How AI navigates third-party risk in a rapidly changing risk landscape

TPRM functions need new ways of operating to address the competing pressures of the new risk environment, the increasing number and complexity of third-party relationships, and the need to do more with less. TPRM transformation is a journey, from seeking marginal efficiency gains at the near end, to fundamental transformation at the other. Companies have been on this journey for a while, most notably with the drive toward increased centralization. The emergence of AI provides an opportunity to both accelerate centralization and transform TPRM.

TPRM centralization has started companies on the path to greater efficiency

Continuing a multi-year pattern, the 2025 survey shows a trend toward increased centralization of TPRM. A growing number of organizations use centralized, enterprise-wide TPRM programs (57% in 2025, up from 54% in 2023).

TPRM centralization offers many benefits. It reduces friction points; instead of reaching out to the same third party multiple times, often with duplicative and partially redundant requests, outreach can be done once and in a coordinated, streamlined way. The survey data suggest that many organizations could benefit from such streamlining. When performing control assessments, about four in ten companies (43%) still use multiple questionnaires for different risk domains. They send third parties an average of 55 questionnaires. Add to this the compliance burden of each additional questionnaire (45% of respondents say that control assessment questionnaires have 101 to 200 questions, while another 36% have between 201 and 350 questions) and it’s apparent there’s much room for a centralized approach to reduce the compliance burden and friction points with third parties.

Critically, centralized TPRM allows for better coordination and more holistic risk assessment. “A centralized approach to TPRM allows an organization to connect dots across verticals and see the big picture,” says Rohit Mathur, EY Global Risk Consulting Strategy Leader and EMEIA Risk Consulting Leader, “For instance, an organization’s Cybersecurity team may be monitoring a third party with respect to cyber risk. That third party might have robust cyber controls and score highly with respect to cyber risk. But the party may simultaneously be hemorrhaging money, with a high likelihood of bankruptcy in the next six months — which would obviously jeopardize its ability to invest in cyber controls going forward. If the organization does not connect dots across cyber and financial risk, it would miss the overall picture.”

The benefits of centralization are visible in the survey data. Ninety-two percent of organizations with a centralized TPRM structure have directly invested in improving and optimizing the program's capabilities and effectiveness. The key benefits reported from this maturation include a better user experience (56%), increased understanding of risks during the decision-making process (52%), completeness and accuracy of data (51%) and standardization (51%). 

Centralized TPRM structures also show greater maturity several key areas when compared to hybrid structures. They are more mature in third-party inventory (58% centralized vs. 39% hybrid), risk models (51% centralized vs. 36% hybrid), assessment methodology (49% centralized vs. 33% hybrid), policies and standards (46% centralized vs. 31% hybrid), and governance and oversight (43% centralized vs. 29% hybrid).

AI is a value catalyst and opportunity to reinvent TPRM

AI has tremendous potential to disrupt TPRM, enabling not just greater efficiencies but also a fundamentally different approach to identifying, monitoring and managing third-party risks.

The early use cases adopted by companies will often focus on using AI to automate existing manual processes and generate operating efficiencies. This includes streamlining repetitive tasks — such as data collection, initial risk assessments and vendor onboarding — and speeding up risk assessments. Beyond this, the true potential of AI is not in automating existing processes as much as in deploying it to create value by conducting TPRM in fundamentally different ways.

Consider how AI could create significant efficiencies and reinvent traditional ways of working, across different stages of the TPRM life cycle:

• Vendor identification: Instead of manually compiling vendor lists, AI uses algorithms to scan databases and identify vendors based on predefined criteria, making the process faster and more comprehensive.
• Risk assessment: AI models assess risks based on historical data and predictive analytics, providing objective risk scores.
• Due diligence: AI replaces slow and labor-intensive manual document reviews with automated collection and analysis of vendor documentation, such as financials and compliance records.
• Contract negotiation: AI analyzes contract terms using natural language processing (NLP) to identify risks and suggest improvements based on best practices.
• Onboarding: AI streamlines the onboarding process through automated workflows and checklists, while solidifying compliance with requirements.
• Monitoring: AI continuously monitors vendor performance using real-time data analytics and alerts for any anomalies or compliance issues.
• Incident management: AI utilizes predictive analytics to identify potential incidents before they occur and conducts scenario analysis to foresee “domino-effect” risks that may be hidden in more linear and siloed approaches.
• Training and awareness: AI provides personalized training modules based on individual employee needs and learning styles.

Despite its potential, AI adoption in TPRM is still relatively low. Only 13% of companies have optimized technology and automation within their TPRM programs (or achieved “Level 5” maturity).

“AI usage is in its infancy,” says Gennarini. “So far, most TPRM functions are only deploying AI at low scale and are using capabilities that have been around a long time, such as optical character recognition (OCR) in document search.”

The new generation of AI models, including agentic AI, will move from seeking incremental operating efficiencies to conducting TPRM in fundamentally different ways. For instance, instead of just using OCR and NLP to review contractual terms, a world of AI agents could enable agents to work directly with agents at third parties to negotiate contracts based on market data, business objectives and governance/regulatory requirements. After human review, finalized agreements could be encoded as smart contracts on the blockchain, ensuring transparency and security, as well as automated monitoring of compliance and execution of milestone payments.

The good news is that TPRM functions have the desire to invest in AI and data analytics. The top driver of future investment in TPRM programs is “AI/ML capabilities for enhanced due diligence and contract performance/monitoring” (31% of respondents), while “Data-driven approach to monitor third parties” is second (28%) and “Automation of due diligence for efficiency and heightened risk management purposes” is third (27%).

AI and centralization can catalyze each other

A number of factors hinder more extensive adoption of AI and centralization in TPRM.

Fragmented organizational structures and misaligned incentives lead to a disjointed approach and impede achieving the full value potential of centralization. TPRM is typically not led by a C-level officer; instead, it is a few levels down from C-suite. It is often dispersed across business unit leaders, who only have the remit, incentives and budget to address it within their vertical — rather than to align with other business units and approach it holistically across the enterprise.

While the factors responsible for low AI adoption vary from company to company, common challenges include cost considerations, lack of expertise and data readiness. Furthermore, the breadth and complexity of TPRM makes integrating AI solutions into existing TPRM processes and workflows a difficult undertaking.

The symbiotic relationship between centralization and AI can help overcome some of these barriers and accelerate adoption. For instance, a key pillar of centralized TPRM is harmonizing and centralizing data across the verticals of the organization — but this is also a key prerequisite for AI, so it could help overcome the barrier of data readiness and accelerate AI adoption. By the same token, AI can catalyze centralization, by providing TPRM managers the capabilities to monitor real-time data across the enterprise and third-party ecosystem. 

Business and risk leaders can these three actions to accelerate the transformation of TPRM and achieve the full value potential of centralization and AI adoption:

1. Focus on the enterprise

TPRM is conducted in different verticals of the enterprise, which are structured and incentivized to focus on different metrics. Procurement may track contract compliance and vendor performance. Cybersecurity may be focused on incident response time and cost of breaches. Supply chain may care about supplier compliance and resilience metrics.

Yet, realizing the full potential of AI and centralization requires understanding your obligations at an enterprise level — such as regulations, board imperatives, or investor imperatives — as well as how these translate to third-party risks and connect to the metrics of individual business units. If you are only looking at specific risks, instead of how your ecosystem of third parties could impact the overall business, you are narrowing your view and may set yourself up for suboptimal decision making.

We’ve written previously about the concept of a “risk steward” — someone who is charged with prioritizing risk management requirements across your organizational siloes and driving a connected, proactive risk management approach. TPRM is a true horizontal that cuts across the enterprise, with every internal function having a mirror third-party impact. It would benefit tremendously from a risk steward approach.

2. Invest in AI readiness

The survey responses show that AI adoption in TPRM is low, but that organizations have the ambition to scale up adoption in the years ahead. Bridging that gap and achieving that ambition requires investing in AI readiness.

This includes a thorough assessment of existing TPRM processes, tools, and data management practices to identify gaps and areas for improvement in preparation for AI integration. It includes investing in data readiness to improve data quality, standardizing data formats and implementing data governance. It includes preparing the workforce, by closing skills gaps and investing in training and upskilling.

Critically, it includes monitoring trends, both to keep pace with emerging best practices in TPRM, as well as to prepare for the next waves of AI.

3. Question assumptions and accelerate tipping points

“A decade ago, most companies had policies prohibiting their data from ever touching the public cloud, because of the fear factor of the technology,” says Kawther Haciane, EY MENA Digital Risk Leader. “Today, the script has flipped. Companies everywhere are ‘cloud first’ — everything has migrated to the cloud, and exceptions have to justify why they shouldn’t be on the cloud. What happened? We reached a tipping point, the assumptions and economics flipped, and it triggered mass adoption.”

Indeed, technology is replete with examples of such tipping points — while the new risk environment is accelerating the pace of nonlinear change, making tipping points increasingly likely. Consider how the launch of ChatGPT upended assumptions about the capabilities of GenAI, and the time frames in which they could be achieved. Or consider something closer to home for TPRM functions: how the COVID pandemic transformed some components of TPRM almost overnight, as the shift to remote work removed the ability to do onsite audits, forcing organizations to embrace technology at scale.

We may now be approaching a similar tipping point for AI adoption in TPRM. As the number and complexity of third-party relationships has swelled in recent years, so too has the friction, pain and cost of doing third-party risk assessments manually. But this is also changing the economics of AI adoption. Once you are doing assessments at larger scale — in the thousands instead of hundreds — you have an increased financial incentive to invest in AI, as well as the expanded scale with which to recoup those investments.

An even bigger tipping point may be imminent in the advancement of the technology. The new generation of AI models — including agentic AI, multimodal AI, reasoning AI, and self-improving AI — are bringing breakthrough capabilities, and combining them could be a game changer for TPRM. This could challenge cost-benefit calculations and make the value proposition of AI irresistible.

The tipping points discussed above have one thing in common: they took most companies by surprise, requiring them to scramble and put together an often-hurried response. But there is another path. By anticipating a tipping point, you can prepare your organization for it. Even better, you can accelerate the shift by taking the steps identified above, to invest in the future, fix misaligned incentives, and realign organizational structures.

TPRM exists to ensure that the rest of the organization isn’t caught unawares by external disruptions. Now, more than ever, it may need to apply that focus to itself.