Author: Richard Curteis - Director

Published: 09/05/2025

Augment, Not Replace: Human Expertise as a Strategic Imperative

  1. 'Augment, Not Replace': Human Expertise as a Strategic Imperative
  2. AI-as-a-Service - Allure and Peril
  3. Vendor Risks: Deprecation and Price Volatility
  4. Building Resilience: The Case for In-House Automation and Diversified AI Solutions
  5. Practical Hedging Strategies for AI Vendor Risks
  6. Conclusion: Charting a Sustainable AI Strategy, Augment, Hedge, and Thrive

TL;DR

AI-as-a-Service (AIaaS) offers compelling benefits but creates hidden dependencies and risks. This article examines how organisations can reduce risk through an 'augment, not replace' doctrine, strategic in-house capabilities, contractual safeguards, and diversified AI solutions. The goal being to leverage AI whilst mitigating the volatility of vendor relationships and shifts in technology and costs.

'Augment, Not Replace': Human Expertise as a Strategic Imperative

As businesses integrate AI into their operations, a critical strategic choice emerges; whether to view AI as a tool to replace human workers or as a means to augment their capabilities. Our thesis promotes an 'augment, not replace' doctrine as a sound strategic imperative for building anti-fragile, innovative, and adaptable organisations.

As reliance on and risk exposure to AI solutions increases, business will by necessity, require a hedging strategy to offset that risk and ensure business continuity and profitability in the event of adverse operational changes. Think of this in the same way that airlines' exposure to oil prices results in some airlines offsetting that risk by hedging oil futures contracts to manage price fluctuations.

AI-as-a-Service - Allure and Peril

The rapid proliferation of Artificial Intelligence (AI) is reshaping industries and redefining how businesses operate. A significant catalyst for this transformation is the rise of AIaaS, cloud-based solutions that allow businesses to leverage frontier models without the substantial upfront investment in infrastructure or specialised expertise typically required to build AI from scratch. There are compelling benefits to the use of AI:

  • Access to sophisticated, pre-trained models for applications like fraud detection and sentiment analysis
  • The potential for dramatically enhanced productivity via automation of repetitive tasks
  • The ability to make more data-driven decisions

For many organisations, AIaaS offers an accelerated path, with over 80% of enterprises expected to adopt AI APIs or applications by 2026. The impact on business operations is already evident, with companies optimising supply chain efficiency, personalising marketing efforts at scale, and enhancing customer service through AI-powered chatbots and assistants.

However, this convenience comes with inherent, often underestimated, risks tied to a deep dependency on external providers. While the immediate functional benefits of AI APIs are clear, the ease of integration can create an illusion of simplicity. This may lead businesses to rapidly incorporate these tools without a proportional investment in understanding the long-term strategic risks. The focus often remains on immediate gains, deferring a thorough assessment of dependencies, vulnerabilities, and the true total cost of ownership until a critical issue arises. This is particularly concerning given the black box nature of some third-party APIs, where visibility into their internal workings and security measures is limited or non-existent. The initial low barrier to entry for many AIaaS offerings can further mask accumulating hidden risks.

Furthermore, the speed of AI adoption and the proliferation of AI tools, often accelerated by AI-assisted development itself, are outpacing the evolution of traditional risk management frameworks. Standard third-party risk management (TPRM) practices may not be adequately equipped to handle the unique and dynamic nature of AI vendor risks. AI is not simply another software category; its capacity to learn and change, the opacity of certain models present novel challenges. Consequently, existing risk management and procurement processes require urgent re-evaluation and adaptation to specifically address AI vendor dependencies, including the potential for model deprecation, unpredictable pricing shifts, vendor lock-in, and the erosion of internal capabilities if AI is viewed as a wholesale replacement rather than a strategic augmentation tool.

Vendor Risks: Deprecation and Price Volatility

The dependency on external AI vendors introduces specific and significant risks, primarily revolving around the stability of service offerings and their associated costs. Businesses must navigate rapidly changing API pricing models and consider the inevitability of model deprecation, both of which can have significant impacts on operational continuity and financial predictability.

The Labyrinth of AI API Pricing

AI API pricing is characterised by its diversity and dynamism, making long-term cost forecasting a significant challenge. Common models include:

  • Pay-as-you-go: This model charges based on actual consumption, frequently calculated per token (a unit of text processed by the AI) or per API request. While offering flexibility for projects with fluctuating workloads or for initial experimentation, it can lead to highly variable and unpredictable costs, especially as usage scales or if request complexity increases.
  • Tiered Pricing: Vendors may offer several pricing tiers, each providing a set number of API calls or computational resources for a fixed fee. This approach can deliver more predictable costs for budgeting. However, businesses can quickly outgrow their current tier, facing substantial cost increases to upgrade. Furthermore, the limits within lower or mid-range tiers may prove insufficient for production-level use, forcing an earlier-than-anticipated jump to more expensive enterprise tiers.
  • Model Complexity as a Cost Driver: A critical factor influencing AI API costs is the sophistication of the underlying AI model. More advanced and capable models, such as GPT-4 compared to GPT-3.5, typically incur significantly higher per-token or per-request costs due to their greater computational requirements. Businesses might be attracted to the capabilities of cutting-edge models without fully accounting for the potentially exponential increase in operational expenses.

Beyond these structural aspects, businesses face the spectre of unforeseen price hikes. The AI industry is seeing massive venture capital investment, and vendors will eventually seek profitability. Initial "teaser rates" or promotional pricing, designed to gain market share, are often not sustainable in the long term. This situation mirrors the trajectory of services like Uber, where low entry pricing was followed by significant cost increases once market dominance was achieved. External economic factors, such as tariffs on essential electronic components for data centres, can also exert upward pressure on cloud and service costs, inevitably passed on to consumers. Moreover, some AI vendors are themselves employing AI-driven dynamic pricing, allowing them to adjust prices in real-time based on market demand, customer usage patterns, or other factors, further diminishing cost predictability.

The cumulative impact of these pricing dynamics on business budgeting and return on investment (ROI) can be severe. Unpredictable and escalating API costs can derail project budgets, erode the anticipated ROI from AI initiatives, and make long-term financial planning for AI-driven transformations exceedingly challenging. Think the startup that makes assumptions about what AWS will cost and wakes up one morning to a £100k bill!

The Inevitability of AI Model Deprecation

Parallel to pricing concerns is the risk of AI model deprecation, where vendors decide to retire or cease support for specific AI models or API versions. The reasons for such decisions are multifaceted:

  • Safety, Security, and Legal Imperatives: Older AI models may lack the updated safety features, security patches, or legal safeguards embedded in newer iterations. They might be more prone to generating biased, harmful, or inaccurate outputs, or infringing on intellectual property rights. To mitigate liability and protect users, developers may choose to deprecate these riskier models.
  • Financial and Operational Costs for Vendors: Maintaining a portfolio of outdated models incurs ongoing costs for vendors, including hardware resources, customer support, and the opportunity costs of diverting engineering talent from newer products.
  • Strategic Obsolescence and Technical Evolution: Vendors may deprecate older models to encourage user migration to newer, potentially more profitable, or strategically aligned versions. The rapid pace of AI development means that models can quickly become technically outdated, with newer architectures offering superior performance or efficiency. Sometimes, specific features within an API are phased out rather than the entire API.

The business impact of model deprecation can be substantial:

  • Forced Migrations and Operational Disruption: Businesses that have built applications and workflows around a specific AI model or API version face sudden and often uncontrolled transitions when that service is deprecated. This necessitates redevelopment, retesting, and reintegration efforts, potentially leading to significant downtime and diversion of resources. The timeline for these migrations is dictated by the vendor, not the user.
  • Loss of Functionality and Knowledge Gaps: Newer models or API versions are not always perfect substitutes for their predecessors. Businesses may experience a loss of specific functionalities, performance characteristics, or nuanced behaviours upon which their applications relied. Furthermore, the removal of older models hinders historical research, the replication of previous findings, and comparative studies on AI evolution.
  • Wasted Investment: Significant time, effort, and financial resources invested in developing solutions around an API can be rendered obsolete if that API is deprecated without a clear, effective, and economically viable migration path.

The risks of price hikes and model deprecation are not always isolated. A vendor might strategically increase the price of an older, less efficient model to incentivise users to migrate to a newer, perhaps initially more attractively priced (but ultimately more expensive or differently structured) offering, effectively creating a "double-whammy" of cost pressure and impending service discontinuity. The lack of long-term roadmap transparency from some AIaaS providers exacerbates this uncertainty, making it difficult for businesses to plan effectively.

Another layer of complexity arises from how AI vendors define value metrics in their pricing structures. While tying costs to the value a customer receives seems equitable, it can become a trap. If an AI tool's cost scales directly with a core business activity or success metric (e.g., number of transactions processed, customer interactions handled), then as the business grows and becomes more reliant on the AI, its expenditure on that tool can escalate disproportionately. This can lead to a situation where the AI service siphons off a significant portion of the very value it helped create, particularly with granular, usage-based billing models like per-request or per-token charges. Businesses must critically assess how these value metrics are defined and project costs under various growth scenarios to avoid future financial strain.

The current wave of AI model deprecations can also be seen as a symptom of the AI market's immaturity and its extraordinarily rapid pace of evolution. Frequent updates, new model releases, and subsequent retirements of older versions reflect an industry in constant flux, driven by the quest for more capable, safer, and commercially viable solutions. This contrasts sharply with more mature software markets that typically offer longer product support lifecycles. Consequently, businesses integrating AI services must treat them as inherently less stable than traditional enterprise software and proactively build in greater architectural flexibility and strategies to lower switching costs. Long-term, unwavering reliance on any single third-party AI model version is a strategically precarious position.

To better visualise these interconnected challenges, the following matrix outlines some key risks, their potential business impacts, and common contributing factors. This matrix underscores the necessity for businesses to move beyond a purely functional view of AIaaS and adopt a comprehensive risk management perspective.

Risk Type Potential Business Impact Key Contributing Factors from AI APIs
Sudden Price Hikes Budget overruns, reduced ROI, project unviability Per-request/token billing, dynamic pricing by vendor, opaque/unfavourable Terms of Service (ToS), vendor pursuit of profitability
Model/API Deprecation Project disruption, forced redevelopment, loss of critical functionality, wasted investment Lack of long-term support guarantees, short deprecation windows, vendor strategic shifts, technical obsolescence of older models
Service Unavailability/Perf. Degradation Operational failure, loss of revenue, damaged customer trust Insufficient vendor infrastructure, lack of robust SLAs, "preview" mode services, unforeseen technical issues
Vendor Lock-in Reduced agility, inability to innovate freely, dependence on vendor roadmap/pricing Proprietary model formats, limited data export options, deeply integrated specialised APIs, high switching costs
Data Security/Privacy Vulnerabilities Reputational damage, regulatory fines, loss of customer data, IP theft Insufficient vendor security measures, data handling opacity, "black box" models, insecure API endpoints
Table 1: AI API Vendor Risk Matrix
The Human Element in an AI-Driven World

Despite the remarkable advancements in AI, particularly in areas like pattern recognition and data processing, human expertise possesses unique qualities that AI, in its current and foreseeable forms, cannot replicate:

  • Contextual Understanding and Nuance: AI systems excel at identifying correlations within vast datasets but often lack a true understanding of context, subtlety, real-world implications, or common sense. Humans provide this crucial layer of interpretation, discerning meaning from information and understanding the unstated assumptions or nuances that govern complex situations.
  • Ethical Decision-Making and Oversight: AI operates based on algorithms and the data it is trained on; it does not possess an inherent moral compass or ethical judgement. Humans are indispensable for defining ethical guidelines, establishing boundaries for AI use, ensuring fairness, actively mitigating biases (which can be learned from data), and holding AI systems accountable for their outputs and decisions. The European Union's AI Act, for example, explicitly emphasises the need for human oversight in high-risk AI systems.
  • Adaptability and Creative Problem Solving in Novel Situations: AI models are typically trained on historical data and perform best within the parameters of that training. They can struggle when faced with entirely novel situations or "edge cases" that fall outside their learned patterns. Humans, in contrast, possess the ability to adapt to unforeseen circumstances, improvise, and apply creative problem-solving skills to challenges that AI cannot address algorithmically.
  • Goal Definition, Input Curation, and Output Validation: AI systems do not autonomously define their own objectives or independently gather and vet all necessary data from the complex real world. Humans set the goals, curate the input data (with the understanding that "garbage in, garbage out" applies emphatically to AI), and critically evaluate the AI's outputs to ensure they are accurate, relevant, and sensible.
AI as an Empowerment Tool, Not a Human Replacement

The most effective application of AI is as an empowerment tool that amplifies human capabilities. AI can automate tedious, repetitive tasks, analyse large volumes of data to provide actionable insights, and thereby free up human workers to focus on higher-value strategic activities, complex problem-solving, and interpersonal interactions. This symbiotic relationship, where AI handles computational heavy lifting and pattern matching while humans provide strategic direction, ethical oversight, and contextual interpretation, leads to superior outcomes compared to what either humans or AI could achieve in isolation.

The Strategic Value of a Strong Human Core

Embracing the 'augment, not replace' principle directly translates into cultivating and valuing in-house knowledge and a robust human core. This internal strength offers significant strategic advantages:

  • Retaining and Evolving Institutional Knowledge: Over-reliance on external AI "black boxes" for critical functions risks the gradual erosion of vital in-house expertise and skills. If the "how" and "why" of processes are outsourced to an opaque AI, the organisation loses the ability to understand, adapt, and improve those processes independently. A strong human core ensures that this institutional knowledge is retained, continually evolved, and applied effectively.
  • Building Resilience Against External Shocks: A knowledgeable and skilled internal team is far better equipped to respond and adapt if a critical external AI service is suddenly deprecated, its pricing becomes prohibitive, or its performance degrades. These employees understand the underlying business processes and data, and can therefore play a crucial role in evaluating, developing, or integrating alternative solutions, including potentially bringing capabilities in-house.
  • Driving True Innovation and Customisation: Internal teams, possessing deep company-specific knowledge and an intimate understanding of business challenges and opportunities, are uniquely positioned to identify high-impact applications for AI. They can guide the development or fine-tuning of AI solutions that are genuinely tailored to the organisation's specific needs and strategic objectives, rather than relying on generic, one-size-fits-all external tools.

Airlines, as an industry, have risk exposure to fluctuations in the price of oil, which can impact on their ability to operate profitably. To offset this, some airlines engage in 'fuel hedging'. Airlines will buy futures contracts for oil to hedge against volatile prices and manage operating costs. This practice helps stabilise costs and protect against price hikes. For example, in 2024 Southwest Airlines and Air France-KLM saved around $1 billion (USD) through fuel hedging as prices surged.

Investing in human expertise should be viewed as creating the ultimate "living hedge" against the volatility inherent in the AI vendor landscape. While contractual and technological hedges offer certain protections, a skilled, adaptable human workforce provides a dynamic and resilient defence. If an AI API undergoes unwelcome changes in pricing or functionality, or is deprecated entirely, it is the humans with domain expertise, critical thinking, and problem-solving skills who can analyse the impact, devise effective workarounds, evaluate alternative services, or even spearhead the development of in-house replacements. Their knowledge and adaptability are not constrained by a vendor's terms of service or product roadmap. Thus, continuous investment in employee learning, upskilling, and fostering a deep understanding of how AI can be applied and overseen is a critical, yet perhaps often undervalued, risk mitigation strategy. It's not merely about teaching employees to use AI tools, but to understand their underlying principles, limitations, and strategic implications.

Crucially, the 'augment not replace' philosophy serves as a direct countermeasure to the risk of vendor lock-in. If a business aggressively pursues AI as a replacement for human roles, it systematically hollows out its internal capabilities. This deepens its dependency on the AI vendor, leaving the business with little leverage or alternative recourse if that vendor subsequently imposes unfavourable terms, raises prices significantly, or alters service levels. Conversely, an augmentation strategy actively maintains and even enhances human skills and institutional knowledge. This makes the business inherently less susceptible to vendor pressure because the human core remains capable, adaptable, and in control of critical processes and decision-making. The 'augment not replace' principle is therefore not just an operational guideline or an ethical stance; it is a fundamental strategic defence mechanism against the power imbalances that can arise in critical vendor relationships.

However, the benefits of a strong human core can be undermined if the interaction between humans and AI is mismanaged. If employees are not adequately trained to formulate clear instructions for AI, critically evaluate its outputs, understand its inherent limitations, and recognise potential biases or errors, the business not only fails to leverage AI effectively but can also inadvertently amplify internal risks. Poor performance of this "human API" function can lead to flawed AI-generated results, which in turn can cause operational errors, biased decision-making, or even security vulnerabilities if AI outputs are trusted blindly. This internal inefficiency and the potential for AI-induced errors make the business even more vulnerable if external AI APIs also become unreliable or problematic. Therefore, effective AI adoption necessitates a dual focus: diligently managing external vendor risks while concurrently investing in the "human API" through comprehensive training, the establishment of clear operational protocols, and the cultivation of critical thinking skills regarding all AI-generated outputs.

Building Resilience: The Case for In-House Automation and Diversified AI Solutions

To effectively hedge against the risks posed by over-reliance on third-party AI APIs, businesses must cultivate internal strengths. This involves leveraging the power of reliable, auditable, controllable code-based automation for core processes and strategically exploring diversified AI solutions, including open-source models. This approach, underpinned by a strong human core, forms the bedrock of a resilient and adaptable AI strategy.

Reliable, Auditable and Controllable: Code-Based Automation

Internally developed and managed code-based automation offers distinct advantages over a primary reliance on external AI APIs, particularly in terms of stability, control, security, cost-effectiveness, and customisation:

  • Stability and Predictability: Unlike the potential volatility of third-party AI API pricing and the abruptness of service deprecation, internally developed automation systems offer greater stability. Maintenance costs are more predictable, and the lifecycle of the automation is determined by the business's own strategic decisions, not those of an external vendor.
  • Security and Control: In-house automation ensures that sensitive data and critical business logic remain within the organisation's direct control. This significantly enhances data security, privacy, and regulatory compliance, especially when dealing with confidential customer or proprietary information. External APIs, particularly if not rigorously secured, can represent a significant attack surface.
  • Cost-Effectiveness in the Long Run: While the initial development of bespoke automation solutions may require an upfront investment in time and resources, they can prove substantially more cost-effective in the long term compared to escalating API subscription fees or per-transaction charges, especially for high-volume, repetitive tasks. While Robotic Process Automation (RPA) tools can be quicker to implement for UI-level automation, they often prove less reliable, more brittle to UI changes, and potentially more costly to maintain over time than robust, API-based or backend in-house automation.
  • Deep Customisation and Integration: In-house solutions can be meticulously tailored to the organisation's unique business processes, workflows, and existing technology stack. This level of deep integration and customisation is often difficult, if not impossible, to achieve with generic, off-the-shelf third-party APIs designed to serve a broad market.
Exploring Open-Source AI Models as a Strategic Alternative

Open-source AI models present another avenue for businesses seeking to reduce dependency on proprietary third-party AI services. They offer a different balance of benefits and responsibilities:

Benefits of Open-Source AI:

  • Potential Cost Savings: The models themselves are typically free of licensing fees, which can be a significant advantage. For organisations with high prediction volumes, the total cost of ownership for a self-hosted open-source model can be lower than commercial API fees over time, despite infrastructure and expertise costs.
  • Enhanced Customisation and Control: Full access to the model's source code and architecture allows for deep customisation, fine-tuning on proprietary datasets, and modification to suit very specific business requirements.
  • Increased Transparency and Auditability: The open nature of the code and, in some cases, training methodologies allows for greater scrutiny of how the model works, aiding in understanding its behaviour, identifying potential biases, and facilitating audits.
  • Reduced Vendor Lock-in: Businesses gain greater freedom to modify the models, choose their deployment infrastructure, and potentially switch between different open-source options or support communities without being tied to a single commercial vendor's ecosystem.

Challenges of Open-Source AI:

  • Requirement for Significant In-House Expertise: Successfully deploying, maintaining, fine-tuning, and supporting open-source AI models demands a high level of specialised in-house talent, including machine learning engineers and data scientists.
  • Infrastructure Investment and Management: Hosting these models, especially large language models (LLMs), can require substantial upfront and ongoing investment in powerful computing resources and the expertise to manage this infrastructure.
  • Support and Maintenance Burden: Unlike commercial offerings, there are typically no formal service level agreements (SLAs) or dedicated vendor support channels. Businesses rely on community support, which can be variable, or must shoulder the full burden of maintenance, updates, and bug fixes internally.
  • Security, Compliance, and IP Risks: Concerns may arise regarding the security of the open-source code, ensuring regulatory compliance (especially with data used for fine-tuning), and understanding the intellectual property implications of the model's training data and outputs.
Mitigating Vendor Lock-in: Strategies for Portability and Diversification

Vendor lock-in occurs when a business becomes so dependent on a specific vendor's products or services that switching to an alternative becomes prohibitively costly or technically complex. Several strategies can mitigate this risk:

  • Adopt Open Standards and Standard APIs: Whenever feasible, design internal systems and integrations to use widely accepted open standards and generic API protocols (e.g., REST, GraphQL). This makes it easier to swap out underlying components or services from different vendors without major re-engineering.
  • Abstract Vendor-Specific Functionality: Develop an internal abstraction layer, such as a set of internal libraries or APIs that act as an intermediary between your core business applications and external vendor services. If an external AI service needs to be replaced, only this internal wrapper needs to be updated to connect to a new provider, shielding the core applications from direct changes.
  • Prioritise Data Portability: Maintain control over your data. Avoid proprietary data formats that can only be read or processed by the vendor's tools. Ensure that contracts explicitly grant the right to export all business data in a usable, standard format upon termination of the service, and clarify any associated costs or technical hurdles.
  • Embrace Modular Design: Architect applications in a modular fashion, where different functionalities (especially those reliant on external AI) are encapsulated as distinct components. This allows a specific AI component (e.g., a particular sentiment analysis API or a specific LLM) to be replaced with an alternative with minimal disruption to the rest of the system.
  • Implement a Multi-Cloud or Multi-Vendor Strategy: Avoid concentrating all critical AI dependencies with a single cloud provider or AI vendor. Distributing workloads or utilising a portfolio of AI services from different providers can reduce the impact if one vendor relationship becomes problematic. This can also involve strategically blending commercial AI APIs with self-hosted open-source models for different tasks.

The development and maintenance of effective in-house code-based automation, as well as the successful deployment and customisation of open-source AI solutions, are not isolated endeavours. They both depend heavily on the cultivation of the in-house human expertise discussed previously. These are not separate strategic pillars but are deeply intertwined. A strong, skilled human core is the enabling force behind the creation and sustained operation of these resilient internal systems. Therefore, businesses should perceive investment in their technical teams not merely as an operational expense but as a direct and crucial investment in building robust hedges against the array of external AI vendor risks. The very skills required to build and maintain dependable internal automation are also those needed to critically evaluate, securely integrate, effectively manage, and, if necessary, replace third-party AI services.

While open-source AI offers a compelling alternative to escape commercial vendor lock-in and recurring licensing fees, it is not a panacea. Adopting open-source solutions introduces its own set of dependencies, such as reliance on community support, the need for internal expertise for ongoing maintenance and security, and potential risks related to the provenance of training data or embedded vulnerabilities. It represents a strategic shift in the type of risk and dependency an organisation takes on, rather than a complete elimination of external reliance. Consequently, a move towards open-source AI necessitates a clear-eyed assessment of the organisation's internal capacity to manage these new responsibilities and risks effectively. It remains a strategic choice that trades one set of challenges for another and still underscores the fundamental need for a strong internal technical team.

Furthermore, proactive architectural design serves as a powerful preemptive hedge. Strategies such as abstracting vendor-specific functionality and adopting a modular system design yield the greatest benefits when they are embedded into the system architecture from the very outset, before an organisation becomes deeply entrenched with a particular AI vendor or service. Attempting to retrofit these architectural patterns onto mature, heavily integrated systems can be significantly more costly, complex, and disruptive. Therefore, businesses should champion "design for replaceability" and "design for portability" as core tenets in their AI system architecture planning, even when initially opting for the convenience of third-party APIs. This foresight acts as a potent, low-cost early hedge against future vendor-related turbulence.

This comparison highlights that while third-party APIs offer rapid deployment, a strategy centred on a robust in-house human core combined with custom code-based automation, potentially augmented by strategically chosen open-source AI, provides superior long-term resilience, control, and cost predictability. The following table provides a comparative overview of how different AI adoption approaches fare against key resilience factors.

Resilience Factor Heavy Reliance on Third-Party Proprietary AI APIs Strategic Use of Open-Source AI (Self-Managed) Robust In-House Human Core + Custom Code-Based Automation
Cost Predictability Low (Vendor-Dependent, Usage-Based) Medium (Infrastructure/Expertise Costs) High (Internally Controlled)
Control over Deprecation/Obsolescence Low (Vendor-Dictated) High (Community/Self-Driven) Very High (Internally Controlled)
Customisation Depth Low to Medium (API Limitations) Very High (Source Code Access) Very High (Bespoke Development)
Data Governance & Security Control Medium (Vendor-Reliant, Contractual) High (Self-Hosted, Configurable) Very High (Internal Systems)
Long-term Stability & Support Low to Medium (Vendor Viability/Policy) Medium (Community/In-House Effort) High (Internal Commitment)
Susceptibility to Vendor Lock-in High Low Very Low
Speed of Initial Deployment High Medium to Low Low to Medium
Upfront Investment Low Medium (Infrastructure, Initial Expertise) Medium to High (Development Effort)
Ongoing Need for Specialised In-house Expertise Low to Medium (Integration, Oversight) High (ML Engineering, Maintenance) High (Development, Maintenance, Domain Expertise)
Table 2: Comparative Resilience Strategies: Third-Party AI vs. In-House Core

Practical Hedging Strategies for AI Vendor Risks

Beyond fostering internal capabilities, businesses can implement a range of practical hedging strategies to mitigate the risks associated with AI vendor dependencies. These strategies span contractual safeguards, operational resilience planning, technological design choices, and robust third-party risk management.

Contractual Fortification

The terms of agreement with AI service providers are a critical, though not sole, line of defence. Careful negotiation and scrutiny of contracts can provide significant protections:

  • Service Level Agreements (SLAs): Demand clear, measurable, and meaningful SLAs covering uptime, performance benchmarks (e.g., response times, accuracy if applicable), and support response times for different issue severities. The contract should explicitly define remedies or penalties for SLA failures, such as service credits or termination rights. While some AIaaS products, particularly those in "preview" or beta stages, may be offered without fixed SLAs, relying on such services for critical business functions introduces significant unmitigated risk.
  • Price Protection and Cost Predictability Clauses: Negotiate for transparent pricing models, caps on annual price increases, and clear terms for contract renewals. Ensure all potential fees, including overage charges or costs for additional features/support, are explicitly detailed. Be particularly wary of automatic renewal clauses that may lock the business into higher prices without an opportunity for renegotiation.
  • Deprecation Notices and Migration Support: Secure contractual commitments for ample advance notice regarding the deprecation of any API, model, or significant feature—ideally 12-24 months or longer. The agreement should also stipulate the level of support the vendor will provide for migration to newer versions or alternative solutions, including technical assistance and documentation.
  • Data Ownership, Portability, and Exit Rights: The contract must unequivocally state that the business retains ownership of its data. Crucially, it should guarantee the right and ability to extract all data in a usable, non-proprietary format (e.g., CSV, JSON) upon contract termination or expiration. Clarify any costs, technical limitations, or time restrictions associated with data retrieval.
  • Intellectual Property (IP) Rights: Clearly define the ownership of intellectual property generated by or in conjunction with the AI tool. This is especially important for outputs from generative AI models, custom fine-tuned models, or any derivative works created using the service.
  • Liability and Indemnification: Scrutinise limitation of liability clauses carefully. AIaaS providers often attempt to cap their liability at the value of fees paid over a limited period (e.g., 12 months). Negotiate for higher caps or specific carve-outs for critical incidents like data breaches, gross negligence, willful misconduct, or IP infringement caused by the AI service. Understand the scope of indemnification offered by the vendor, as AIaaS terms may offer less customer protection than traditional SaaS agreements.
Operational Resilience: Planning for Disruption

Proactive planning can significantly reduce the impact of AI service disruptions:

  • Business Continuity Planning (BCP) for AI Service Disruption: Identify all critical business functions that rely on third-party AI APIs. For each dependency, develop detailed contingency plans to address scenarios such as API unavailability, significant performance degradation, data corruption, or sudden deprecation. These plans should outline manual workarounds, identify alternative vendors or services, and detail the process for activating in-house fallback solutions.
  • Regular Risk Assessments and Continuous Monitoring: Implement processes to continuously monitor AI API performance, usage patterns, and associated costs. Track vendor announcements, financial stability, and market reputation for early warnings of potential issues like price changes, service alterations, or impending deprecation.
  • Tailored Incident Response Plans: Develop and regularly test incident response plans specifically for AI-related security breaches (e.g., data exfiltration via a compromised API), critical failures (e.g., an AI making harmful decisions), or unexpected outputs (e.g., generation of biased or inappropriate content).
Technological Hedges: Designing for Adaptability

Architectural choices made during system design can inherently reduce dependency and improve resilience:

  • Modular System Architecture: As emphasised previously, design applications such that AI-dependent components are loosely coupled and can be replaced or upgraded with minimal impact on the rest of the system.
  • Source Code Escrow for Critical AI Models: For truly business-critical, non-replaceable third-party AI models where the vendor is unwilling or unable to provide sufficient long-term assurances, consider negotiating a source code escrow agreement. This arrangement involves the vendor depositing the model's source code, relevant data schemas, build instructions, deployment scripts, and essential documentation with a neutral third-party escrow agent. The materials would be released to the business under predefined conditions, such as vendor bankruptcy, failure to support the product, or discontinuation of the service. Escrow agreements for AI must be carefully tailored to address unique aspects like data privacy, model governance, and the complexities of AI model dependencies.
  • Developing an "AI Abstraction Layer": Consider creating an internal API gateway or abstraction layer that mediates all communication between your business applications and external AI services. Applications call this internal layer, which then routes requests to the appropriate external AI provider. This architecture allows the business to switch underlying AI providers by reconfiguring the abstraction layer, without needing to recode each individual application that consumes the AI service.
Robust Third-Party Risk Management (TPRM)

Traditional TPRM frameworks must be enhanced to address the unique risks posed by AI vendors:

  • AI-Specific Due Diligence: TPRM processes must incorporate AI-specific criteria when evaluating vendors. This includes assessing the vendor's AI governance practices, data sourcing and handling policies, model transparency and explainability, security measures for AI systems (including protection against adversarial attacks), history of API deprecation and pricing stability, and their approach to ethical AI development.
  • Comprehensive AI Inventory and Risk Categorisation: Maintain a detailed inventory of all third-party AI services used across the organisation. Categorise these services based on their criticality to business operations, the sensitivity of data they process, and their overall risk profile. This allows for a tiered approach to oversight, focusing more intensive scrutiny on high-risk AI dependencies.
  • Continuous Monitoring and Dynamic Reassessment: AI technologies and the associated risk landscape are constantly evolving. Implement mechanisms for continuous monitoring of AI vendors' performance, security posture, and compliance. Regularly reassess the risk exposure associated with each AI service, particularly when vendors announce significant changes or new vulnerabilities are discovered.
  • Alignment with Established AI Risk Frameworks: Leverage established frameworks such as the NIST AI Risk Management Framework (AI RMF) or Gartner's AI Trust, Risk, and Security Management (AI TRiSM) model to structure and mature the organisation's AI risk management practices and ensure a comprehensive approach.

While robust contractual safeguards are a crucial first step, they are, by nature, reactive. Enforcement can be slow, costly, and may not fully compensate for business disruption if a vendor fails or makes a strategic decision that negatively impacts its customers (e.g., deprecating a widely used model). Thus, contracts are necessary but insufficient on their own. They must be complemented by proactive operational and technological hedges, such as strong in-house capabilities, modular system design, and the strategic use of open-source alternatives, to provide true, multi-layered resilience.

The concept of source code escrow offers an additional layer of protection, but it comes with its own complexities, particularly for sophisticated AI models. For highly intricate AI systems that are constantly evolving and trained on massive, proprietary datasets, merely possessing the source code might be of limited practical value. The ability to run, maintain, debug, or retrain such a model often depends on access to the specific version of the training data, intricate knowledge of dependencies, highly specialised talent, and the massive computational infrastructure originally used by the vendor. The "accompanying documentation" and "deployment scripts" mentioned in escrow literature become critically important and potentially vast in scope for AI. Therefore, escrow is a significant undertaking, best reserved for truly critical, well-understood, and potentially self-hostable components. Its effectiveness as a hedge diminishes with the increasing complexity, data-dependency, and proprietary nature of the AI model and its training environment. Thorough verification of escrow deposits, ensuring completeness and usability, is paramount but can also be resource-intensive.

Finally, the rapid proliferation of AI tools, often adopted in a decentralised manner by various business units (a phenomenon termed "AI Creep"), can severely strain traditional, often manual, TPRM processes. The sheer volume of AI services being adopted, coupled with the unique nature of their risks (e.g., data privacy concerns with LLMs, potential for model bias, "hallucinations," intellectual property issues), demands more scalable, specialised, and often automated TPRM approaches. Organisations may need to invest in AI-powered tools to help manage the risks from other AI tools, establish clear and enforceable AI usage policies across the enterprise, and potentially form dedicated AI governance committees or centres of excellence to oversee AI adoption and risk management.

Conclusion: Charting a Sustainable AI Strategy, Augment, Hedge, and Thrive

The integration of AI into business operations offers transformative potential, promising unprecedented efficiencies, enhanced decision-making, and new avenues for innovation. However, as this report has detailed, an over-reliance on third-party AI vendors, particularly through AIaaS models, introduces significant and often underestimated risks. These primarily revolve around unpredictable and escalating costs, the abrupt deprecation or alteration of critical AI models and APIs, and the pervasive threat of vendor lock-in, which can stifle agility and expose businesses to the strategic whims of their providers.

To navigate this successfully, a fundamental shift in perspective is required. The cornerstone of a resilient and innovative AI strategy lies in embracing the 'augment, not replace' philosophy. Human expertise, characterised by contextual understanding, ethical judgement, adaptability, and strategic oversight, remains irreplaceable. AI should serve as a powerful tool to empower and amplify these human capabilities, not to supplant them. This philosophical stance is not merely an ethical consideration; it is a potent strategic hedge against vendor dependency, ensuring that critical institutional knowledge and operational control remain within the organisation.

Given the volatility of the AIaaS market, proactive hedging is not an optional adjunct but an essential component of a sustainable AI strategy. This involves a multi-pronged approach:

  • Cultivating a Strong Human Core: Investing in the skills, training, and continuous learning of employees to understand, manage, and critically evaluate AI systems.
  • Developing In-House Controllable Automation: Building and maintaining robust, independent automation for critical business functions, using reliable code-based solutions that are not subject to external vendor control or pricing fluctuations.
  • Strategic Adoption of Open-Source AI: Carefully evaluating and, where appropriate, leveraging open-source AI models to gain greater control and customisation, while being cognizant of the associated responsibilities for infrastructure, expertise, and support.
  • Robust Contractual Safeguards: Diligently negotiating contracts with AI vendors to include protections related to pricing, service levels, data ownership, deprecation, and liability.
  • Adaptive Technological Design: Architecting systems with modularity and abstraction layers to facilitate the replacement or diversification of AI components as needed.

Businesses are urged to undertake the following actions to chart a more sustainable and resilient path in the AI era:

  • Conduct a Comprehensive Audit: Perform a thorough audit of all current AI dependencies, identifying reliance on third-party vendors, assessing the criticality of these services, and evaluating exposure to the risks of price hikes, deprecation, and lock-in.
  • Invest in Internal Capabilities: Prioritise investment in developing in-house talent capable of building, managing, and overseeing AI systems. Concurrently, identify core processes where robust, independent, code-based automation can provide long-term stability and cost-effectiveness.
  • Implement AI-Specific Governance and TPRM: Establish clear AI usage policies, governance frameworks, and an enhanced Third-Party Risk Management programme specifically designed to address the unique challenges posed by AI vendors. This includes AI-specific due diligence and continuous monitoring.
  • Foster a Culture of Continuous Learning and Adaptation: The AI landscape will continue to evolve rapidly. Cultivate an organisational culture that embraces continuous learning, critical thinking about AI, and agility in adapting to new technologies and risks.
  • Strive for a Balanced AI Portfolio: Aim for a strategically diversified AI portfolio that judiciously combines the innovative potential of third-party services with the resilience and control offered by in-house capabilities and open-source alternatives.

Ultimately, businesses that proactively implement hedging strategies will not only be more resilient to the inevitable shocks and changes in the AI vendor ecosystem but will also find themselves in a stronger competitive position. Effective AI risk management, rooted in the 'augment not replace' principle, transforms from a purely defensive posture into an offensive strategy. It enables organisations to leverage AI more sustainably, confidently, and effectively than competitors who remain passively dependent on external providers. This allows for greater agility in innovation, as businesses are less constrained by vendor roadmaps or pricing models, and better able to tailor AI solutions to their unique strategic imperatives.

Furthermore, the very definition of what constitutes a "core" versus "non-core" business function is being reshaped by AI. Functions that might appear peripheral today could become strategically vital tomorrow if they are deeply infused with AI capabilities that deliver a distinct competitive advantage. Over-relying on a third-party AI for such an evolving function could inadvertently mean outsourcing a future core competency. A dynamic, forward-looking approach is therefore essential in defining which capabilities warrant the protection and cultivation of in-house expertise and internally controlled automation. The 'augment not replace' principle should guide these critical decisions, ensuring that irreplaceable human knowledge and strategic control are always maintained around these evolving core functions, allowing businesses not just to survive the AI revolution, but to thrive within it.

Our Mission

To provide information security services, affordably and at scale, through innovative use of software development, automation and AI driven solutions.

Company
Compliance
Legal
  • © Realize Security Ltd. 2025
  • |
  • Company Number: 12606876
  • |
  • VAT No.: GB466083379