A Succinct Guide to “AI” in Third-Party Due Diligence

I was interested in an XAPIEN publication that claims to be a definitive guide to future-ready third-party due diligence for those who want to modernise third-party risk management without compromising on speed, accuracy, rigour, or control.

• The guide is in 3 parts, and Part 1 is out now.
• https://tinyurl.com/yc2uf2t4
• Part 1 offers
• A practical framework for adopting AI safely in compliance-grade workflows, covering real-world use cases, risk-based processes, and why explainability is now essential.

The following are Comsure’s key takeaways from part 1

Comsure’s key takeaways of part 1 - Demystifying AI's Role in TPDD and Related Workflows

Key AI Definitions in the guide

• General-Purpose AI (e.g., ChatGPT, Copilot): Probabilistic models for creative tasks; prioritise plausibility over accuracy.
• Purpose-Built AI (e.g., Xapien): Engineered for compliance; uses entity disambiguation and verifiable sources for deterministic, audit-ready outputs.
• Explainability: Trace every finding to a source, ensuring reliability and regulatory defensibility.

This guide:

• Draws on expert insights from
• Leaders at Mintz Group, Fulcrum Diligence, and EY,
• Alongside regulatory analysis from the US DOJ, UK FCA, and EU AI Act,
• A case study to illustrate best practices.
• Is targeted at Chief Compliance Officers, Heads of Risk, and Third-Party Risk Managers, and it demystifies AI's role in
• Third-Party Due Diligence (TPDD),
• SCDD (supply chain scrutiny),
• KYC (client verification), and
• AML (financial crime detection),
• Warns against generic tools while advocating for purpose-built solutions to achieve resilient, future-ready programs.

• Show how AI
• Transforms TPDD by automating data-intensive tasks,
• Enabling faster onboarding,
• Broader coverage, and
• Lower costs while maintaining regulatory confidence.
• Emphasises governance, technology, and operations to manage risks from agents, distributors, partners, and suppliers.
• Reminds us that AI
• Excels in summarisation and triage
• Cannot replace human intuition for cultural context or physical audits.

Meaning of  summarisation and triage

Summarisation

• AI can quickly read large amounts of text—emails, documents, reports, chats—and turn them into short, clear summaries.
• Example:
• Long email thread → short bullet points
• 50-page report → key themes in a paragraph
• Meeting transcript → action points + decisions

Triage

• “Triage” means sorting, prioritising, or categorising information so the most important things get attention first.
• AI can, for example:
• Identify which emails are urgent
• Sort client queries by risk level
• Flag documents needing immediate review
• Categorise cases into “high”, “medium”, or “low” priority

In simple terms

AI is very good at:

• Understanding large amounts of information,
• Condensing it, and
• Telling you what needs attention first.

AI in a Risk-Based Workflow

Adopt a tiered approach matching scrutiny to risk levels (e.g., jurisdiction, industry, contract size).

Pitfalls of Generic Tools and Advocacy for Purpose-Built Solutions

Generic AI (e.g., LLMs) introduces risks incompatible with compliance-grade due diligence, as Emily Morgan, Xapien's Global Partnerships Director, notes:

• "General-purpose LLMs are brilliant at conversation, but... in due diligence, that's a risk you can't take."

Key Pitfalls of Generic AI

• Hallucinations: Fabricates plausible but false info, e.g., misleading red flags.
• Black-Box Opacity: Lacks traceable logic, failing DOJ's ECCP (2024) requirements for oversight.
• Inconsistency: Variable outputs undermine equitable risk assessment.
• Data Limitations: Relies on OSINT; risks security breaches and ignores premium sources like corporate records.
• Regulatory Non-Compliance: Cannot meet explainability standards under FCA (2025) or EU AI Act (high-risk systems need human oversight, data governance).

In contrast, purpose-built platforms like Xapien address these:

• Accuracy & Reliability: Entity disambiguation avoids false positives; live sources ensure comprehensiveness.
• Compliance-Grade Features: Fully cited reports, audit trails, and API integrations for seamless workflows.
• Data Security: Custom retention, vetted suppliers exclude customer data from training.
• Scalability: Enterprise tools like multi-user controls and governance meet DOJ/ERM integration.

Expert Russell Corn, CEO of Fulcrum Diligence, emphasises:

• "Transparency and auditability are now baseline regulatory expectations. Black-box tools don’t meet that test."

Regulatory Analysis: Global Expectations

• Regulators demand governed AI without exemptions:
• US DOJ ECCP (2024): Integrate AI into ERM; ensure monitoring, human baselines, and trustworthiness.
• UK FCA (2025): Principles-based; apply existing frameworks for flexibility and outcomes.
• EU AI Act: Risk-based; high-risk TPDD tools require oversight, transparency, and record-keeping.
• Implications: Document controls, test outputs, and prove defensibility. As Yehia Mokhtar of Mintz Group warns: "Accountability doesn't disappear just because a machine is involved."

Build vs Partner Decision

• Build: For organisations with in-house expertise and funding, it offers customisation but high maintenance.
• Partner: Faster, shared accountability; ideal for most. Select based on transparency, maturity, integration, governance, and flexible contracts (per EY's Nicola Mollat: "Cut through the buzzwords. Don't buy the promise, buy the outcome.").

Roadmap for AI Adoption

1. Identify Purpose: Solve specific issues like triage speed.
2. Map Value: Target data-heavy tasks, not judgment calls.
3. Govern: Document oversight tied to regulations.
4. Partner Wisely: Prioritise reliable, transparent vendors.
5. Adopt Practically: Train teams, integrate workflows.

Conclusion

• Uncompromised due diligence means using AI responsibly—avoiding generic pitfalls with purpose-built solutions that deliver traceable, scalable insights.

Source

• https://tinyurl.com/yc2uf2t4