Your Firm Is Probably An AI Deployer, Not A User. That Changes Who Is Liable.
By Gabriel Tan | June 2026
An account director in Singapore is in a client meeting when the AI question comes up, as it now always does. “We just use it as a tool,” she says, and the room nods, and everyone moves on. The sentence felt safe. Under the standards and the law now taking shape, it described a position the speaker does not actually hold, and the gap between the two is where liability lives.
ISO/IEC 22989, the international standard that sets the vocabulary for AI, and the EU Artificial Intelligence Act both assign defined roles to the parties around an AI system. The role you hold decides the duty you carry. “Just a user” is not the neutral, low-stakes category most people in PR assume it is.
Three roles, and the one most agencies get wrong
The standards separate the parties so that responsibility has somewhere to land. Three roles matter for a communications firm.
The provider is the party that builds the system or changes it in a substantial way. For most agencies, that is the model company, not you.
The deployer is the party using the system under its own authority in a professional setting. An agency running an AI tool inside its workflow to produce client work is, in almost every case, a deployer. This is the role firms miss, because “deployer” sounds industrial and “we just type prompts” sounds harmless.
The affected person is whoever the output lands on. For your work, that includes a client's investors reading an AI-drafted announcement and members of the public seeing AI-altered media.
The trap is the assumption that using a tool someone else built makes you a passive user with no duties. The standards do not see it that way. A deployer who puts AI output into the world under its own name carries obligations regardless of who wrote the model.
Why the label is not pedantry
Roles decide who answers when something goes wrong. If an AI-generated figure in a client release turns out to be false, “the tool got it wrong” is not a defence a deployer gets to use. The deployer chose the tool, pointed it at the task, and published the result.
This matters more as the EU AI Act's duties land in stages. Obligations for general-purpose AI models have applied since 2 August 2025, and transparency duties follow in August 2026. The duties travel along the chain of roles. Knowing which role you hold tells you which duties are even pointed at you.
What to do this week
This is a fifteen-minute exercise that changes how you read everything else.
List your three most-used AI tools. For each, write down which role your firm holds: provider, deployer, or neither. You will write deployer most times. Fifteen minutes.
For each tool where you are the deployer, note the one control that proves you exercised oversight: a senior read, a source check, a data rule. Fifteen minutes.
If you cannot name the control, you have found the gap in your agency workflow before a client did.
The label is not paperwork and it is not a lawyer's hobby. It decides who is standing there when the output is wrong, and most agencies have quietly assumed they are standing somewhere they are not. Find out which role you actually hold before a client's bad week makes the question urgent.
Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.
