1.3M+ BPO employees in the Philippines
78% of PH BPOs now using AI tools
<15% have documented AI governance
$38B PH BPO revenue at risk from US client scrutiny

The Layoffs Are Happening. The Governance Isn't.

The headlines in 2025 and 2026 have been about BPO layoffs driven by AI automation. What's not making headlines is the compliance gap those deployments are creating. Philippine BPOs are replacing repetitive tasks with AI tools — document processing, customer service bots, data entry automation, transcription — at extraordinary speed. Most are doing it without asking the questions their US clients will inevitably ask.

I spent years as the Governance Risk and Assurance Manager for Shell's North American retail operations. I introduced the risk-based assurance review process that identified deep-dive audits across Shell's retail network. The discipline I applied there — identify the risk, design the control, test it, document it, report it — is exactly what Philippine BPOs need for AI right now.

The BPOs that survive the next wave of US client scrutiny will not be the ones with the most AI. They will be the ones who can prove they govern it.

Who this article is for

BPO compliance managers, operations directors, IT heads, and managing directors at Philippine BPOs serving US clients in healthcare, financial services, legal, and customer service. If your US clients send you data — patient records, financial information, legal documents, customer PII — this article is for you.

Why This Is Urgent Right Now

US companies are beginning to add AI governance requirements to their vendor contracts and annual audits. This is not a future trend — it is happening now in 2026. Driven by:

Your US client's legal team or procurement department may not have sent you a formal AI governance questionnaire yet. They will. The BPOs with documented frameworks will answer it in an afternoon. The ones without will scramble — or quietly lose the renewal.

The 3 Questions Your US Client Will Ask

Based on what US enterprise procurement teams are now requiring from offshore vendors, here are the three questions that will determine whether you keep or lose US contracts in the next 12-24 months.

Question 1 of 3
"What AI tools are you using to process our data — and where does that data go?"
Most BPOs can answer the first part — they can name the AI tools they're using. Almost none can answer the second part with specificity. When you use an AI tool to process a US client's documents, that data doesn't just go to the AI vendor. It goes to their sub-processors — the cloud providers, model hosts, and third-party services the AI vendor uses. Your US client's data may be passing through 5-8 different organizations before it comes back as an AI output. Do you know who they are?
What you need to be able to show

A data flow map for each AI tool you use — what data enters, which vendor receives it, who their sub-processors are, where the data is stored, and whether it is used for model training.

Question 2 of 3
"What controls do you have to ensure our data isn't used to train AI models?"
Many AI tools — particularly free or low-cost tiers of popular AI platforms — use customer data to improve their models by default. The enterprise tiers typically have data processing agreements that prevent this. If your BPO is using standard-tier AI tools to process US client data, there is a meaningful probability that data is being used for model training without your client's knowledge or consent. For healthcare data, this is a potential HIPAA violation. For financial data, it may violate your client's data processing agreement with you.
What you need to be able to show

Data processing agreements (DPAs) with every AI vendor that touches client data — explicitly stating that client data is not used for model training, including breach notification timelines, and specifying data deletion procedures when the contract ends.

Question 3 of 3
"If your AI system makes an error or causes a breach — what is your response process and who is accountable?"
This is the question most BPOs are least prepared to answer. When an AI tool produces a wrong output that gets sent to a customer, or when an AI vendor suffers a breach affecting your client's data, your client needs to know that someone is accountable, that you have a documented response process, and that they will be notified within a defined timeframe. "We'll deal with it when it happens" is not an acceptable answer in 2026.
What you need to be able to show

A documented AI incident response procedure — who is notified, in what timeframe, what steps are taken, and how the client is kept informed. A clear one-page procedure with defined roles and timelines is sufficient for most US client audits.

The Shell Assurance Framework Applied to BPO AI

As Shell's Governance Risk and Assurance Manager for North America, I introduced a risk-based assurance review process across Shell's retail network. The methodology was straightforward: identify what could go wrong, design a control to prevent it, test that the control works, document the result, and report to leadership.

That exact methodology — applied to AI governance — produces the documentation your US clients are starting to require.

The GRA framework for AI — four steps

1. Identify: Map every AI tool in use, what data it touches, and where that data goes.

2. Control: Put data processing agreements, access controls, and human oversight checkpoints in place for every identified risk.

3. Test: Verify the controls work — test the incident response procedure, verify the DPAs are signed, confirm sub-processor lists are current.

4. Document and report: Produce a governance summary you can hand to your US client's procurement team with confidence.

What Happens to BPOs That Don't Do This

The scenario plays out in one of two ways. In the better scenario, your US client sends a vendor questionnaire about AI governance before renewal. You can't answer it adequately. The renewal is delayed, renegotiated at lower rates, or lost entirely to a competitor who has documentation.

In the worse scenario, an AI tool you're using suffers a data incident involving your US client's data. You have no documented response procedure, no DPA specifying notification timelines, and no audit trail showing you exercised due diligence. Your client terminates the contract and pursues damages.

The competitive reality

BPOs in India, Eastern Europe, and Latin America are already building AI governance frameworks specifically to win and retain US contracts. Philippine BPOs that move first on governance documentation will have a genuine competitive advantage. Those that wait until US clients start asking will be playing catch-up — and some will lose contracts in the process.

How to Get Started — This Week

You don't need to build a complete ISO 42001-certified AI management system this month. You need to be able to answer those three questions at your next US client audit. Here is the minimum viable governance framework for a Philippine BPO in 2026:

Is your BPO ready for the audit?

Take the free FAIG assessment — 15 questions, 5 minutes, no signup. Or message Monte directly to discuss your specific situation and what governance documentation you need before your next US client renewal.


Disclaimer: This article is for educational purposes only. Not legal advice. Statistics are industry estimates. Always consult qualified legal and compliance professionals for your specific situation.