Every serious AI governance framework starts with the same principle. NIST AI RMF calls it "Know Your AI Supply Chain." ISO 42001 requires vendor risk assessment. COSO GenAI mandates third-party due diligence. The FAIG framework I built for enterprise AI governance makes it a Tier 1 control.
They all assume the same thing: that you can verify who you're doing business with.
In the United States, that assumption is largely correct. Arrest records are public. Court records are public. Conviction records are public. A background check on a US-based founder returns something meaningful.
In most of Southeast Asia — the Philippines, India, Bangladesh, Thailand, Vietnam, Indonesia — that assumption is wrong. Dangerously, systematically, legally wrong.
And it is not just an enterprise procurement problem. It reaches all the way into the homes of American veterans who are handing their most sensitive personal and medical information to AI-powered claims companies right now — every day — without any idea who is on the other end.
"The person running the AI startup you just contracted could be a convicted fraudster. A background check will reveal nothing. Not because the system failed — because the system worked exactly as designed. Just not for you."
The three-tier problem — from enterprise to veteran
This is not a single problem. It is three connected problems operating simultaneously at different levels — each one making the next harder to see and harder to fix.
Tier 1 — The company you hired directly
Whether it is a claims assistance company or a US enterprise hiring an AI vendor — the founders and owners of that company may have criminal histories in jurisdictions where background checks legally cannot surface them. No disclosure requirement exists. No mandatory verification is required. The AI boom has made this dramatically worse — low barriers to entry, fast corporate registration, and constant new verticals give serial operators endless fresh starts.
Tier 2 — The AI platform the company runs
Many companies built or licensed their own AI platforms. You have no visibility into how those platforms were built, what data trained them, who has access to outputs, or whether the company's AI is processing your data through subcontractors you have never heard of. No disclosure is required at this level either.
Tier 3 — The offshore AI processor
The company you hired may outsource its AI processing to a startup in Manila, Bangalore, or Dhaka. That startup's founder may have three active fraud cases pending in local courts — cases that will not appear on any background check for another decade. Your data has now passed through three hands and you authorized all of it — without knowing any of it.
The AI startup in SE Asia is the latest and most sophisticated version of a problem that has existed across every industry for years. What is new is the scale. What is new is the speed. What is new is that AI makes data exploitation exponentially more valuable — and exponentially harder to detect after the fact.
The appeals gap — why background checks are legally blind
In most Southeast Asian jurisdictions, a criminal conviction is not considered final — and therefore not publicly disclosable — until every level of appeal has been exhausted. This is not unique to Asia. What is unique to emerging market Asia is how long that process takes and how deliberately it can be extended.
The Appeals Timeline — What "Pending" Actually Means
Philippines: A criminal case from filing to final Supreme Court resolution can take 10-20 years. The Sandiganbayan — the Philippines anti-corruption court — has cases pending from the 1990s still unresolved. During this entire period: conviction not final. Background check shows clean.
India: Sessions Court criminal cases average 5-15 years. High Court appeals add years. Supreme Court appeals can take decades. India's court system carries a documented backlog of approximately 50 million pending cases.
Bangladesh / Thailand / Vietnam / Indonesia: Similar timelines. Similar legal structures. Same gap between charge and final conviction. Same clean background check result throughout.
The result: A founder charged with fraud in 2018 — actively in court proceedings — passes your background check in 2026 with a clean result. Legally. Correctly. Unavoidably clean.
The mechanism used to extend this: Demurrer to evidence. Motion for reconsideration. Petition for certiorari. Petition for review. Motion for new trial. Each step is legally valid. Each step adds months to years. Each step keeps the conviction from becoming final. Each step keeps the background check clean.
The appeal process was designed to protect the innocent from wrongful conviction. That is a legitimate and important protection. But in jurisdictions with chronic court backlogs, that same protection becomes a tool sophisticated fraudsters exploit deliberately. The system has never been reformed to close this gap.
"The background check came back clean. It will come back clean every time until the Supreme Court rules — which may be 2031. The framework told you to verify your vendor. Nobody told you verification has a legal ceiling."
The serial operator playbook
1. Commit fraud — fintech, BPO, data services, e-commerce
   First company. Investor fraud, client fraud, data theft, financial misrepresentation. Company collapses or is dissolved under pressure.
2. Get charged — case enters the court system
   Charges filed. Lawyers engaged. First motion filed immediately. Clock starts — but it runs very slowly by design.
3. File every available motion to delay final conviction
   Each motion legally valid. Each adds months to years. Conviction stays pending. Background check stays clean indefinitely.
4. Register new company — different name, same founder, new vertical
   The AI boom provides endless new verticals. Healthcare AI. Claims automation. Data analytics. Financial AI. Fast, cheap corporate registration in Philippines SEC, India MCA, Thailand DBD.
5. Pass the background check — legally, correctly, every time
   US company runs standard background check. Returns clean. No convictions. No red flags. Will not change until Supreme Court rules — perhaps 2031.
6. Access US client data — repeat with next company when this one collapses
   Contract signed. Data shared. Sensitive US information processed by someone with an active fraud case the client will never know about. Process repeats.
Why the AI boom makes this dramatically worse
The director history signal — the tool most US companies never use
In the Philippines SEC and India MCA databases, you can search all companies a person has served as a director of. This is public information. It costs almost nothing. Almost no US companies do it.
A founder with four previous companies — all dissolved, all struck off, all inactive within three years of incorporation — is a major red flag that no standard background check will ever surface. This director history pattern is the fingerprint of a serial operator.
A clean personal background combined with a pattern of dissolved companies tells you almost everything you need to know. One without the other is an incomplete picture.
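The director-history screen described above, as an added example that is not part of the original article or of the FAIG framework. It scores a founder's directorships against the pattern the text describes (several companies dissolved, struck off or inactive within three years of incorporation) and reads that result together with the background-check outcome. The thresholds, the record layout and the sample company names are assumptions, not figures from the SEC or MCA21.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds are assumptions, not regulator figures: the article's fingerprint
# is a run of companies that failed within three years of incorporation.
SHORT_LIFE_YEARS = 3
MIN_SHORT_LIVED_FAILURES = 3
FAILED_STATUSES = {"dissolved", "struck_off", "inactive"}


@dataclass
class Directorship:
    company: str
    incorporated: date
    status: str                     # "active" or one of FAILED_STATUSES
    ceased: Optional[date] = None   # date the company stopped operating


def short_lived_failures(history: List[Directorship]) -> List[Directorship]:
    """Return directorships that failed within SHORT_LIFE_YEARS of incorporation."""
    flagged = []
    for d in history:
        if d.status not in FAILED_STATUSES or d.ceased is None:
            continue
        years_alive = (d.ceased - d.incorporated).days / 365.25
        if years_alive <= SHORT_LIFE_YEARS:
            flagged.append(d)
    return flagged


def assess_founder(history: List[Directorship], background_check_clean: bool) -> dict:
    """Combine the director-history signal with the background-check result.

    A clean check plus a pattern of dissolved companies is the serial-operator
    fingerprint; either signal on its own is an incomplete picture.
    """
    failures = short_lived_failures(history)
    pattern = len(failures) >= MIN_SHORT_LIVED_FAILURES
    if pattern and background_check_clean:
        risk, action = "high", "clean check consistent with appeals gap; order local court docket inquiry"
    elif pattern:
        risk, action = "high", "adverse check confirms pattern; decline"
    elif failures:
        risk, action = "medium", "some short-lived companies; request explanation and references"
    else:
        risk = "low" if background_check_clean else "medium"
        action = "no director-history pattern; apply standard controls"
    return {"risk": risk, "short_lived_failures": [f.company for f in failures], "action": action}


# Constructed sample: a hypothetical founder with four short-lived failures and one active company.
SAMPLE_HISTORY = [
    Directorship("Example Fintech Corp.", date(2015, 2, 1), "dissolved", date(2017, 6, 30)),
    Directorship("Example BPO Services Inc.", date(2017, 9, 15), "struck_off", date(2019, 11, 1)),
    Directorship("Example Data Solutions Inc.", date(2020, 1, 10), "inactive", date(2022, 8, 20)),
    Directorship("Example Health AI Corp.", date(2022, 10, 5), "dissolved", date(2024, 3, 12)),
    Directorship("Example Claims AI Inc.", date(2024, 5, 1), "active"),
]

if __name__ == "__main__":
    print(assess_founder(SAMPLE_HISTORY, background_check_clean=True))
```

A company that ran for eight years before dissolving is not counted, so an ordinary business failure does not trigger the flag on its own.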
The country-by-country reality
Philippines
NBI Clearance — the gold standard that is not
National Bureau of Investigation clearance covers final convictions only. Pending appeals — which can span decades — are not disclosed. Physical court records are accessible via local lawyers. Data Privacy Act limits processing personal data without consent.
India
50 million pending cases — no national database
No comprehensive national criminal database accessible publicly. Records largely paper-based at local police stations. MCA21 director history search is valuable and underused. IT Act requires consent for sensitive data processing.
Bangladesh
RTI exists — enforcement does not
Right to Information framework exists but gaps in public criminal disclosure are significant. Court backlogs comparable to Philippines and India. Same appeals gap applies. Limited international due diligence infrastructure.
Thailand
PDPA restricts data — criminal checks limited
Thailand's Personal Data Protection Act restricts data processing. Criminal checks via Royal Thai Police have limited scope. Same appeals structure applies. Growing AI sector with limited regulatory infrastructure for foreign vendor screening.
What AI governance frameworks say — and what they miss
The framework gap — what NIST, ISO, and COSO do not tell you
NIST AI RMF: "Organizations should understand the provenance of AI systems and components." Does not address jurisdictions where provenance verification is legally constrained by appeal processes.
ISO 42001: Requires supplier evaluation and monitoring. Does not address criminal record inaccessibility in appeal-pending jurisdictions or the serial operator pattern enabled by slow court systems.
COSO GenAI: Mandates third-party risk management. Does not address the structural gap between "passed background check" and "actually clean" in emerging market AI.
The gap: Every framework assumes verification is possible. In emerging market AI — for the most critical data point — it often legally is not. This needs to be named explicitly and addressed through layered controls that acknowledge the ceiling honestly.
What you can actually do — and what you cannot
What due diligence CAN reveal
- Director history across all associated companies
- Corporate registration status — active, dissolved, struck off
- Sanctions and PEP screening — OFAC, World-Check, Refinitiv
- Adverse media — local language press, social media, news archives
- Tax compliance status — BIR Philippines, India GST, local equivalents
- Financial stability — audited statements, bank references
- Client references — actual verified clients, not website testimonials
- Technical audit — SOC 2, ISO 27001, data security practices
- Beneficial ownership — who actually controls the entity
- Local court inquiry — pending cases via local lawyer
- Cyber insurance verification — carrier, limits, coverage scope
What due diligence CANNOT reveal
- Convictions pending appeal — legally sealed until final
- Criminal history across jurisdictions — no cross-border database
- Nominee ownership structures — beneficial owner may be hidden
- Subcontractor chain — who your vendor passes your data to
- Data residency after handoff — where data actually goes
- Prior company failures under different corporate names
- Informal fraud history not yet formally charged
- Whether bonding is actually enforceable in local jurisdiction
Can a local firm help?
What local due diligence firms can access that US firms cannot
Physical court records: A local lawyer in Manila can walk into the Regional Trial Court and check pending case dockets. This surfaces active criminal proceedings that will never appear on an NBI clearance.
Community intelligence: The Philippines is a relationship economy. The BPO and tech community in Metro Manila is smaller than it looks. A well-connected local firm knows which founders moved from one failed company to the next. Reputation travels informally but effectively.
SEC and BIR access: Philippine SEC filings and BIR tax compliance status are accessible locally, quickly, and inexpensively. Director history searches take hours, not weeks.
Anti-corruption network connections: Firms with PACC and NBI connections can surface patterns that never appear in public records — not by accessing sealed information, but by understanding which names are known to which investigators.
The critical limitation: The local firm itself must be vetted. A compromised local due diligence firm gives you a clean report on a fraudster for a fee. This happens. Require verifiable references. Verify independently. Never rely on a single source for high-risk vendor decisions.
Insurance, bonding, and contract protections — the honest checklist
When verification has a ceiling, contracts and insurance become your primary risk mitigation tools. Here is what a properly structured emerging market AI vendor agreement requires.
Insurance requirements — what to require at contract signing
Errors and omissions (E&O) coverage: Minimum limits specified in the contract — not whatever the vendor happens to carry. Require a US-based or internationally recognized carrier. A local carrier with no US enforcement capability provides limited protection when you actually need it.
Cyber liability and data breach insurance: Critical for any AI handling PII, medical records, financial data, or military information. Require coverage for breach notification costs, regulatory fines, and third-party liability. Verify the policy explicitly covers offshore data processing.
Commercial general liability: Standard requirement. Verify it covers operations in the US as well as the vendor's home jurisdiction.
Proof requirements: Certificate of insurance at contract signing. Annual renewal confirmation. Direct notification to you if policy lapses or is cancelled. Do not accept verbal assurances.
The bonding reality in emerging markets
Performance bonds and fidelity bonds are standard risk mitigation tools in the US. In most SE Asian jurisdictions, they are either unavailable from reputable carriers, prohibitively expensive for startups, or effectively unenforceable when you need to collect.
This is itself a governance finding. A vendor who cannot provide bonding in a jurisdiction where it is genuinely unavailable is not necessarily a red flag. A vendor who claims to be bonded without a credible carrier and enforceable terms — that is a red flag. Require documentation. Verify the carrier. Understand what bonded means in the specific jurisdiction before relying on it as a risk control.
- Representations and warranties on criminal history. Vendor warrants that no founder, director, or key employee has been convicted of fraud, financial crime, or data-related offenses in any jurisdiction — whether or not pending appeal. Breach triggers immediate termination for cause and indemnification obligations.
- Data processing agreement with residency requirements. Specifies where data is processed, who can access it, and prohibits subcontracting without prior written consent. Requires breach notification within 24 hours. Specifies data destruction or return at contract termination.
- Audit rights — broad and unconditional. Your right to audit the vendor's security practices, data handling, and subcontractor relationships at any time with reasonable notice. Non-negotiable for any engagement involving sensitive data. A vendor who refuses audit rights is telling you something important.
- Subcontractor disclosure and approval. Vendor must disclose all subcontractors handling your data and obtain written approval before engaging them. The chain of custody of your data must be visible and documented at all times.
- Jurisdiction and governing law — specify US or neutral arbitration. Specify US federal law or neutral international arbitration such as AAA or ICC — not local jurisdiction. Philippine courts enforcing contracts against Philippine companies on Philippine timelines is not the position you want to be in when resolving a data breach. Vendors frequently push back on this clause. Hold it.
- Termination for cause — define it broadly. Any adverse finding — criminal charge, regulatory action, media disclosure of fraud, insolvency, ownership change — triggers your right to terminate immediately without penalty and with immediate data return. Define adverse finding explicitly and broadly. Do not narrow this clause under negotiation pressure.
- Ongoing monitoring obligation. Not a one-time check at onboarding. Require the vendor to notify you of any legal proceedings, regulatory inquiries, ownership changes, or key personnel departures within 30 days. Build in annual re-verification requirements.
- FCPA compliance representation. Required for US-listed companies engaging vendors in high-risk jurisdictions. Vendor represents compliance with US Foreign Corrupt Practices Act requirements. Requires annual certification. Protects the US company from downstream liability and demonstrates governance intent to regulators.
The veteran data connection
What veterans do not know about their data
Veterans hand over their most sensitive personal information — DD214, C-File, PTSD diagnoses, medical records, Social Security numbers — in response to advertising that promises AI-powered results at no upfront cost.
There is no mandatory background check requirement to operate a non-accredited VA claims assistance business in the United States. There is no disclosure requirement for owner criminal history. There is no requirement to disclose whether data is processed by offshore AI platforms, which countries those platforms operate in, or who owns and controls them.
VA Form 21-0845 — the authorization to disclose personal information to a third party — authorizes the company to access your VA records. It does not require disclosure of offshore processing. It does not require disclosure of subcontractor AI platforms. It does not require disclosure of the founder's pending criminal proceedings in another jurisdiction.
The same serial operator problem that exists in emerging market AI exists in the US non-accredited claims space. The same lack of mandatory verification. The same information asymmetry. The same veteran left not knowing who actually touched their most sensitive data.
Monte Fisher handles every veteran analysis personally. No offshore processing of veteran data. No third-party AI platform handling C-File information. No subcontractors. One CPA. One veteran. No handoffs. The forensic analysis stays with the person who signed the engagement.
The honest bottom line
You will never eliminate this risk entirely. The appeals gap is a structural feature of emerging market legal systems that no due diligence process can fully bridge. Anyone who tells you otherwise is selling you false certainty.
What you can do is build a risk-based framework that acknowledges the ceiling honestly and layers every available control below that ceiling. Director history searches. Local court inquiries. Adverse media screening. Beneficial ownership verification. Proper insurance with verified carriers. Strong contract protections with US or neutral jurisdiction. Subcontractor disclosure. Pilot projects before scale. Ongoing monitoring. And an honest conversation with your board about the residual risk that no amount of diligence can eliminate.
"Document your diligence. Acknowledge the ceiling. Build the controls below it. Be honest with your board about what remains. That is defensible governance. Everything else is theater."
FAIG — Fisher AI Governance Framework
Build a vendor governance framework that reflects reality
Monte provides AI governance assessments that address emerging market vendor risk honestly — including the verification ceiling most frameworks ignore. Written deliverable. No vendor agenda. Based in Makati, Philippines — with firsthand knowledge of the legal and corporate landscape that most consultants have only read about.
vcanalytics@pm.me · +63 917 798 1959 · Makati, Philippines · Available worldwide
Monte Fisher
CPA (Ret.) · CFE · Lean Six Sigma Green Belt
Former GRC Manager at a major global energy company. Certified Fraud Examiner with direct experience in anti-corruption operations in the Philippines. Founder of VCAnalytics.ai and the Fisher AI Governance (FAIG) framework. Based in Makati, Philippines — with firsthand knowledge of the corporate and legal landscape that most AI governance consultants have only read about. WhatsApp: +63 917 798 1959
Sources and References
NIST AI Risk Management Framework (AI RMF 1.0) — vendor risk provisions
ISO/IEC 42001:2023 — AI Management System supplier evaluation requirements
COSO Guidance on Internal Control over Generative AI — third-party risk
Philippines Data Privacy Act of 2012 (Republic Act 10173)
Philippines NBI Clearance procedures — National Bureau of Investigation
Philippines SEC — corporate registration and director history database
India IT Act and SPDI Rules — sensitive personal data processing
India MCA21 — director history and company registration database
Thailand Personal Data Protection Act (PDPA) B.E. 2562
Philippines Supreme Court — Annual Report on court backlog statistics
India Supreme Court — Pending cases data, National Judicial Data Grid
OFAC Sanctions List — US Treasury Office of Foreign Assets Control
VA Form 21-0845 — Authorization to Disclose Personal Information to a Third Party
US Foreign Corrupt Practices Act (FCPA) — 15 U.S.C. sections 78dd-1 et seq.
Disclaimer: This article is provided for informational and educational purposes only. Nothing in this article constitutes legal advice. Specific due diligence requirements vary by jurisdiction, industry, and risk profile. Consult qualified legal counsel in the relevant jurisdictions before making vendor engagement decisions. References to legal systems and court processes are based on publicly available information and general legal knowledge — not specific legal opinions about any individual case or jurisdiction.