Who holds the keys? Navigating legal and privacy governance in third-party AI API access


Contributors:
Rachel Webber
AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Senior counsel
Riskonnect Inc.
In today's rapidly evolving artificial intelligence environment, organizations are increasingly relying on third-party application programming interfaces from platforms like OpenAI, Google and Amazon Web Services to embed advanced features into their products. These APIs offer significant benefits, particularly in terms of time and cost savings, by enabling companies to leverage existing technology rather than building solutions from scratch.
While this approach can speed up deployment and reduce the burden of managing complex infrastructure, it also raises key legal and privacy issues — like how data flows are controlled, who is responsible for data security, and how licensing restrictions are enforced. The situation becomes even more challenging when the procuring organization opts to use its own API keys instead of those provided by the AI feature developer.
Data flow and responsibilities when developers access AI services on behalf of a procuring organization
When developers leverage third-party AI APIs to build and deliver their own AI features, they often do so using their own licensed API keys to access those services. Prompts — for example, data queries, order-processing commands, or report generation instructions — are sent from the procuring organization's systems to the developer's platform and then forwarded to the API provider. The provider applies its AI models and returns outputs, which the developer delivers to the procuring organization.