Most boards now ask how their organisation is using AI. Fewer ask a harder question: what happens if the model they depend on changes its terms, its price, or its availability?
That second question is not about technology. It is about concentration risk, and boards already know how to think about it.
A familiar discipline, applied to an unfamiliar supplier
When a single supplier becomes critical to operations, governance asks the obvious things. How exposed are we? What is our alternative? How quickly could we switch, and at what cost? A board would not let a sole supplier of a core input sit unexamined.
AI dependency deserves the same scrutiny. Yet it often escapes it, because it does not arrive looking like a supplier relationship. It arrives as a productivity tool, adopted team by team, well below the altitude at which procurement and risk usually operate. By the time it is material, it is rarely on the register.
This is no longer hypothetical
In February 2026, GitHub deprecated several AI models across its Copilot tool, including models from more than one major provider. Organisations using those models had not chosen the timing, and continuity depended on alternatives being available and enabled.
What matters to a board is what the event demonstrates: the availability of an AI model is now a supplier-managed variable. A capability staff rely on can change on the provider’s schedule, not the organisation’s. This is ordinary now, not exceptional.
The risk regulators are already naming
The bodies whose job is systemic risk have reached the same conclusion. The Financial Stability Board, which coordinates financial regulation internationally, identified provider concentration as an AI-related vulnerability in 2024. It noted the market for these services is highly concentrated, exposing institutions to disruption if a key provider fails. In January 2026, the United Kingdom’s Treasury Select Committee went further, recommending that major AI and cloud providers be designated as critical third parties to the financial system.
Those frameworks belong to the financial sector, not to most organisations. Whether or not such expectations extend beyond regulated sectors, the direction of travel is clear: provider concentration is increasingly treated as a governance issue, not a purely technical one.
Neither measure reaches a training provider, a council, or a trust. That is precisely the point. The value in asking now is that the question arrives before an obligation does, while there is still room to answer it calmly.
There is a second concern in the regulators' work worth carrying across. The risk is not only operational dependence. It is behavioural dependence. When many organisations rely on the same model, their decisions can start to converge. The question becomes not only whether you can keep operating, but whether you are reaching the same conclusion as everyone else, because you are all leaning on the same source.
Price is one symptom, not the diagnosis
Pricing moves too, and not in one direction. In May 2026, one major provider offered free usage to draw enterprises away from a competitor. The same week, that competitor announced that some usage previously covered by subscriptions would move to separate billing.
So the terms loosened in one place and tightened in another, at the same time, between the same two providers. That is the point. The direction is not predictable. An organisation with no alternative has no position whichever way the terms move.
Substitutability is the real question
Beneath price, availability, and correlation sits one question. Could the organisation continue to operate if its primary model became unavailable, unaffordable, or unsuitable? For many, the honest answer is that they do not know. That uncertainty is itself the finding.
Smaller organisations carry this most acutely. They have the least room to maintain an alternative, and the least slack to absorb a sudden change in terms. Unlike larger organisations, they often lack the dedicated procurement, architecture, or risk functions that would naturally examine these dependencies. The convenience that makes AI valuable to a small team is the same convenience that quietly removes its options.
What this asks of a board
None of this means a board should manage the dependency. Knowing which models are enabled in which tool is a management function, and a board that reaches for that detail has descended into operations.
The board’s role sits one level up. It is to assure itself that the dependency is seen and owned. Three questions are enough to test that:
Has management identified where the organisation depends on a single AI provider? The board does not need the register. It needs confidence that one exists, and that someone owns it. An answer that names no one is the finding.
Does that dependency appear in our risk reporting, or is it absent because it accumulated below the level anyone reports on? An exposure invisible to oversight is the real governance gap.
If a critical provider changed its terms or withdrew a capability, does management have a response, and have we been told what it is? A response that exists only in conversation is not yet a control.
What governed dependency looks like
A board does not need a checklist. It needs a sense of what strong governance looks like, so it can judge where its own organisation sits.
In an organisation that has governed this well, three things are true. The dependency is visible: someone can say which functions rely on which provider, without scrambling to find out. The dependency is owned: a named person, not a diffuse “the team”, is responsible for monitoring it and responding when terms change. And the response is real: if a provider withdrew a capability or changed its price, there is a tested answer, not an intention to work something out.
Most organisations will find they have none of the three, and that is not a failing. The dependency accumulated faster than the governance around it. The useful first step is to ask management for an honest account of where the organisation stands against those three tests. “We are not sure” is a legitimate and important answer, not one to be tidied away.
That account, returned honestly, tells a board most of what it needs to know. Not whether the organisation is exposed, because every organisation is, but whether the exposure is seen, owned, and answerable. That is the difference between a risk that is governed and one that is merely present.
Has your board had that account?