
With classic IT systems, companies have long asked about security, SLAs, data location, GDPR compliance, backups, continuity and the vendor's liability.
With AI, these questions often disappeared.
Tools entered companies faster than procurement procedures. Some appeared from the bottom up, through individual employee accounts. Some were added as a new feature to systems the company already had. Some were tested without a formal decision, because "it's only a pilot."
Except a pilot very easily becomes a standard way of working.
That is why companies should start treating AI vendors as seriously as other key technology suppliers.
This isn't about blocking innovation. It's about basic control: do we know what we use, who the vendor is, what data goes into the tool, what rules apply and what we'll do if access to the solution is restricted.
The AI Act and accountability in the value chain
The AI Act introduces different roles and obligations for entities in the AI value chain. Providers of AI systems may have different obligations than importers, distributors, deployers or providers of general-purpose models.
For many companies, the most important role will be that of a professional user, that is, an organisation that uses AI systems in its activities.
This means a company cannot automatically shift all responsibility onto the vendor.
The vendor should provide appropriate information, documentation, terms of use, safeguards and support. But the organisation is still responsible for how it uses the tool, in which process, on what data and with what impact on people.
That is why choosing an AI vendor should not be solely a purchasing decision. It should be part of risk management.
A register of AI tools as a starting point
You can't assess AI vendor risk if a company doesn't know which tools it uses.
This sounds trivial, but in practice it is one of the biggest problems.
In many organisations the official list of AI tools is shorter than the actual list of solutions in use. Employees use free accounts, trial versions, extensions, generators, assistants built into apps and tools that have undergone no assessment.
That is why the first step should be an AI register.
Not as a bureaucratic table for its own sake, but as a map of dependencies: which tool, which vendor, which department, which purpose, which data, which risk level, who is responsible and what the organisation's decision is.
Only then can you talk about an AI policy, training, acceptances, usage rules and vendor assessment.
Without a register, a company isn't managing AI. It is merely assuming everything is under control.
What should interest a company when choosing an AI tool?
When assessing an AI vendor, it's worth going beyond the question of whether the tool is convenient and effective.
A company should understand what happens to the data, whether the vendor uses it to train models, where it is processed, what the privacy settings are, how data can be deleted, what safeguards the vendor applies and whether the tool is suitable for a specific process.
Limitations matter too. Not every AI tool should be used to work with client documents, personal data, HR processes, legal analysis, financial information or content that requires particular accuracy.
A company should also know what will happen if the service terms change, in the event of an outage, a model restriction, a legal dispute, a change in the vendor's policy or a sudden withdrawal of a feature.
For an organisation that uses AI only as an aid, this may be an inconvenience. For an organisation that has based part of a process on AI, it may be a real operational risk.
The lesson from Anthropic: advanced AI is a high-tension market
The cases around Anthropic, Claude, Fable, Mythos and the allegations concerning Alibaba show one thing: the AI market is not a calm market for office software.
It is a space where business interests, national security, export controls, intellectual property, cybersecurity risk and enormous technological competition meet.
Companies that use AI don't have to follow every dispute between technology giants. But they should understand the trend.
The more AI enters business processes, the more important the question of vendors, continuity and control over data becomes.
This is not a topic for the IT department alone. It is a topic for the board, compliance, the legal department, HR, sales, marketing and every area that uses AI to work with data or decisions.
Where does AI TrustCERT help?
AI TrustCERT helps tackle this problem from the ground up.
Instead of starting with an abstract debate about AI risk, it lets a company ask concrete questions: which tools do we use, who uses them, in which processes, what data is processed, do employees know the rules and do we have evidence that the organisation has addressed this topic.
This matters, because assessing AI vendors makes no sense if a company doesn't know its own use of AI.
AI TrustCERT supports building basic readiness: a register of tools, usage rules, training, acceptances, risk identification and a readiness report.
As a result, an organisation can move from accidental AI use to deliberate management of tools and vendors.
The point isn't to fear every AI solution.
The point is to know what the company is really starting to depend on.
Summary
AI in a company is not just functionality. It is also the vendor, the data, security, continuity and accountability.
The high-profile cases around the largest models show that access to AI can be the subject of disputes, restrictions and decisions made far beyond a company that simply wanted to improve its daily work.
That is why organisations should start with the basics: check which AI tools they use, who provides them, what data goes into them and what will happen if the tool stops being available.
The biggest risk isn't always that AI makes a mistake.
Sometimes it's that the company doesn't know how much it already depends on it.
Sources
- Wired reported on the US administration's talks with Anthropic concerning the Fable 5 and Mythos models and restrictions stemming from security concerns.
- Reuters reported on Anthropic's allegations against Alibaba concerning the alleged mass extraction of Claude's capabilities via distillation using millions of interactions and thousands of accounts.
- The AI Act establishes a risk-based framework for AI systems, covers most professional uses of AI and provides for different roles in the value chain, including providers and organisations using AI in professional activity.
- The study "Responsible AI in Business" indicates that organisations - especially SMEs - should build governance, documentation, secure AI operation, risk assessment and a practical plan for deploying responsible AI.