SecureWorld News

From Compliance to Confidence: How AI Is Reshaping Third-Party Risk

Written by Cam Sivesind | Tue | May 13, 2025 | 11:29 AM Z

As geopolitical instability, supply chain disruption, and cyber threats continue to escalate, third-party risk management (TPRM) is evolving from a compliance function to a strategic business imperative. The 2025 EY Global Third-Party Risk Management Survey highlights a critical shift: organizations are increasingly turning to artificial intelligence to manage growing risk complexity, but many still struggle to operationalize TPRM at scale.

For cybersecurity professionals, the implications are clear: AI-driven TPRM isn't optional—it's foundational to protecting enterprise systems and sensitive data in an interconnected digital economy.

According to the EY survey, 87% of organizations have experienced a third-party risk incident in the past three years. These events span cyber breaches, regulatory non-compliance, and reputational damage—often stemming from misaligned or insufficient due diligence.

"The number of third-party relationships is ballooning, but most organizations still rely on manual, outdated tools to monitor risk," says Greg Smith, EY Global TPRM Leader. "That gap is where both exposure and opportunity live."

Third-party cyber risk is no longer confined to the IT function. With attackers exploiting supply chain vulnerabilities—like those seen in the MOVEit and SolarWinds attacks—TPRM must become cross-functional, with CISOs and security teams playing a pivotal role.

Key EY survey findings include:

  • 46% of organizations still use spreadsheets to manage third-party risks.

  • 49% conduct risk assessments only during onboarding—not continuously.

  • Only 25% of respondents felt "very confident" in their ability to detect emerging third-party threats.

This reactive posture is incompatible with the velocity of today's threats.

AI as a force multiplier

The survey reveals that AI adoption in TPRM is accelerating, with 63% of organizations either using or piloting AI tools for vendor risk scoring, contract analysis, and continuous monitoring.

"AI is transforming TPRM from a backward-looking compliance activity into a forward-looking, predictive discipline," notes Smith. "It allows organizations to model complex scenarios, reduce false positives, and act on real risk—not just red tape."

Common AI applications cited include natural language processing (NLP) to scan contracts and flag non-compliance; machine learning models to analyze historical risk events and predict new ones; and automated alerts tied to ESG, financial health, and geopolitical changes.

Despite growing enthusiasm, EY cautions that less than a third of companies have a mature, enterprise-wide TPRM program. Roadblocks include siloed ownership, lack of skilled talent, and poor integration between risk, procurement, and IT functions.

"Technology is only as effective as the governance around it," the report states. "Without executive buy-in and clear accountability, even the best tools fall flat."

The report offers several recommendations to elevate third-party cybersecurity management:

  1. Integrate TPRM and cyber risk functions into a unified governance structure.

  2. Invest in AI-powered platforms that provide real-time risk scoring and threat intelligence.

  3. Establish risk tiering and focus enhanced controls on high-criticality vendors.

  4. Continuously monitor third-party ecosystems, not just during onboarding.

  5. Develop a response playbook for vendor-related incidents.

A few other highlights from the survey:

  • 57% of respondents cite operational risk as a consideration for third parties, compared to 40% in 2023.

  • Across sectors, companies are turning to third-party service providers for everything from human resources to business intelligence and supply chain logistics. This, in turn, has increased the number of business functions that rely on third parties and are exposed to third-party risks. In the past, a bank may have had one or two risk verticals that cared about third-party risk; today, that number could be in excess of 20.

  • Continuing a multi-year pattern, the 2025 survey shows a trend toward increased centralization of TPRM. A growing number of organizations use centralized, enterprise-wide TPRM programs (57% in 2025, up from 54% in 2023). "A centralized approach to TPRM allows an organization to connect dots across verticals and see the big picture," says Rohit Mathur, EY Global Risk Consulting Strategy Leader and EMEIA Risk Consulting Leader. "For instance, an organization's Cybersecurity team may be monitoring a third party with respect to cyber risk. That third party might have robust cyber controls and score highly with respect to cyber risk. But the party may simultaneously be hemorrhaging money, with a high likelihood of bankruptcy in the next six months—which would obviously jeopardize its ability to invest in cyber controls going forward. If the organization does not connect dots across cyber and financial risk, it would miss the overall picture."
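Mathur's point about connecting cyber and financial signals, together with the report's recommendations on risk tiering and continuous monitoring rather than onboarding-only assessment, can be made concrete with a small scoring model. The Python below is an added illustration written for this article; it is not code from EY, the survey, or any vendor platform. The vendor name, domain scores, per-tier floors and the 15-point "sharp drop" threshold are all constructed assumptions chosen to show the siloed view and the centralized view disagreeing about the same vendor.

```python
from dataclasses import dataclass
from typing import Dict, List

# Domain scores are normalized 0-100, higher is better (e.g. from an external
# rating feed). Everything below is constructed for illustration, not EY data.
DOMAINS = ("cyber", "financial", "geopolitical")

# Minimum acceptable score in every domain, by vendor criticality tier
# (assumed values; a real program would set these through governance).
TIER_FLOOR = {"high": 80, "medium": 65, "low": 50}


@dataclass
class Vendor:
    name: str
    tier: str                  # "high" | "medium" | "low" criticality
    scores: Dict[str, float]   # latest score per domain


def siloed_cyber_review(v: Vendor) -> str:
    """What a cyber-only team sees: the cyber score against the tier floor."""
    return "ok" if v.scores["cyber"] >= TIER_FLOOR[v.tier] else "review"


def centralized_review(v: Vendor) -> str:
    """Centralized view: a vendor is only as strong as its weakest domain,
    because e.g. financial distress undermines future cyber investment."""
    floor = TIER_FLOOR[v.tier]
    failing = [d for d in DOMAINS if v.scores[d] < floor]
    return "ok" if not failing else "review:" + ",".join(failing)


def monitor(history: List[Dict[str, float]], tier: str,
            max_drop: float = 15.0) -> List[str]:
    """Continuous monitoring over successive observations (e.g. monthly).
    Raises an alert when a domain crosses below the tier floor, or drops
    sharply between observations even while still above the floor."""
    floor = TIER_FLOOR[tier]
    alerts: List[str] = []
    for i in range(1, len(history)):
        prev, cur = history[i - 1], history[i]
        for d in DOMAINS:
            if prev[d] >= floor > cur[d]:
                alerts.append(f"obs{i}:{d}:below_floor")
            elif prev[d] - cur[d] > max_drop:
                alerts.append(f"obs{i}:{d}:sharp_drop")
    return alerts


def demo() -> dict:
    """Constructed vendor: strong cyber controls, deteriorating finances."""
    history = [
        {"cyber": 92, "financial": 88, "geopolitical": 85},  # at onboarding
        {"cyber": 91, "financial": 70, "geopolitical": 85},  # month 1
        {"cyber": 90, "financial": 41, "geopolitical": 84},  # month 2
    ]
    vendor = Vendor("Example Payroll Ltd (constructed)", "high", history[-1])
    return {
        "siloed": siloed_cyber_review(vendor),
        "centralized": centralized_review(vendor),
        "onboarding_only": centralized_review(
            Vendor(vendor.name, vendor.tier, history[0])),
        "monitoring_alerts": monitor(history, vendor.tier),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The onboarding-only assessment returns "ok" because the vendor was healthy when first assessed; the cyber-only view still returns "ok" two months later; only the centralized, continuously monitored view produces the financial alerts that Mathur's scenario describes. Swapping the weakest-domain rule for a weighted average would hide exactly this case, which is why the example deliberately does not average across domains.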

More on AI from the survey:

"Consider how AI could create significant efficiencies and reinvent traditional ways of working, across different stages of the TPRM life cycle:

  • Vendor identification: Instead of manually compiling vendor lists, AI uses algorithms to scan databases and identify vendors based on predefined criteria, making the process faster and more comprehensive.
  • Risk assessment: AI models assess risks based on historical data and predictive analytics, providing objective risk scores.
  • Due diligence: AI replaces slow and labor-intensive manual document reviews with automated collection and analysis of vendor documentation, such as financials and compliance records.
  • Contract negotiation: AI analyzes contract terms using natural language processing (NLP) to identify risks and suggest improvements based on best practices.
  • Onboarding: AI streamlines the onboarding process through automated workflows and checklists, while solidifying compliance with requirements.
  • Monitoring: AI continuously monitors vendor performance using real-time data analytics and alerts for any anomalies or compliance issues.
  • Incident management: AI utilizes predictive analytics to identify potential incidents before they occur and conducts scenario analysis to foresee 'domino-effect' risks that may be hidden in more linear and siloed approaches.
  • Training and awareness: AI provides personalized training modules based on individual employee needs and learning styles.

Despite its potential, AI adoption in TPRM is still relatively low. Only 13% of companies have optimized technology and automation within their TPRM programs (or achieved 'Level 5' maturity)."

  • Realizing the full potential of AI and centralization requires understanding your obligations at an enterprise level—such as regulations, board imperatives, or investor imperatives—as well as how these translate to third-party risks and connect to the metrics of individual business units. If you are only looking at specific risks, instead of how your ecosystem of third parties could impact the overall business, you are narrowing your view and may set yourself up for suboptimal decision making.
  • "A decade ago, most companies had policies prohibiting their data from ever touching the public cloud, because of the fear factor of the technology," says Kawther Haciane, EY MENA Digital Risk Leader. "Today, the script has flipped. Companies everywhere are 'cloud first'—everything has migrated to the cloud, and exceptions have to justify why they shouldn't be on the cloud. What happened? We reached a tipping point, the assumptions and economics flipped, and it triggered mass adoption."
  • The new generation of AI models—including agentic AI, multimodal AI, reasoning AI, and self-improving AI—are bringing breakthrough capabilities, and combining them could be a game changer for TPRM. This could challenge cost-benefit calculations and make the value proposition of AI irresistible.

The EY 2025 report makes it clear: managing third-party cyber risk is no longer about checking a box—it's about safeguarding businesses.

The survey includes input from 500 executives who lead or assist TPRM.