AI usage and third-party risk

AI is quickly becoming a core part of how third parties operate, from customer support and data analysis to product development and decision-making. That rapid adoption is introducing new risks TPRM teams are still learning how to assess, including unclear data usage, limited transparency into AI models, and evolving regulatory expectations.

At the same time, TPRM teams are exploring AI themselves to help scale vendor reviews, reduce manual effort, and keep pace with growing vendor ecosystems. This section highlights how organizations are grappling with AI-driven third-party risk and how far TPRM programs have progressed in adopting AI-powered tools to manage it.

• AI is already being used in core TPRM functions like sourcing and planning (46% adoption in an EY survey), and its role in due diligence and contract monitoring is expected to grow significantly over the next two years. (EY)
• While AI is one of the top investment themes for risk teams heading into 2026., fewer than one in seven TPRM teams (13%) has fully matured automation capabilities. (EY)
• 23% of organizations do not monitor vendor AI usage, down from 37% in 2024. Vendor AI risk is now a top emerging concern in TPRM programs. (Venminder)
• 54% of organizations say their top goal in investigating AI for TPRM is to speed up questionnaire completion by automatically completing responses using existing questionnaires and available evidence. (Prevalent)
• While over 50% of respondents are not currently using AI in risk monitoring, more than half acknowledge the need to monitor for AI-related risks, indicating a growing awareness of technology's impact on risk management. (Supply Wisdom)
• AI-driven assessment augmentation is a top modernization priority for TPRM teams in 2026. (Whistic)

Best practices in TPRM

With evolving risks and regulations, organizations must create adaptable TPRM strategies. This section highlights the latest best practices in third-party risk management, offering insights into how leading companies are navigating today’s challenges and mitigating risk.

• 86% of organizations have a defined set of criteria to identify their critical vendors. (Venminder)
• 99% of organizations say vendor experience is important during assessments. (Whistic)
• The top three challenges organizations are facing regarding TPRM are getting the right documents from vendors (48%); lack of internal resources (36%); and time management (27%). (Venminder)
• Only 48%  of organizations have exit strategies or contingency plans for high-risk third parties, leaving more than half unprepared. (EY)
• 45% of survey respondents are increasing the diversity of their suppliers to meet ESG goals. (EY)
• 23% of survey respondents said if a key supplier did not meet their ESG requirements, they would stop working with that supplier. (EY)
• 23% of companies say cyber threat and vulnerability risk mitigation is lacking from their risk monitoring program.  (Supply Wisdom)
• 89% of TPRM programs assess non-cyber risks or will soon begin doing so. Privacy was cited as the most-common non-cyber risk factor considered within the scope of TPRM programs (85% of respondents). Other factors include operational risk (65%), financial ratings (64%), regulatory sanctions (61%), environmental and social governance (47%), and geopolitical risk (39%). (RiskRecon)

Third-party risk assessment trends

Knowing your third-party risks is one thing; assessing them properly is another. How often are companies assessing their partners? What factors are they prioritizing, and what challenges do they face? This section covers the most up-to-date statistics on third-party risk assessments, giving you insight into the methods and frequency companies are using to stay ahead of potential threats.

• 75% of organizations use customized security questionnaires, down slightly from 79%. (Whistic)
• 83% use a centralized vendor document exchange to reduce assessment friction, and 88% leverage security ratings as part of assessments. (Whistic)
• 74% accept previously completed standards such as SIG, ISO, and CAIQ in place of new questionnaires. (Whistic)
• Nearly 50% of the companies surveyed do not rank their vendors and third-party providers by risk level at all. (Supply Wisdom)
• Only 36% of respondents say that before starting a business relationship that requires the sharing of sensitive or confidential information their company evaluates the security and privacy practices of all vendors. (RiskRecon and Ponemon Institute)
• Respondents reported assessing or monitoring only 33% of their vendors. (Prevalent)

• About half (47%) of respondents say they do not conduct evaluations because of third parties’ requirement to comply with data protection regulations (RiskRecon and Ponemon Institute)
• Only 29% of companies remediate risks found during the vendor sourcing and selection stage. (Prevalent)
• 49% of organizations report their current method for assessing third-party risk is not able to assess risk at every stage of the vendor lifecycle. 51% say their current method is not able to deliver the automation and reporting necessary to efficiently demonstrate compliance. (Prevalent)
• 66% of the respondents have formal processes in place to assess residual risk. However, the remaining 34% either don’t have an established process or are uncertain about residual risk in the context of third-party risk management. (Venminder)
• 51%  of organizations maintain an integrated resiliency plan for critical third parties, 47% conduct integrated resiliency testing, and 45% perform scenario analysis. (EY)
• Only 44% of respondents say their organizations conduct audits and assessments of third-party data handling practices (RiskRecon and Ponemon Institute)

Vendor security questionnaire usage

Vendor security questionnaires remain a foundational tool for evaluating third-party risk, but how are organizations using them in 2026? In this section, we break down the current trends in questionnaire usage.

• Security questionnaires are the most popular method of assessing third-party risk, with 84% of respondents using them. (RiskRecon)
• Questionnaires are the primary assessment bottleneck within TPRM programs, and organizations are increasingly supplementing questionnaires with external data sources. (Whistic)
• Up to 75% of vendors either do not answer security questionnaires or fail to do so in a timely manner. (Viso Trust)
• 35% of TPRM programs include at least 100 questions in their vendor questionnaires.  (RiskRecon)
• 57% of TPRM programs use custom security questionnaires, versus just 18% that use an industry standard such as a SIG questionnaire. 42% use a modified industry standard. (RiskRecon)
• Only 4% of respondents say they’re highly confident that vendors are actually meeting security requirements based on their questionnaire responses. (RiskRecon)

• 52% of companies say it takes 31-60 days to perform control assessments of third parties. 38% say it takes 61-90 days, while just 8% can perform control assessments within 7-30 days. (EY)
• 77% of organizations send between 101 and 350 questions on third-party control assessments. (EY)

Ongoing third-party risk monitoring

Monitoring your vendors isn’t a one-time task; it requires constant monitoring. In this section, we look at the importance of ongoing third-party risk monitoring and the ways companies are keeping an eye on vendor risks over time to ensure partners remain secure and compliant.

• Annual or quarterly assessments are no longer sufficient to detect active threats, according to breach intelligence analysis. (SecurityScorecard)
• Only 32% of respondents say their organization maintains a comprehensive inventory of third-parties with whom it shares sensitive information. 61% of respondents say their organization does not have such an inventory, and 6% are unsure. (RiskRecon and Ponemon Institute)
• Nearly 90% of companies track risks from the sourcing and selection phases, but fewer than 80% track service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle. (Prevalent)
• 50% of survey respondents say their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, or they are unsure. The primary reason for not monitoring is confidence in the third party’s ability to secure information (49%). (RiskRecon and Ponemon Institute)
• Of the 50% of respondents that say their companies do monitor the security and privacy practices of third parties to ensure the adequacy of these practices, 53% do so via random tests or spot checks. (RiskRecon and Ponemon Institute)
• 28% of organizations review and re-assess vendor risk on an annual basis. (Venminder)

Nth party and downstream risk trends

It’s not just about who you directly work with—your third parties have their own network of vendors and partners. These "Nth party" or downstream risks can create ripple effects for your business. Here, we’ll take a look at the statistics surrounding Nth party risks, highlighting how far the chain of risk extends and why it’s a growing concern in 2026.

• Fourth-party breaches now account for 4.5% of all breaches, creating cascading downstream failures. (SecurityScorecard)
• 12.7% of third-party breaches extended into fourth-party incidents. (SecurityScorecard)
• 59% of organizations currently examine and assess their vendors’ third-party risk management practices to manage fourth-party risk. (Venminder)
• Only 10% of organizations conduct direct risk assessments of fourth parties. 27% do not assess or monitor fourth parties at all. (Venminder)
• Only 39% of survey respondents say their third parties’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach and only 40% say they are sufficient to prevent a data breach. (RiskRecon and Ponemon Institute)
• Only 36% of respondents say their organizations are notified when third parties share their information with Nth parties with whom they have no direct relationship. (RiskRecon and Ponemon Institute)
• Only 29% of respondents say their organizations have visibility into Nth parties that have access to sensitive and confidential information. Of this 29%, 56%say this visibility is due to reliance upon contractual agreements and 53% of respondents say they trust the third party to notify their organizations when their data is shared with their Nth parties. (RiskRecon and Ponemon Institute)
• More than half of respondents say they are relying upon the third party to notify their organization when data is shared with Nth parties. (RiskRecon and Ponemon Institute)
• Of organizations that experienced a third-party data breach, 38% say the breach was caused by an Nth party, indicating the flaws in third-party security controls in place for Nth parties. (RiskRecon and Ponemon Institute)
• North American companies use fewer third-party & Nth party vendors than European companies. 47% of European companies report vendors in as many as 49 countries, compared to 22% of North American companies who said the same. (Supply Wisdom)
• Foreign subsidiaries are twice as likely to be breach sources as domestic ones. (SecurityScorecard)

TPRM tools and technology adoption

Managing third-party risk is a complex task, but the right tools and technologies can make it significantly easier. This section breaks down the numbers on how organizations are leveraging automation, artificial intelligence, and other solutions to improve their TPRM processes and stay on top of an evolving risk landscape.

• 64% of organizations now use a dedicated TPRM software platform, up 19% year over year. 12% of organizations still rely primarily on spreadsheets for vendor risk management. (Venminder)
• Organizations using automation report greater assessment throughput without added headcount. (Whistic)
• 45% of TPRM leaders stated that continued investment in technology, automation, and data for TPRM is important. (Deloitte)
• 77% of respondents now rely on software with vendor management features and functionality to streamline the management of vendor risk. (Venminder)
• Only 14% of procurement and 13% of supplier management professionals report using continuous monitoring tools to assess suppliers. (Supply Wisdom)