Overview
Key Findings
TPCRM programs are still overly reliant on due diligence due to the illusion that precontract activities are sufficient to manage cyber risks.
Organizations are seeking solutions that can serve both cyber governance, risk, and compliance (cyber GRC) and TPCRM use cases, rather than managing them separately.
Cybersecurity leaders are beginning to experiment with GenAI in third-party risk questionnaires to deal with increased scale, but short-term productivity gains are tempered by output degradation.
Recommendations
Shift TPCRM program resourcing from due diligence assurance to risk-based monitoring to better detect incidents and minimize impact of third-party incidents.
Prioritize technology platforms that serve both cyber GRC and TPCRM use cases to enable greater collaboration, responsiveness and adaptable risk management.
Use GenAI and AI techniques to redirect human resources to more valuable risk management activities. Do not confuse the improved automation of check-box activities (e.g., records that must be kept for the sake of compliance) with improved risk management.
Analysis
The surge in third-party-originating cybersecurity breaches demands a fundamental shift in how cybersecurity leaders and their teams manage third-party cybersecurity risks. Yet most organizations (62%) still overly trust due diligence questionnaire answers and findings, which are increasingly AI-generated, to blindly inform their risk-mitigation strategies. This approach is insufficient and leaves organizations vulnerable to dynamic threats that emerge after the contract is signed. Cybersecurity leaders must shift from a prevention-only mindset to one that prioritizes quick detection, minimizes the impact of incidents, and thoughtfully leverages AI to improve processes.
Urgency and Market Shift
Cyberattacks increasingly target supply chains by exploiting the trust between organizations and their vendors (see How to Respond to the 2025-2026 Threat Landscape). Third-party-related cyber incidents surged from 15% in 2024 to 30% in 2025. [1] The urgency of this problem is recognized beyond cybersecurity: the 2025 Gartner Board of Directors Survey reported that 98% of directors anticipate cyberthreats to continue growing, [2] while 76% of executive risk committee members consider third-party risks a priority for their organizations.
What You Need to Know
Organizations increasingly seek solutions that combine cyber GRC and third-party cyber risk management (TPCRM) use cases rather than managing them as isolated functions. This approach enables CISOs and their teams to maintain ongoing visibility and cybersecurity oversight, and to connect to the SOC technology stack for enhanced analytics.
Figure 1: Traditional Vendor Risk Management Life Cycle Framework

Strategic Planning Assumptions
Strategic Planning Assumption: By 2028, half of all TPCRM programs will focus on continuous monitoring, allowing CISOs to repurpose due diligence resourcing to other high-value third-party risk mitigation activities.
Key Findings:
Growing reliance on diverse third-party vendors expands an organization’s attack surface. This interconnectedness means a single vendor breach can trigger widespread cybersecurity incidents and increase exposure to new and sophisticated types of attacks.
TPCRM programs are still overly reliant on due diligence due to the illusion that precontract activities are sufficient to manage cyber risks.
Current monitoring practices focus on contractual affirmations and largely reflect a one-size-fits-all, manual approach, with very limited ability, and few appropriate skills, to detect or respond to risks beyond what third-party-provided posture-management and threat-intelligence services report.
Market Implications:
Traditional third-party public-security posture scoring is inadequate for modern TPCRM programs. Providers must expand offerings (e.g., AI detection, data movement, threat alerting, etc.) to augment cybersecurity risk decision making.
The increase in functionality offered by TPCRM technology and vendors (e.g., AI agents, identity and access monitoring, internal security posture) will prompt organizations to expand their demand for third-party infrastructure visibility, thereby increasing the complexity and requirements for monitoring strategies. Resource constraints and skills gaps in the TPCRM program will push organizations to seek outsourced services and technology for third-party monitoring to enable faster detection and impact minimization.
Recommendations:
Shift TPCRM program resourcing from due diligence assurance to risk-based monitoring to better detect incidents and minimize impact of third-party incidents.
Clearly define monitoring scope based on non-negotiable requirements to enable risk-focused, scalable, and actionable monitoring. For example, prioritize monitoring temporary exceptions to MFA adoption for external systems until the risk has been mitigated.
Communicate monitoring requirements to vendors, highlighting how these capabilities support rapid decision making, accountability, and resilience. For instance, communicate how prompt alerts for critical supply chain outages and credential compromises, along with actionable recommendations, can improve resilience and limit operational disruption.
Strategic Planning Assumption: By 2028, organizations integrating TPCRM into cyber GRC programs will achieve more than 20% reductions in labor and technology costs, while fragmented programs will face unsustainable operational overhead.
Analysis by: Deepti Gopal
Key Findings:
Organizations are seeking solutions that can serve both cyber GRC and TPCRM use cases to improve collaborative business decisions and early risk identification, rather than managing them separately.
Growing reliance on external IT services expands the attack surface, prompting CISOs to prioritize structured risk assessment, incident response, and third-party oversight. However, cybersecurity risk and third-party cyber risk management (TPCRM) technology solutions remain disparate and do not offer a consolidated approach to address these challenges.
Fragmented internal cybersecurity processes create gaps in visibility into the third-party ecosystem, enabling lateral movement within environments. As long as these foundational issues persist, even the most advanced features in TPCRM solutions will fail to provide appropriate risk reporting and identification.
Market Implications:
The boundaries separating cyber risk management and TPCRM are blurring, leading to a convergence in cyber GRC services and solutions.
TPCRM vendors must provide real-time monitoring to help clients detect control drift across the ecosystem, as current disconnected point solutions do not materially help mitigate cybersecurity risk.
Recommendations:
Abandon the pretense that TPCRM solutions demonstrably reduce cybersecurity risk exposure over the term of a contract, when in reality they serve little purpose beyond meeting regulatory requirements.
Prioritize technology platforms that serve both cyber GRC and TPCRM use cases to enable greater collaboration, responsiveness and adaptable risk management.
Map cyber risk and TPCRM activities, including risk reporting and risk identification, to specific risk categories and value-chain owners, to ensure clear accountability and avoid duplication of effort.
Experiment with digital twins that map the vendor landscape, enabling real-time observability and vendor dependency testing. This allows teams to proactively identify gaps in the integration of controls and compliance frameworks, and to run scenario modeling exercises that test what-if scenarios and predict cascading impacts across the supply chain. Move beyond simply validating third-party risks and adopt a proactive approach to managing dependencies, strengthening internal defenses and improving overall resilience.
Strategic Planning Assumption: By 2028, 70% of organizations and vendors will use GenAI for both completing responses to TPCRM questionnaires and analyzing completed questionnaires, rendering the outputs increasingly unusable and disconnected from actual risk indicators.
Analysis by: Zachary Smith
Key Findings:
Third-party cybersecurity risk questionnaires are inefficient and labor-intensive processes for cybersecurity functions and vendors alike. Additionally, industry standards and best practices — such as HITRUST for healthcare — often require nonvendor organizations to respond to a partnering organization’s questionnaire.
The increased demand for enhanced scalability and productivity has led many organizations to explore GenAI solutions to third-party cybersecurity risk questionnaires. For responding organizations, GenAI helps automate the process of completing TPCRM questionnaires. For requesting organizations, GenAI helps automate the analysis of completed questionnaires.
The problem with using GenAI to aid both the respondent and requester is not merely the increased risk of hallucinations. GenAI-driven analysis of GenAI-driven inputs leads to output degradation, error amplification, and eventually model collapse in the face of recursively generated data.
TPCRM questionnaires are point-in-time self-assessments that are not a reliable proxy for third-party cybersecurity risk.
Market Implications:
Vendors and other responding organizations will increasingly rely on GenAI and AI techniques (including natural language processing, LLMs, and AI agents) to automate responses to third-party cybersecurity risk questionnaires.
Organizations adopting AI techniques for automating questionnaire analysis will exponentially speed up the onboarding of third parties, while reducing the number of FTEs required to manage an increasing number of third parties.
Risk exchange and reporting services, which depend primarily on housing prepopulated security questionnaires, will decline in usage and members as the increased speed of GenAI processing enables faster turnaround times and analysis of TPCRM questionnaires.
The double-sided use of GenAI to answer TPCRM questionnaires and analyze completed questionnaires will improve the speed of third-party onboarding for organizations but at the cost of increasing the noise-to-signal ratio for third-party cybersecurity risk.
CISOs looking to manage third-party cybersecurity risk will abandon TPCRM questionnaires as a check-box compliance capability in favor of solutions that allow for better in-flight monitoring of third-party relationships.
Recommendations:
Stop scaling the “security theater” of TPCRM questionnaires. Cybersecurity leaders have long known the limitations of unverified, carefully scoped, point-in-time questionnaire responses.
Use GenAI and AI techniques to redirect human resources to more valuable risk management activities. Do not confuse the improved automation of check-box activities (e.g., records that must be kept for the sake of compliance) with improved risk management.
Pivot from due diligence-driven questionnaires to a life cycle approach to third-party cybersecurity risk management focused on (1) mutual partnership with critical third parties, (2) incident response and resilience activities for third-party cybersecurity incidents, and (3) carefully scoped in-flight monitoring of cybersecurity risks from third parties as explored above.
A Look Back
In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale — one where we were wholly or largely on target, as well as one we missed.
This report is too new to have on-target or missed predictions.
[2] 2025 Gartner Board of Directors Survey. This survey was conducted to understand how C-suite executives can work more effectively with the board of directors (the nonexecutive director board) and provide appropriate information to the board with confidence in their ability to deliver on the enterprise strategy in the near term and in the future. The survey also focused heavily on current issues of the day for boards that are either caused by technology or are mitigated by technology. The survey was conducted online from June through August 2024 among 328 respondents from North America (n = 169), Latin America (n = 12), Europe (n = 77) and Asia/Pacific (n = 70). Respondents came from organizations with $50 million or more in annual revenue in industries except governments, nonprofits, charities and nongovernmental organizations (NGOs). Respondents were required to be nonexecutive members of corporate boards of directors. Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
[3] Heathrow Airport Cyberattack: What Happened, Who’s Affected, and What CISOs Should Know, SOCRadar.