Artificial intelligence often appears frictionless. A prompt goes in. An answer comes out. A report is summarized. A risk score is generated. A customer interaction is automated. A compliance analyst receives a faster answer. A business process becomes more efficient. Yet there is nothing frictionless about AI.
Behind every AI tool sits a human supply chain. Some workers label data, moderate content, train models, build infrastructure, mine minerals, assemble devices, maintain data centers, write code, manage vendors, and absorb the consequences when automation changes the nature of work. There are third parties, subcontractors, cloud providers, data brokers, model developers, implementation consultants, and business users. There are people whose labor, data, dignity, and livelihoods may be affected long before the board ever sees an AI dashboard. Now we turn to the human supply chain of AI: workforce transformation, third-party risk, and modern slavery.
The Magnifica Humanitas Lesson: AI Is Never Disembodied
Magnifica Humanitas makes a powerful point for compliance professionals: AI is not immaterial or magical. Pope Leo states, “Nothing in the world of AI is immaterial or magical.” That is a moral statement, but it is also a governance statement. The Encyclical explains that AI depends on natural resources, energy infrastructure, digital platforms, and human labor, including data labeling, model training, content moderation, and the extraction of materials needed for devices and microprocessors (Magnifica Humanitas, ¶173).
That is a direct compliance lesson. The risk does not begin when the company deploys an AI tool. The risk begins when the company selects the vendor, approves the use case, provides data, accepts contractual terms, relies on outputs, and fails to ask who and what sits behind the technology. The Encyclical is equally direct that digital systems can amplify hidden forms of exploitation and that supply chains supporting the technology industry should become transparent so competitive advantage is not built on hidden exploitation (Magnifica Humanitas, ¶179).
The document also speaks directly to work. It teaches that work is not simply an instrument, but a setting in which people develop, contribute, cooperate, support their families, and build together (Magnifica Humanitas, ¶148-149). It warns that AI can improve productivity while also de-skilling workers, subjecting them to automated surveillance, forcing them to adapt to the pace of machines, and eroding their agency (Magnifica Humanitas, ¶150). For the CCO, this means AI governance is not only about model risk. It is also about people’s risk.
From Encyclical Principle to Corporate Governance Requirement
The bridge from Magnifica Humanitas to corporate governance is straightforward. Pope Leo calls for human-centred technology, social criteria for innovation, verifiable measures to protect employment, retraining, worker participation, and a corporate commitment to include the quality and dignity of work among the indicators of success (Magnifica Humanitas, ¶156). In corporate governance language, that means AI adoption should include workforce impact assessment, role-based training, human review, bias testing, privacy controls, speak-up protections, and board reporting.
The Encyclical also calls for preventive ethical verification, or due diligence, across the digital economy, with priority given to worker protection, the fight against forced labor, and assessment of the social impact of data-driven business models (Magnifica Humanitas, ¶179). For compliance professionals, that is third-party risk management. It means vendor due diligence, subcontractor transparency, audit rights, data provenance, labor standards, modern slavery review, incident reporting, and ongoing monitoring.
This is where the moral language of Magnifica Humanitas becomes the operating language of compliance. Human dignity becomes human rights due diligence. Shared responsibility becomes cross-functional governance. Transparency becomes supply chain visibility. Accountability includes naming owners, documentation, monitoring, testing, challenge, and remediation.
Workforce Transformation Is a Compliance Issue
AI will change work. That is not speculation. It is already changing how employees draft, analyze, monitor, investigate, review, report, and decide. The question is whether companies will manage this transformation with governance, transparency, and care, or allow automation to wash through the workforce as a cost-reduction exercise.
Compliance should not attempt to own a workforce strategy. That belongs with management, HR, legal, finance, and business leadership. But compliance should have a voice because workforce transformation creates culture risk, speak-up risk, retaliation risk, discrimination risk, privacy risk, monitoring risk, and internal controls risk. The Encyclical warns that innovation pursued solely for cost reduction and profit can produce job insecurity, inequality, and social instability (Magnifica Humanitas, ¶151).
A company using AI to evaluate employees, monitor productivity, screen applicants, assess performance, recommend discipline, or allocate opportunities should ask hard questions. What data is being used? Has the tool been tested for bias? Are employees informed? Can individuals challenge errors? Is human review required? Are managers trained not to over-rely on AI outputs? Is the tool increasing fairness, or simply making questionable decisions faster?
AI adoption should also include change management. Employees need training on approved AI use, prohibited data inputs, required human review, and escalation of concerns. They also need assurance that raising concerns about AI will not be punished. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether companies train employees on emerging technologies such as AI and whether companies have controls to monitor AI trustworthiness, reliability, intended use, human decision-making, and accountability. That is not only a technology expectation. It is a cultural expectation.
Third-Party AI Risk Is Not Ordinary Vendor Risk
AI vendors are not ordinary vendors when they touch sensitive data, influence consequential decisions, support compliance processes, provide core infrastructure, or rely on opaque subcontracting chains. A company may believe it is buying software. In reality, it may be acquiring a new decision system, a new data processor, a new compliance dependency, and a new supply chain exposure.
Magnifica Humanitas warns that major economic and technological actors can exercise de facto power over data, expertise, access, visibility, and opportunity. It calls for transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable data access, and avenues for recourse (Magnifica Humanitas, ¶71-72). For the CCO, that is a vendor governance mandate.
The ECCP already provides the compliance architecture. A well-designed compliance program should apply risk-based due diligence to third-party relationships, understand the business rationale, assess the risks posed, include appropriate contract terms, monitor third parties through updated due diligence, training, audits, and certifications, and use data to evaluate vendor risk during the relationship. Apply that directly to AI vendors.
The company should know what the AI tool does, what data it uses, whether company data will train or improve the model, where data is stored, who has access, what subcontractors are involved, whether outputs are explainable, what human review is required, how incidents are reported, and whether the vendor can support audit rights. The company should also ask whether the vendor uses third parties for data labeling, content moderation, model evaluation, or technical support, and what labor standards apply to those providers.
An AI vendor questionnaire should not stop at cybersecurity and privacy. It should cover human rights, labor standards, modern slavery risk, data provenance, subcontractor transparency, model governance, incident reporting, auditability, and exit rights.
Modern Slavery Risk in the AI Supply Chain
The risk of modern slavery may seem far removed from enterprise AI adoption. It is not. Magnifica Humanitas challenges that assumption by reminding us that the digital economy depends on physical infrastructure, extracted resources, hidden labor, and vulnerable workers. It specifically identifies data labeling, model training, content moderation, resource extraction, and trafficking-enabled misuse of digital platforms as part of the moral challenge of AI (Magnifica Humanitas, ¶173).
For compliance professionals, the lesson is straightforward. AI supply chain risk should be folded into third-party risk management and human rights due diligence. The company should not assume that because an AI provider has a sophisticated interface, the underlying chain is clean. Procurement and compliance should ask who performs outsourced labeling, testing, moderation, data enrichment, and support work. They should assess whether workers are paid fairly, protected from exposure to harmful content, free from coercion, and supported by appropriate safeguards.
This is especially important where vendors rely on lower-cost labor markets, opaque subcontracting, high-volume content review, or resource extraction. The issue is not whether every AI vendor is high risk. The issue is whether the company has a defensible process to identify which vendors, services, geographies, and labor practices require enhanced review.
The Encyclical makes this corporate obligation unusually concrete: supply chains underpinning the technology industry and digital economy should become more transparent; companies and investors should adopt clear due diligence criteria; and digital platforms should cooperate to prevent communication, payment, and profiling tools from becoming channels for recruitment and control of victims (Magnifica Humanitas, ¶179). A modern AI third-party program should therefore include labor and human rights due diligence at onboarding, contractual commitments, audit rights, subcontractor approval rights, certifications, incident reporting, and ongoing monitoring.
Frameworks for Governing the Human Supply Chain
NIST and ISO/IEC provide a practical structure for this work. NIST’s Generative AI Profile calls for acceptable use policies that address proprietary and open-source AI technologies, data, contractors, consultants, and other third-party personnel. It also identifies the need to document generative AI value-chain risks, plan for failures or incidents involving third-party data or systems, and continuously monitor third-party AI systems in deployment.
ISO/IEC 42001 provides a management-system approach for organizations that develop, provide, or use AI-based products or services. It supplies the governance discipline compliance professionals understand: policy, roles, risk assessment, controls, monitoring, performance evaluation, corrective action, and continual improvement.
COSO adds the internal controls discipline. COSO’s GenAI guidance emphasizes that generative AI is moving into operations and boardrooms faster than traditional governance models anticipated, and that risks such as cyber exposure, prompt manipulation, opaque reasoning, model drift, and configuration changes can jeopardize operations, reporting, and compliance if not addressed through robust internal controls.
Together, these frameworks point to the same conclusion. AI supply chain governance must be documented, controlled, monitored, tested, and improved.
Board Oversight: The Human Cost Must Be Visible
Boards do not need to manage AI vendors. They do need to oversee the systems management used to identify, assess, monitor, and remediate material AI risks. Under Caremark principles, directors must make a good-faith effort to oversee company operations. The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability and due diligence mandate.
For AI, the board should ask whether management has visibility into the human supply chain. Which AI vendors are critical? Which tools affect employees, customers, suppliers, or compliance decisions? Which vendors use subcontractors? Which AI tools rely on sensitive data? What labor and human rights risks have been identified? What workforce impacts are expected? What retraining is planned? What AI-related incidents have occurred? What open remediation items remain?
Magnifica Humanitas closes this portion of its analysis with a shared responsibility principle: innovation must be guided by institutions, businesses, intermediary organizations, educational communities, and citizens so that it serves integral human development rather than becoming a source of exclusion and dominance (Magnifica Humanitas, ¶180-181). The board failure will not be that the directors did not understand every model parameter. The failure would be failing to ask whether management has a reasonable system to govern AI’s human, third-party, and supply chain impacts.
5 Lessons for the CCO
- Map the human supply chain. The company should know the vendors, subcontractors, data sources, infrastructure providers, and outsourced labor that support material AI tools.
- Treat high-impact AI vendors as high-risk third parties. AI vendors that touch sensitive data, support consequential decisions, or affect compliance processes require enhanced due diligence, contractual protections, and ongoing monitoring.
- Build human rights and modern slavery risk into AI due diligence. Vendor reviews should address labor practices, subcontractors, content moderation, data labeling, resource extraction, worker protections, and geographic risk.
- Govern workforce transformation. AI adoption should include training, retraining, human review, transparency, privacy protections, bias testing, and speak-up channels for employee concerns.
- Report evidence to the board. Boards need visibility into AI vendor risk, workforce impact, supply chain exposure, incidents, remediation, and control testing.
Conclusion: From Babel to Responsible Reconstruction
The AI age will reward companies that innovate. But it will also test whether those companies can govern innovation with discipline, transparency, responsibility, and human primacy. The lesson of Magnifica Humanitas is that AI must remain at the service of the human person. That includes the employee whose job is changing, the worker hidden in the supply chain, the community affected by resource extraction, the customer subject to an automated decision, and the board charged with oversight.
This five-part series began with the Tower of Babel and the boardroom. Babel was power without humility. Nehemiah was rebuilding with responsibility. For the modern compliance professional, that is the AI governance choice. Pope Leo frames the alternative as progress that serves people or progress that subjects them to the mentality of power (Magnifica Humanitas, ¶129). We can allow AI to grow through hidden use, opaque vendors, weak controls, synthetic trust, and invisible human cost. Or we can build an AI governance program grounded in risk assessment, controls, accountability, transparency, human review, third-party diligence, workforce care, and board reporting.
The next step is to convert these five lessons into a practical board-ready AI governance checklist. That checklist should give directors, CCOs, general counsel, audit leaders, risk leaders, and CEOs a structured way to ask the right questions, demand the right evidence, and govern AI before AI governs the enterprise.
