A conversation I watched happen at a fintech conference:

Founder: "We use an AI credit scoring tool from a vendor. We didn't build it. So the compliance obligations are on them, right?"

Consultant: "Are you modifying the model in any way?"

Founder: "No. Well — we trained it on our own data. But we didn't change the actual model."

Consultant: [takes a very deep breath]

The basics are simple. Provider — you built it (or paid someone to build it) and you sell it or make it available. Deployer — you bought or licensed it and you're using it. OpenAI is a provider. A bank using GPT-4 in customer service is a deployer.

Except it almost never stays that simple.

The five ways you accidentally become a provider

1. You put your name on it

White-label a high-risk AI system that is already on the market under your own name or trademark? You're now its provider. Full stop.

2. You make a substantial modification

Training or fine-tuning a model on your own data can constitute a substantial modification: a change the original provider did not foresee in its conformity assessment that affects the system's compliance or alters its intended purpose. "We didn't change the actual model" is not a defence if the behaviour has changed.

3. You change the intended purpose

A vendor sells a generic document summarisation tool (not high-risk). You use it to classify legal contracts for automated financial decisions (high-risk). You've just assumed provider obligations.

4. You integrate it as a safety component

If you manufacture a product covered by EU product safety legislation and place it on the market under your own name with a high-risk AI system as its safety component, you are treated as the provider of that AI system, not merely its deployer.

5. You're a GPAI provider whose model gets used downstream

General-purpose AI model providers have specific obligations around technical documentation and cooperation with downstream providers, even when another company builds the high-risk system on top of the model.

What providers must do

Risk management system, data governance, technical documentation, automatic logging, transparency, human oversight design, accuracy and robustness, quality management, conformity assessment, EU database registration, CE marking, corrective action, and authority cooperation.

What deployers must do

Use the system per the provider's instructions, ensure competent human oversight, monitor operations, keep the logs the system generates (for at least six months unless other law requires longer), carry out fundamental rights impact assessments where required, and inform people when they're subject to high-risk AI decisions.

The nightmare scenario

An enterprise buys an AI HR tool, rebrands it under its own name, fine-tunes it on its own data, and starts using it for performance evaluation instead of just hiring. That is three of the reclassification triggers above in one project. They're now a provider with provider obligations, and almost certainly don't know it.

If you're not sure whether you're a provider or a deployer, that's the danger zone. Get clarity now, before enforcement begins.