CITT Services

Transforming Third-Party Risk Management for the AI Era

Organizations Must Evolve Third-Party Risk Oversight as Vendors Rapidly Embed AI

Organizations face a new challenge as artificial intelligence spreads through their third-party ecosystems. While companies focus on their own AI initiatives, many overlook how extensively their vendors, subcontractors, and service providers are embedding AI into core services, from cloud platforms to SaaS tools to outsourced operations. The result is a blind spot: the organization's data is processed, and decisions affecting it are automated, by models inside services that were contracted and assessed before AI was part of them, at a time when the external risk environment is already volatile.

The Rapidly Evolving Third-Party Landscape

The confluence of pandemic disruptions, geopolitical conflicts, and climate change has fundamentally altered how organizations must approach third-party risk. Today’s interconnected, nonlinear risks accelerate faster than traditional risk management frameworks can adapt. The IMF estimates that losses from cyberattacks have more than doubled since the pandemic and quadrupled since 2017—with much of this exposure coming through third-party relationships.

Operational risk has emerged as the top concern: 57% of organizations now cite it as their primary consideration when monitoring subcontractors, up from 40% two years earlier. Meanwhile, the volume and complexity of third-party relationships continue to grow.


Financial services firms that once managed one or two risk verticals focused on third parties now oversee twenty or more. Healthcare organizations rely on vendors for everything from telemedicine platforms to electronic health records, while enterprises across sectors depend on specialized providers for human resources, business intelligence, and supply chain logistics.

Many vendors are embedding AI into their products without their customers' full visibility or understanding. Service providers use AI to enhance delivery, often without clients' explicit awareness. Traditional oversight mechanisms such as SOC 2 reports and generalized risk questionnaires lack the specificity needed to assess how vendors use AI, what data they rely on, and whether adequate controls exist. A SOC 2 report attests to controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy); it does not say which models a vendor runs, what data trained them, or whether customer data is reused for training. These existing tools were not built to address model training transparency, bias mitigation, or data lineage controls.

From Reactive Gatekeeper to Proactive Enabler

The future of third-party risk management lies in a fundamental shift: replacing annual or biennial assessments with continuous monitoring fed by multiple external data streams (financial, cyber, regulatory, and news signals about each vendor). Organizations are beginning to envision AI-powered centralized control towers where predictive analytics continuously update risk likelihood, and AI agents work directly with counterparts at suppliers to draft remediation plans for human review. Such agent-to-agent exchanges are themselves a third-party AI dependency: what data they exchange with the supplier's side, and how that data may be retained or reused, needs the same disclosure and data-handling controls this article calls for elsewhere.

This transformation is already underway through increased centralization. Currently, 57% of organizations use centralized, enterprise-wide third-party risk management (TPRM) programs, recognizing that a centralized approach allows them to connect dots across verticals and see the complete risk picture. For instance, a third party might score highly on cybersecurity controls while simultaneously facing financial distress that would jeopardize its ability to maintain those controls, a connection that siloed approaches would miss.

Organizations with centralized TPRM structures demonstrate greater maturity in critical areas: third-party inventory (58% centralized vs. 39% hybrid), risk models (51% vs. 36%), assessment methodology (49% vs. 33%), and governance oversight (43% vs. 29%). These centralized functions report improved user experience (56%), increased understanding of risks during decision-making (52%), and enhanced data completeness and accuracy (51%).

Managing AI-Specific Third-Party Risks

To gain visibility into vendor AI usage, some organizations deploy tools that analyze DNS traffic and web data to flag potential generative AI use, for example by identifying vendors linked to “.ai” domains or to known AI providers. These are heuristics, not proof: “.ai” is Anguilla’s country-code top-level domain and is registered by non-AI businesses too, a vendor can call a model API through an internal proxy that never appears in the data being analyzed, and a resolved hostname says nothing about which data was sent. Such signals are best used to prioritize follow-up questions rather than to settle them. However, many organizations still rely on manual outreach, creating friction and delays in vendor onboarding. Without updated controls and AI-specific visibility, enterprises risk falling out of compliance with emerging regulations and stakeholder expectations.
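The DNS-based heuristic described above, worked through as an added example (this is not the article's own tooling, and neither the log format nor the provider hostname list is taken from the page): vendor-attributed DNS query lines are scanned for two signals, a query name under the “.ai” top-level domain and a query name that is, or sits under, a known hosted-model API host. The sample log is constructed, the `<timestamp> <vendor-tag> <qname>` format and the `KNOWN_AI_PROVIDERS` set are assumptions, and the matching deliberately uses label boundaries so that a look-alike name such as `notopenai.com` is not flagged.

```python
"""Heuristic detection of generative-AI use in vendor-attributed DNS query logs.

Added example, not the tooling the article describes. The log format and the
provider hostname list are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict

# Assumed: hostnames of well-known hosted-model APIs. In practice this would be
# maintained reference data (with change control), not a hard-coded set.
KNOWN_AI_PROVIDERS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
}

# Anguilla's ccTLD, widely used by AI companies: a weak signal on its own.
AI_TLD = "ai"

# Constructed sample log, one query per line: "<timestamp> <vendor-tag> <qname>".
# The vendor tag is assumed to come from whatever maps source addresses to the
# third party that owns them (a CMDB, firewall zone, or similar).
SAMPLE_LOG = """\
# constructed sample data
2024-05-01T10:00:01Z acme-payroll api.openai.com.
2024-05-01T10:00:02Z acme-payroll cdn.example.net
2024-05-01T10:00:03Z helpdesk-saas chat.vendor-tool.ai
2024-05-01T10:00:04Z helpdesk-saas API.ANTHROPIC.COM
2024-05-01T10:00:05Z logistics-co notopenai.com
2024-05-01T10:00:06Z logistics-co ai.example.com
2024-05-01T10:00:07Z truncated
"""


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often put on FQDNs."""
    return qname.strip().lower().rstrip(".")


def host_matches(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it.

    Matching on a label boundary avoids the substring trap where
    "notopenai.com" would match "openai.com".
    """
    return qname == domain or qname.endswith("." + domain)


def classify(qname: str) -> list[str]:
    """Return the AI-use signals a query name triggers (possibly none)."""
    q = normalize_qname(qname)
    signals: list[str] = []
    if any(host_matches(q, d) for d in KNOWN_AI_PROVIDERS):
        signals.append("known_provider")
    labels = q.split(".")
    # Only the final label is the TLD: "ai.example.com" is not a .ai domain.
    if len(labels) >= 2 and labels[-1] == AI_TLD:
        signals.append("ai_tld")
    return signals


def parse_line(line: str) -> tuple[str, str] | None:
    """Parse one log line into (vendor, qname); None for comments or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 3:
        return None
    _timestamp, vendor, qname = parts
    return vendor, normalize_qname(qname)


def flag_vendors(log_text: str) -> dict[str, dict[str, list[str]]]:
    """Map each vendor with at least one signal to {signal: sorted query names}.

    Vendors with no signals are omitted so the report lists follow-up targets only.
    """
    hits: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        vendor, qname = parsed
        for signal in classify(qname):
            hits[vendor][signal].add(qname)
    return {
        vendor: {signal: sorted(names) for signal, names in signals.items()}
        for vendor, signals in hits.items()
    }


if __name__ == "__main__":
    for vendor, signals in sorted(flag_vendors(SAMPLE_LOG).items()):
        print(vendor)
        for signal, names in sorted(signals.items()):
            print(f"  {signal}: {', '.join(names)}")
```

On the sample data, `acme-payroll` is flagged only for the known provider and `helpdesk-saas` for both signals, while `logistics-co` is not reported at all: its look-alike and `ai.example.com` queries are correctly ignored. The output is a list of vendors to ask about AI use, not a finding; the `ai_tld` signal in particular should be reviewed before any escalation.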

The integration of AI across the vendor landscape requires organizations to fundamentally rethink their risk assessment practices. AI models used by third parties can process sensitive data, automate decisions with wide-ranging impacts, and introduce dependencies that are difficult to audit or govern. Yet the benefits are equally significant, as vendors use AI to deliver new capabilities and efficiencies that can transform business operations.

Effective governance requires revisiting vendor contracts to mandate disclosure when AI is used in service delivery, including when a vendor’s own subcontractor supplies the model. Organizations must scrutinize whether third parties use organizational data to train AI models, requiring clear documentation of data-handling practices, consent mechanisms, and limitations on data reuse. Enhanced due diligence should push vendors to provide transparency on model development, privacy safeguards, bias mitigation, and auditability, potentially through AI-focused addenda to SOC 2 reports or independent attestations such as certification against ISO/IEC 42001, the AI management system standard.

Building AI-Ready Risk Management Capabilities

AI adoption in TPRM remains relatively low, with only 13% of companies achieving optimized technology and automation maturity. Most functions deploy AI at minimal scale, using basic capabilities like optical character recognition rather than exploring transformative applications. Yet organizations express strong ambition to scale adoption, with 31% identifying AI/ML capabilities for enhanced due diligence as their top investment priority.

Centralization and AI reinforce each other. Centralized data harmonization, a prerequisite for any useful AI model, removes the data readiness barriers that stall adoption. In turn, AI gives TPRM managers the capacity to monitor real-time data across the enterprise and the third-party ecosystem. Newer classes of models, including agentic and multimodal systems, promise capabilities that could change what a TPRM function can deliver at a given cost, provided the same AI governance this article asks of vendors is applied to the TPRM tooling itself.

Organizations can unlock immediate value by standardizing on preferred, pre-vetted providers whose AI practices align with responsible AI standards. While complete standardization may be unrealistic, identifying and pre-vetting the small group of vendors representing the majority of third-party usage reduces assessment burden and enables focus on strategic integration. This approach supports economies of scale in training and tooling while aligning TPRM platforms with source-to-pay, contract lifecycle management, and vendor intelligence systems.

Critical Actions for Risk Leaders

Focus on the Enterprise

Understanding obligations at an enterprise level (regulations, board imperatives, investor requirements) and how these translate to third-party risks is essential. Organizations must look beyond specific risks to understand how their ecosystem of third parties impacts overall business objectives. This requires a “risk steward” approach that prioritizes requirements across organizational silos and drives connected, proactive management.

Invest in AI Readiness

Bridging the gap between current capabilities and future ambitions requires thorough assessment of existing processes, tools, and data management practices. This includes improving data quality, standardizing formats, implementing governance, and preparing the workforce through training and upskilling. Currently, about 43% of organizations use multiple questionnaires for different risk domains, sending third parties an average of 55 questionnaires, a clear opportunity for AI-driven streamlining.

Enhance Risk-Tiering Frameworks

Modified risk scoring must account for AI use cases, prioritizing due diligence based on the type of AI deployed, data sensitivity, and potential business impact of failures or misuse. Organizations should incorporate targeted questions about AI model design, training data sources, risk controls, explainability, and monitoring processes during assessments.

Preparing for Tipping Points

Technology history shows repeated examples of sudden tipping points that transform entire industries. The COVID pandemic demonstrated how quickly TPRM components could change when remote work eliminated onsite audits, forcing organizations to embrace technology at scale. We may be approaching similar tipping points for AI adoption in TPRM.

As the number and complexity of third-party relationships swell, the friction and cost of manual assessments change the economics of AI adoption. Organizations conducting thousands rather than hundreds of assessments have a stronger financial incentive to invest in AI and the scale to recoup the investment. Centers of Excellence can provide strategic oversight and institutional coordination, streamlining governance requirements while developing consistent protocols.

Organizations must also stay ahead of evolving regulations such as the EU AI Act, ensuring third-party practices align with regional and sector-specific requirements.

Organizations are already becoming stricter in control assessments. When a vendor is non-responsive, 87% now escalate through enterprise processes (up from 70%), and 29% end the relationship entirely (up from 17%). When risks are identified, 57% now choose a remediation path, compared with only 17% previously.

Is your third-party risk framework ready for the AI revolution?

Learn how to adapt your vendor management strategies for AI-powered suppliers and emerging risks.
