Table of Contents
According to the Ncontracts 2026 State of Third-Party Risk Management Survey, AI vendor risk has tied cybersecurity as the top third-party concern among financial institutions.
That alone is a significant data point. But the finding that really caught my attention was this: 72% of respondents said they only have a partial picture of which vendors are actually using AI. And not a single organization reported feeling extremely confident in its ability to manage AI-related vendor risk.
I’ll be honest: I’m skeptical of the 28% who think they have the full picture, too.
The short answer: Most organizations cannot manage AI vendor risk because their third-party risk management fundamentals are not in place. Weak coordination between the business and TPRM, programs focused on process instead of risk, and incomplete vendor data make AI visibility unreliable. Managing AI third-party risk starts with fixing those fundamentals.
To me, this data doesn’t just highlight a gap in AI oversight. It points to something more fundamental about how most third-party risk management (TPRM) programs operate. Here’s what I mean.
Why the 72% Is Actually Worse Than It Looks
The visibility gap around which vendors are using AI is real, but it is more complicated than it appears on the surface.
Part of the problem is definitional. Many vendors can’t answer the question accurately because things are moving so fast they don’t even know. AI is increasingly embedded in the components, sub-processors, and third-party models (your fourth parties) that sit underneath the products and platforms your vendors sell you. Their own engineering team may not have full visibility into every layer of their stack. So it’s hard to know whether the answers they provide are even accurate. The security world has a name for part of this problem: shadow AI. And it lives in your supply chain too.
But the deeper issue is that poor AI visibility is really a symptom of broader governance failures that have existed in TPRM programs long before AI became a concern. The coordination between the business and TPRM is still a mess. The focus remains on process management rather than actual risk management. And there is no reliable single source of truth on third parties. These are not new problems. AI is just making them harder to ignore.
The Governance Problem Behind the Data
When I look at data like this, the same governance problems show up every time. Even if every vendor could give you a perfect answer tomorrow, most programs would still struggle in these three areas.
Cross-Functional Coordination
Business units are onboarding vendors, renewing contracts, and expanding scope with existing vendors, and TPRM does not always know about it. This is not unique to AI vendors. It is a chronic coordination gap that affects the entire vendor population. And coordination alone is not enough. Accountability matters too.
TPRM functions are often in the difficult position of trying to identify risks tied to vendor relationships they do not control. Without clear accountability from business owners for the vendors they manage, TPRM is often left monitoring risk it has no ability to influence.
Risk vs. Process Management
When TPRM teams are managing hundreds of vendor relationships with lean staffing, process becomes the focus by necessity. Assessments get completed, documentation gets filed, and the program keeps moving. But completing activities is not the same as managing risk.
AI introduces an entirely new risk domain that needs to be deliberately defined and integrated into the program from the ground up: from establishing a risk appetite for AI-related exposure (the NIST AI Risk Management Framework is a useful anchor here), to working it into inherent risk scoring, to knowing what to look for in due diligence and how to handle risk acceptance when the answers are incomplete. That kind of integration takes more than new questions. It takes a better strategy.
Master Data Management
Before an organization can answer “which of our vendors are using AI,” it has to first be able to answer a more basic question: do we have a complete and accurate picture of all the vendors we are working with?
In most organizations, vendor data lives across multiple systems (procurement, contracts, risk, finance) and the picture is rarely complete. Vendors slip through the cracks, relationships expand without being formally tracked, and what looks like a vendor inventory is often more of a partial list. Fixing the AI visibility problem starts with fixing the data foundation underneath it.
Getting Serious About the Fundamentals
More AI-specific questions on a vendor assessment will not fix any of this. Neither will a new technology platform, at least not on its own. What actually fixes this is getting serious about the fundamentals that support a well-functioning TPRM program.
That starts with clear roles, responsibilities, and governance structure. Everyone involved in a vendor relationship (the business owner, procurement, legal, information security, and TPRM) needs to understand what they are accountable for and when. Without that clarity, no one owns the question of which vendors are using AI, which means no one is positioned to answer it.
We see this play out in real engagements. At a pharmaceutical company we work with, the ask was to help select new vendor management technology and project manage the implementation. In a follow-up conversation, their team raised something bigger: they had an AI bot in the mix, and they wanted to think through what it should be doing, what needed governance, and where human judgment still had to sit. That question did not surface through an assessment. It surfaced because the right folks were finally in the same room.
Getting there also requires an operating model that supports cross-functional collaboration rather than working around it. AI-related vendor risk does not surface through TPRM alone; it surfaces when the business and TPRM are operating from the same playbook. That kind of engagement does not happen organically. It has to be designed into how the program operates.
And it requires a deliberate shift in mindset from process completion to risk management. AI is not just a new set of questions to add to an assessment. It is a new risk domain that needs to be defined, prioritized, and integrated into how your program makes decisions, from risk appetite to due diligence to risk acceptance.
Final Thoughts
The survey data is a useful snapshot, but the real story is underneath it. When not a single organization feels extremely confident managing AI-related vendor risk, the answer is not to add more questions to an assessment. It is to step back, look honestly at the fundamentals, and rework the program so it is actually structured to manage risk.
The organizations that close that gap will be the ones that do the foundational work to know their vendor population, engage their business partners, and run a program oriented around managing risk rather than simply documenting it.
FAQ: AI Third-Party Risk Management
What is AI vendor risk?
AI vendor risk is the exposure an organization takes on when its third parties use artificial intelligence to deliver products or services. That includes AI embedded in vendor platforms, third-party models running underneath them, and sub-processors using AI without disclosure. It spans data privacy, accuracy, bias, security, and compliance, and it has to be managed inside your broader third-party risk management program, not beside it.
How do you find out which of your vendors are using AI?
Start with an accurate vendor inventory; you cannot assess a population you have not fully identified. Then ask directly in due diligence and at renewal, have vendors disclose material AI use (including sub-processors and embedded models), and treat every answer as a point-in-time snapshot. Many vendors genuinely do not know, so pair their answers with clear contract language about notification when AI use changes.
Does AI need its own vendor risk assessment?
Not a separate one. AI is a new risk domain that belongs inside your existing program: reflected in your risk appetite, factored into inherent risk scoring, addressed in due diligence, and handled through risk acceptance when answers are incomplete. A bolt-on AI questionnaire without that integration produces documentation, not risk management. The same discipline applies when you are using AI inside your own vendor management function.
What is shadow AI in third-party risk?
Shadow AI is the use of artificial intelligence without an organization’s visibility or approval. In a third-party context, it means vendors (or their sub-processors) adopting AI in the products and services you already buy, without disclosure. It is a major reason 72% of organizations in Ncontracts’ 2026 survey say they have only a partial picture of vendor AI use: the AI entered the relationship after the contract was signed.
Where should a TPRM program start on AI risk?
Start with the data foundation: one complete, accurate picture of your vendor population. Then establish clear ownership, so a named business owner is accountable for each vendor relationship and the AI question has someone positioned to answer it. Define your AI risk appetite and work it into scoring and due diligence from there. Questions on an assessment come last, not first.