The Vendor Defence Is Dead: Why UK Professional Services Can't Blame AI Suppliers Anymore
For years, a quiet assumption has underpinned how many professional services firms approach AI risk: if something goes wrong, it is the software provider's problem. The tool misbehaved, the algorithm was flawed, the vendor failed to disclose a limitation. Responsibility, in this framing, flows upstream to the developer and away from the firm that deployed the product.
That assumption is no longer tenable. Regulators, courts, and enforcement agencies across the UK, EU, and beyond have now established a clear principle: the organisation that deploys an AI system is liable for what that system does. The vendor defence is dead, and professional services firms — accountants, solicitors, HR consultancies, marketing agencies — are among the most exposed.
What "Deployer Liability" Actually Means
The shift is not theoretical. Under the EU AI Act, whose initial provisions took effect on 2 February 2025, obligations are explicitly placed on deployers — the businesses that put AI systems to work — not only on developers. When the Act's high-risk system requirements become fully enforceable on 2 August 2026, the maximum penalties will reach €35 million or 7% of global annual turnover. Ignorance of what your AI tools are doing under the bonnet will not constitute a defence.
In the UK, the Data (Use and Access) Act 2025 is reshaping the legal framework around automated decision-making, tightening obligations that already existed under UK GDPR. The ICO has demonstrated it is willing to hold deployers directly accountable: Advanced Computer Software Group was fined £3 million for security failures, and Reddit received a £14.47 million penalty for children's privacy violations. Neither fine was directed at the underlying technology's creator. Both landed on the organisation responsible for how data was handled in practice.
The message is consistent across jurisdictions. If you use the tool, you own the outcome.
The Three Enforcement Fronts You Need to Understand
Deceptive Marketing and AI-Washing
Firms that overstate the capability of AI-driven services face active scrutiny. The FTC's "Operation AI Comply" in the United States has already penalised companies for deceptive "AI lawyer" claims — DoNotPay being the most prominent example. UK marketing agencies and legal tech businesses promoting AI-enhanced services should treat this as a direct warning. The Advertising Standards Authority and the Competition and Markets Authority are both capable of taking a similar interest in inflated AI claims, and the reputational damage from an AI-washing investigation would be severe in a sector built on professional trust.
Data Privacy and Automated Decision-Making Fines
European regulators have demonstrated a willingness to issue penalties that are genuinely punishing in scale. A €30.5 million fine against Clearview AI for biometric data scraping and a €492,000 penalty against a financial firm for automated credit scoring without adequate human oversight signal that AI-adjacent data processing is firmly within regulatory crosshairs. For UK accountancy practices and financial services consultancies using AI-driven client analysis tools, the question is not whether these tools create data protection obligations — they do — but whether those obligations are currently being met.
HR, Recruitment, and Algorithmic Bias
AI-assisted recruitment is a specific and growing area of liability. In the United States, the DOJ has already fined an employer for AI job postings that unlawfully excluded certain applicant categories. Class actions targeting algorithmic screening tools are actively testing whether AI-generated hiring scores trigger existing anti-discrimination and consumer reporting legislation. UK HR consultancies deploying AI screening or assessment tools should not wait for domestic equivalents to materialise. The Equality Act 2010 applies to discriminatory outcomes regardless of whether a human or an algorithm produced them.
The Professional Liability Risks Specific to Legal and Accountancy Firms
Hallucinated Citations and Judicial Sanctions
Courts are losing patience with AI-generated errors submitted as fact. US courts have levied sanctions of $30,000 at appellate level, $59,500 in an Illinois trial court, and $5,000 against a major firm for AI-fabricated case citations. UK courts have not yet produced equivalent penalties, but the Solicitors Regulation Authority is already investigating solicitors for inappropriate ChatGPT use. A single submission containing hallucinated legal authority — presented without verification — could result in sanctions, disciplinary proceedings, and reputational damage that no indemnity policy will fully address. The AI tool's developer will not be standing beside you in that hearing.
Privilege Waiver and Shadow AI
Perhaps the most underappreciated risk in legal and professional services is what happens when staff upload confidential client information into consumer-grade AI tools. In United States v. Heppner, courts established that doing so can constitute a legal waiver of attorney-client privilege. The SRA is actively investigating solicitors for exactly this kind of breach.
The shadow AI problem compounds this risk significantly. When employees use unsanctioned AI tools without the firm's knowledge — and they do, routinely — the firm has no visibility, no governance, and no defence. Research puts the additional breach cost attributable to shadow AI at $670,000, pushing the average data breach cost in professional services to $5.08 million. That is the price of an unwritten policy and an unmonitored workforce.
What Firms Must Do Now
The practical response requires action in three areas.
Governance before deployment. Any AI tool handling client data, influencing professional advice, or informing hiring decisions must be subject to documented assessment before it goes live. That means understanding what data the tool processes, where it is stored, whether outputs require human review, and what the failure modes look like. "We trusted the vendor" is no longer a governance strategy.
Banning unvetted consumer AI. Consumer-grade generative AI tools — including freely available versions of well-known products — are not built for professional services compliance. They lack the data processing agreements, audit trails, and security standards that regulated firms require. A clear, enforced policy prohibiting their use for client-related work is not optional; it is a baseline obligation.
Training and accountability structures. The EU AI Act explicitly mandates AI literacy training for staff. Beyond regulatory compliance, trained staff are the first line of defence against shadow AI proliferation. Firms also need clear accountability — a named individual responsible for AI governance — so that responsibility does not dissolve into collective confusion when something goes wrong.
The Cost of Waiting
The regulatory environment has moved from voluntary guidelines to statutory enforcement with real financial penalties. The vendor defence — the idea that deploying a tool somehow separates a firm from accountability for that tool's conduct — has been dismantled by regulators and courts in parallel. For UK professional services firms, the window for a considered, proactive response is narrowing.
The firms that will manage this well are not necessarily those that avoid AI. They are the ones that deploy it deliberately, govern it rigorously, and document everything.
Ops Intel helps UK professional services firms build AI governance frameworks that are proportionate, enforceable, and audit-ready. If your firm is using AI tools without a documented compliance structure, or if you are unsure whether your current approach meets your obligations under UK GDPR, the AI Act, or sector-specific professional standards, we can help you find out — before a regulator does.