Trust in the AI ecosystem is essential for its effective functioning and economic contribution. Strong internal governance is vital for both individual organisations and the broader ecosystem. Many organisations are outsourcing AI development and deployment to cut costs, enhance efficiency, and adapt to competitive pressures. Outsourcing provides access to new technologies and economies of scale, but management bodies must retain full responsibility for their organisations, ensuring adequate resources, risk oversight, and compliance.

Outsourcing must not reduce an organisation to an “empty shell” lacking the capacity to operate independently. Special attention is required for outsourcing to third-country service providers to ensure compliance with the EU AI Act, particularly regarding transparency, risk classification, and supervisory oversight. Guidelines identify critical functions that impact risk profiles or control frameworks, with stricter requirements for their outsourcing. Competent authorities must supervise outsourcing arrangements, monitor risk concentrations at service providers, and assess their potential impact on AI ecosystem stability. Comprehensive documentation from high-risk AI system users is crucial for this oversight.