Key Takeaways
- Understand the dual defensibility challenge: You must be prepared to defend both your use of AI and your decision not to use it more extensively.
- Know AI’s strengths and limitations: Excellent for repetitive tasks, document comparison, and broadening research scope. Weak at interpreting timelines, reaching paywalled records, and tasks requiring nuanced judgement.
- Never deploy AI without review protocols: Experienced human oversight isn’t optional; it’s where accountability lives.
- Prioritise data quality: AI that draws on curated, authenticated datasets vastly outperforms AI that draws on the unfiltered open web.
- Prepare for constant evolution: Model behavior changes across versions. Your governance framework must include processes for evaluating and adapting to these changes.
- Focus on explainability: If you can’t trace how AI reached a conclusion, you can’t defend that conclusion to a regulator.
Picture this: Your compliance team needs to screen 1,000 third-party suppliers, but you have the budget and bandwidth to thoroughly review 50. An AI tool promises to handle the full thousand in a fraction of the time. Do you trust it? Do you have a choice? And when a regulator comes knocking, which decision will be harder to defend: using AI, or not using it?
This scenario encapsulates the theme of our most recent webinar, which explored AI and its role in due diligence. Should we hand critical judgement calls and research to AI? Or do we risk undervaluing irreplaceable human expertise?
With GTI’s Matthew Hunt moderating, Moritz Homann, Director Product Innovation & AI at EQS Group, and Vladislav Manyukhin, Ethics & Compliance Professional, explored whether AI represents the future of third-party risk management or a dangerous over-reliance on unpredictable technology.
Despite their assigned roles as “Sceptic” (Homann) and “Evangelist” (Manyukhin), what emerged was a nuanced conversation that revealed both the genuine promise and the limitations of AI in compliance work.
This is how it played out…
The Evangelist’s view: AI as a practical force multiplier
From one perspective, AI’s value is immediate and tangible. Much of due diligence is dominated by repetitive, structured tasks: cross-checking questionnaire responses against contracts, reviewing onboarding documents, summarising conversations, managing investigator notes, or scanning publicly available information for obvious red flags. These activities consume disproportionate amounts of time. AI handles them with speed, consistency, and scale.
This acceleration has real strategic significance. Many teams face headcount constraints while regulators expect wider, deeper assessments. When AI can screen hundreds – or thousands – of suppliers in the time a human team can manage a few dozen, the traditional boundaries of what is “practical” expand dramatically.
As Manyukhin put it: “If you think of modern fishermen who may use all the technologies to see where there is more efficiency… what the weather forecast is, what the feeding habits are, none of these technologies actually help you catch a fish. However, what they do is they help you take your boat out in the best possible conditions… at the best possible time, in the best possible place that you have the highest chance of catching this fish.”
In this framing, AI is not replacing judgement; it is clearing the path for humans to apply that judgement more effectively.
At heart, the acceleration view sees AI as the only realistic way for compliance teams to keep pace with rising expectations without turning into cost centres that devour operational budgets. AI helps teams do more, see more, and catch more – all while preserving human decision-making where it matters.
The Sceptic’s view: AI as an unpredictable actor
The counter-view begins with an observation: large language models do not behave like traditional software. They are non-deterministic systems. Under the sampling settings most vendors ship by default, the same prompt can produce a different answer on each run, so a result cannot simply be re-run to confirm it.
Homann explained: “That means in simple terms that you can never know what you will get out of it, even if you feed it with exactly the same question on exactly the same day to exactly the same AI model with maybe just a split second difference.”
And while their reasoning capabilities are improving, longer reasoning chains introduce more surface area for error – including hallucinations, misplaced assumptions, or invented connections that look authoritative but are fundamentally wrong.
For compliance teams, this is not an abstract concern. Due diligence relies on consistency, traceability, and the ability to explain how conclusions were reached. When an AI model blends data sources, weighs events incorrectly, or struggles to judge recency and relevance, the output becomes difficult to defend, especially if the underlying decision requires audit-ready documentation. There is also a practical limitation: much of the information needed for due diligence (company registration records, director data, shareholder information) sits behind paywalls that AI models often cannot access, so an answer that looks complete may simply reflect what was freely available.
A particular weakness lies in the way models handle dates and timelines. They often prioritise older, information-dense sources over more recent developments that should carry greater risk significance. Governance structures, ownership, allegations, or legal actions may have changed dramatically since those older events, yet the model may still treat the historical source as more authoritative.
Inexperienced due diligence professionals may be especially at risk of over-reliance. Experienced practitioners know what to look for when reviewing the output; less experienced users may take the results at face value. If a system appears confident, users may assume the answer is complete, when in reality critical context could be missing.
From this viewpoint, AI introduces a different type of risk: that organisations deploy it to meet efficiency pressures without fully understanding its behavioural limits, and then fail to maintain adequate human oversight. And critically, regulators continue to insist that accountability rests with the organisation, not the system it uses. The human remains the final checkpoint.
The dual defensibility challenge
Both views converge on a subtle but important dilemma: organisations now face two competing defensibility risks.
First, there is the defensibility of using AI. Poor oversight, opaque outputs, or excessive automation can undermine the credibility of a compliance program.
Second, there is the defensibility of not using AI. Regulators – particularly in technology-driven sectors – increasingly challenge organisations that fail to leverage available tools to surface basic risk indicators. When issues are missed because a team lacked the capacity to review more than a fraction of suppliers, that too can be difficult to justify.
This tension is shaping a shift in expectations. The goal is no longer to decide whether AI belongs in third-party risk, but to determine how to integrate it responsibly, proportionately, and transparently.
Where the perspectives align
Despite differing starting points, the webinar surfaced strong areas of agreement.
Data quality is the foundation. AI behaves far more reliably when it draws from curated, authenticated, and purpose-built datasets rather than the unfiltered open web. The more structured the data, the stronger the model’s consistency and the lower the hallucination risk.
Human–AI collaboration is essential. AI should surface anomalies, gather evidence, highlight contradictions, and broaden the investigative aperture. Humans should interpret nuance, validate findings, challenge outputs, and document the rationale for decisions. Neither viewpoint argues for full automation; both emphasise that judgement cannot be outsourced.
Explainability and transparency are non-negotiable. Compliance teams must be able to trace what the model looked at, how it weighted sources, where uncertainty lies, and which elements require human intervention. Without this, neither internal nor external stakeholders can trust the result.
Governance must adapt to a moving target. Models evolve; regulators evolve; risk landscapes evolve. Organisations need controls, playbooks, and escalation paths that can flex as the technology matures. When models change behaviour across versions – as they often do – compliance functions must detect and respond quickly.
The shared conclusion is clear: AI in third-party risk is powerful, but it must be deployed with structure, literacy, and transparency.
A measured path forward
The future of due diligence is neither purely automated nor stubbornly manual. It is AI-enabled and human-led. AI will increasingly handle the heavy lifting – scanning, summarising, comparing, extracting, and organising. It will become more interactive, more willing to admit uncertainty, and more capable of breaking problems into interpretable steps. Humans will remain accountable for what counts: interpreting risk and making defensible decisions.
Organisations that thrive will not treat AI as a shortcut. They will treat it as a governed capability: informed by curated data, supported by clear oversight, reinforced by explainability, and integrated into existing compliance due diligence frameworks.
This balanced approach not only expands capacity – it strengthens defensibility. And as third-party ecosystems become more complex, that combination of efficiency and assurance will define the next generation of best-practice due diligence systems.