From Compliance Theater to Decision-grade TPRM: 5 CISO Takeaways from FAIRCON25


TPRM programs can look “compliant” on paper while quietly failing at the one thing that boards and the C-suite actually care about: reducing material business risk. This panel at the 2025 FAIR Conference cut through the checkbox distractions and offered a pragmatic blueprint for modernizing third-party risk management with quantitative methods, better governance, and AI used in the right places.

Watch the video now:

Modernizing TPRM with AI and FAIR - Panel at FAIRCON25

PANELISTS

Ed Amoroso, Former CISO of AT&T, CEO of TAG Cyber

Matthew Modica, CISO, BJC Health System

Lindsay Baker, Staff Risk & Compliance Engineer (GRC), Instacart

Neema Wasira-Johnson, Founder & CEO, Asili Advisory Group LLC

MODERATOR

Michael Coden, Senior Advisor, BCG

Here are five insights CISOs can take back to their teams:

1) Your “top vendors” intuition is often backwards—the long tail can hurt you faster

A common failure mode: teams pour energy into the obvious “critical” vendors while the broader ecosystem remains lightly assessed, inconsistently monitored, and operationally under-controlled.

“When you do the math, you realize that your instincts are probably wrong about TPRM,” Ed Amoroso said. “It’s that long tail that will eat you much more quickly.”

Why CISOs care: This is a resilience problem, not a paperwork problem. If you don’t have a scalable way to triage and monitor the long tail, you’re building blind spots into the program by design.

2) Translate vendor risk into business outcomes (dollars, downtime, safety)—not colored heatmaps

The panel repeatedly emphasized that executives don’t need more “orange/red/green.” They need consequences, options, and tradeoffs expressed in business language.

“We lead with business outcomes,” Lindsay Baker said. “We don’t lead with risk posture or alarm…We also quantify our impact in dollars and not just scores.”

Matthew Modica gave a particularly pointed example of prioritization from the health industry’s point of view: “Would you rather I report on how many vulnerabilities that a (vendor) company has or that the company supplies 20% of the blood supply to our hospitals.”

Why CISOs care: When TPRM connects to loss exposure, mitigation cost, and operational impact, it stops being compliance theater and becomes a decision system.

3) Give AI the “heavy lift” work—humans keep the judgment and accountability

The panel’s most practical AI guidance was also the simplest: use AI where it accelerates analysis, consistency, and scale—but don’t outsource the actual risk decision.

Instacart uses AI in TPRM to analyze all the SOC reports, the penetration tests, the audit certifications and to scrape a vendor’s public pages for terms of service, etc. and compare all the findings to a baseline of controls. “That way, all our vendors are speaking in the same terms,” Lindsay said.

Why CISOs care: This is the path to scaling coverage without scaling headcount—while still keeping a human accountable for accept/avoid/mitigate decisions.

Lindsay Baker, Instacart

4) If you use AI, you need monitoring for drift, hallucinations, and traceable evidence

The FAIR Conference panelists weren't starry-eyed on AI. “AI does tend to hallucinate and it will make things up,” Lindsay said. Panelists pointed out the predictable failure modes and what governance looks like in practice: digging into citations, spot checks of output, and “babysitting” models.

Why CISOs care: If you’re going to defend decisions to auditors, regulators, customers, or a board, you need provenance and controls around the AI workflow—not just speed.

5) Some vendors won’t cooperate—so plan for “no,” alternative telemetry, and outside-in monitoring

This came up via an audience question: Large vendors may refuse to upload documentation, share reports, or play nicely with your third-party risk management tools. The panel’s answer: treat non-cooperation as a risk signal, exercise leverage where you can, and use alternative data (threat intel, outside-in scans, etc.) when you can’t.

Why CISOs care: Vendor transparency is part of trust. When you can’t get it, you need contract leverage, monitoring, and internal controls that reduce exposure anyway.

More tips from the panel:

  • Pick a small set of vendors and do your own quantification to pressure-test current rankings.
  • Map third parties to critical workflows and dependencies, not just vendor categories.
  • Use AI with guardrails: automate evidence review, require citations, sample outputs, monitor drift. “Use AI for sure but please provide governance and oversight,” Neema Wasira-Johnson said. “Don’t trust this thing to tell you what’s going on in your organization, specifically your risk and your mission statement.”
