Agentic AI changes supplier due diligence for financial services firms, say experts

A new report published by Pinsent Masons, which explores the implications for financial services firms of suppliers’ use of AI tools to deliver critical services has set out this recommendation.

Agentic AI is a term describing systems set up to act autonomously based on dynamic reasoning, with little or no human input. The Pinsent Masons report highlights how agentic AI blurs the traditional boundary between technology licensing and business process outsourcing and impacts on traditional supplier contracting in financial services.

One way this impact is felt is in relation to the due diligence firms must carry out on suppliers.

Yvonne Dunn of Pinsent Masons, one of the report’s primary authors, said: “Due diligence is a critical precursor to services agreements in the financial services sector. Regulated financial services businesses remain accountable for outsourced activities and associated risks. Therefore, the primary objective of due diligence is to assess whether a supplier can deliver the services in a manner that meets regulatory, operational and commercial requirements throughout the contract lifecycle. Key areas of focus tend to be regulatory and compliance capability, operational resilience, data / information security and financial stability of the supplier. Due diligence then informs the allocation of risk in the contract.”

Luke Scanlon of Pinsent Masons, also a primary author of the report, added: “Where a supplier’s use of a tool is incidental to service delivery, minimal due diligence may be required in respect of that tool. However, where software services are considered critical to a customer’s business, the customer will undertake a higher level of diligence to assess, at a minimum, operational resilience, security controls and regulatory compliance. This will often involve the supplier completing detailed questionnaires, criticality assessments, providing proof of certifications against industry standards and insights into the potential for and assurance against supply chain vulnerabilities.”

The report sets out that when a supplier uses AI to deliver services, the focus of firms should be not on an AI model’s code and how it works but rather on how the supplier verifies its outputs, controls data use, and maintains human oversight. They said, though, that the position is complicated further where it is an agentic AI tool a supplier uses.

“Unlike a passive generative AI tool which produces a summary, an AI agent could, for example, autonomously categorise a risk, trigger a background check, or draft and send a query to a third

party,” said Dunn. “For a financial services business the critical question is not necessarily how the agent works, but the extent of its autonomy.”

“In due diligence, customers should determine whether the supplier uses AI agents to execute tasks that were previously manual and to determine where the human is in this process – it may be that the human remains ‘in-the-loop’, i.e. actively involved, or has shifted to ‘on-the-loop’, i.e. has a supervisory role, or is completely ‘out-of-the-loop’, in which case the process is purely automated. For the latter two categories, the customer will likely require the supplier to implement ‘circuit breakers’ or automated stops that disable the agent if confidence scores drop below a certain threshold or if the agent attempts an action outside of strict parameters,” she said.

Scanlon said customers should also assess AI-specific security controls as a distinct category of due diligence.

“This should include its hardening against prompt injection, model interface access logging, and detection of data extraction or tampering,” he said. “Ideally the supplier’s AI incident response procedures, distinct from its general IT incident response approach, should be reviewed.”

Access the Pinsent Masons report on AI-enabled service delivery