The FAIR Institute Blog

Your Vendors Are Now Thinking

Written by Nick Sanna and Alexander Antukh | Apr 15, 2026 6:06:19 PM

Why Third-Party Risk Has Entered the AI Era

Understanding the Generations of Third-Party Risk Management

 

Cyber Risk Has Moved Beyond Your Perimeter

For CISOs and cyber risk leaders, third-party risk is no longer a governance exercise—it is an operational reality that directly impacts security posture, business resilience, and decision-making.

Authors: 

Nick Sanna
President, SAFE Security | Founder, FAIR Institute

Alexander Antukh
CISO, Aboitiz Power | Board Member, FAIR Institute

 

Today’s enterprise is not just interconnected—it is interdependent. Your environment now includes:

  • Vendors with direct access to sensitive data
  • Service providers embedded into critical workflows
  • Platforms influencing operational continuity
  • And increasingly, AI systems interacting with enterprise data and decisions

The rapid adoption of generative AI platforms such as ChatGPT, Claude, and Gemini has fundamentally changed the nature of third-party risk.

These are not static vendors. They are dynamic systems that:

  • Continuously learn and evolve
  • Process sensitive enterprise data in real time
  • Influence decisions, automation, and outputs
  • Introduce new categories of risk: data leakage, model behavior, and systemic dependency

As a result, the core question for cyber leaders has shifted:

Not: “Are our vendors compliant?”
But: “Do we have continuous control over the risk introduced by our extended—and increasingly AI-driven—ecosystem?”

Answering that requires rethinking how third-party risk management (TPRM) actually works.

Click for larger image

 

The Five Generations of Third-Party Risk Management

TPRM has evolved through five generations. Most organizations operate across multiple generations simultaneously—creating fragmentation and limiting effectiveness.

 

Generation 1: Manual, Compliance-Driven Oversight

The starting point for most programs.

Characteristics:

  • Spreadsheets and email-based questionnaires
  • Periodic vendor reviews
  • Audit-driven processes

CISO reality:
You can demonstrate diligence—but not control.

This model answers: “Did we check the box?”
It does not answer: “Are we exposed right now?”

 

Generation 2: Workflow Automation

To scale operations, organizations moved into GRC-based platforms.

Characteristics:

  • Centralized vendor inventories
  • Standardized workflows
  • Automated questionnaire distribution

CISO reality:
Efficiency improves—but risk understanding does not.

You have better process visibility, but still lack:

  • Real-time insight
  • Business impact context
  • Actionable prioritization

 

Generation 3: Continuous Monitoring

The shift toward external signals and real-time data.

Characteristics:

  • Security ratings
  • External scanning and telemetry
  • Alert-based monitoring

CISO reality:
You now have more data than ever—but not necessarily better decisions.

You are managing:

  • Noise instead of signal
  • Alerts instead of outcomes

Key problem: Without linking signals to business impact, you cannot prioritize effectively.

 

Generation 4: Risk-Based and Quantified TPRM

A major step forward—introducing business context.

Characteristics:

  • Scenario-based risk modeling
  • Financial impact estimation
  • Alignment with enterprise risk frameworks

CISO reality:
For the first time, you can:

  • Translate cyber risk into business terms
  • Prioritize based on materiality
  • Engage executives with credibility

But limitations remain:

  • Assessments are still periodic
  • Data is often manually aggregated
  • AI vendor risk is not fully addressed

 

Generation 5: Autonomous, Continuous Risk Management

This is where TPRM becomes operationally aligned with how risk actually behaves.

Characteristics:

  • Continuous ingestion of internal and third-party data
  • Real-time risk evaluation and prioritization
  • Automated assessment and remediation workflows
  • Persistent alignment to business impact

And critically for the AI era:

  • Configuration awareness (How AI systems are set up)
  • Data awareness (What data is being shared)
  • Activity awareness (Prompts, outputs, logs, usage patterns)

CISO reality:
This is the first model that allows you to:

  • Keep pace with dynamic risk
  • Scale without linear headcount growth
  • Move from reactive to proactive control
  • Operationalize risk-based decision-making

 

Why This Shift Is Now Urgent

For cyber leaders, this evolution is not theoretical—it is driven by four hard realities:

 

1. Scale Has Broken Traditional Models

You are no longer managing dozens of vendors—but thousands.

And now:

  • Every team is adopting AI tools
  • Many are unsanctioned or poorly governed

Manual and periodic models simply cannot keep up.

 

2. Risk Moves Faster Than Your Processes

Risk is no longer episodic. It changes continuously through:

  • Vulnerabilities
  • Misconfigurations
  • Threat activity
  • AI model behavior

If your assessments are point-in-time, your understanding is outdated the moment it’s produced.

 

3. AI Vendor Risk Is a New Class of Exposure

AI introduces risks that traditional TPRM was never designed to handle:

  • Sensitive data leakage through prompts and APIs
  • Lack of transparency into model decision logic
  • Outputs influencing critical business decisions
  • Continuous evolution of model behavior

Unlike traditional vendors, AI systems are:

Persistent, adaptive risk surfaces

Which means:

Your risk management must be equally continuous and adaptive.

 

4. Expectations Have Changed

CISOs are now expected to:

  • Quantify cyber risk in business terms
  • Demonstrate continuous oversight
  • Govern AI-related risks explicitly
  • Support faster, defensible decision-making

This is no longer about reporting—it is about operating risk management as a core business function.

 

Key Questions Cyber Leaders Must Now Answer

To operate effectively in this new environment, CISOs and risk leaders should be able to answer:

Visibility
Do we have a real-time, enterprise-wide view of third-party risk—including AI usage?

Materiality
Can we quantify the business impact of our most critical vendor and AI dependencies?

AI Risk Exposure
Where are AI systems embedded in our workflows—and what risks do they introduce?

Data Governance
What data is being shared with AI vendors—and how is it controlled?

Continuous Control
Are we monitoring configuration, behavior, and usage—not just compliance?

Scalability
Can we scale risk management alongside vendor growth and AI adoption—without scaling cost and complexity?

 

The Real Shift: From Managing Vendors to Operating Risk

At its core, the evolution of TPRM reflects a deeper transformation in cybersecurity:

  • From manual → automated
  • From periodic → continuous
  • From reactive → proactive
  • From process → outcomes
  • From vendor-centric → ecosystem-aware

For CISOs, this is not just a tooling shift—it is an operating model shift.

 

Closing Perspective

Third-party risk is no longer a supporting function. It is a primary driver of enterprise risk exposure.

The rise of AI has accelerated this transformation:

  • AI vendors are now embedded in core workflows
  • They influence decisions, data flows, and automation
  • They introduce new, systemic forms of risk

Traditional TPRM approaches were not built for this reality.

Going forward, the defining capability of leading cyber organizations will be:

The ability to continuously understand, quantify, and manage risk across an extended, AI-driven ecosystem.

The question for CISOs is no longer whether third-party risk is important.

It is:

Are we operating a model that can keep up with how risk actually behaves today?

 

Interact with your professional peers in redefining cyber risk management. Join us with a FAIR Institute Individual   Membership




 
View full post