At the beginning of 2025, Whistic surveyed third-party risk management (TPRM) leaders from more than 500 organizations to learn about the trends impacting their processes. We also spoke to vendors about their experiences responding to assessment requests.

The biggest trend impacting TPRM on both sides of the equation? Artificial Intelligence—59% of companies say that AI will have the largest influence on the future of vendor risk management. That’s an increase of 8% over this time last year.

AI is rapidly making its way into every aspect of business, so in some ways these trends are not surprising. But third-party risk management requires a disciplined, strategic approach to technological innovations, especially when they are moving as fast as AI is currently. It’s important to have a clear picture of AI’s emerging role in TPRM to better understand the risks and benefits.

In this article, we’ll look at the role AI is playing now and will play in the future of TPRM. We’ll identify the key trends in AI usage and adoption across the industry; examine the single biggest challenge facing TPRM teams today and how AI can help; and identify best practices for building a disciplined, strategic approach to selecting and using an AI-powered solution.

Snapshot: The Story of AI Third-Party Risk Management in 3 Trends

Survey data shows clear indications that momentum is building for AI use. Here are three key trends that emerged.

1. AI adoption is focused on the vendor assessment process.

The TPRM process spans from vendor selection and onboarding all the way to continuous monitoring and risk remediation. But the task of actually conducting a vendor risk assessment seems to be the focal point of current AI use cases:

57% of companies are currently using AI in their assessment process, while another 40% are either currently testing it (or plan to test it in the next 12 months).
40% of companies report using AI to identify specific control gaps, data points, or evidence in vendor documentation during the assessment process.
94% of companies are willing to use AI to summarize detailed security documentation such as a SOC 2 audit report.

2. Governance is evolving alongside AI adoption.

It makes sense that risk-oriented professionals would take a measured, detailed approach to new technology like AI—and that certainly seem to be the case:

90% of companies have a policy in place governing the use of AI or AI-enabled technology
85% of companies also have an AI governance and security committee in place that must approve all uses of AI tools.

3. Vendors are adding AI capability, too.

A strong majority of vendors have also identified use cases for AI, especially in the assessment-response process: 85% of vendors are either currently using, testing, or plan to test AI to assist with a growing number of assessment requests from customers and prospects.

Why AI: Solving the Biggest Problem in Third-Party Risk Management

These data points underscore a growing consensus: AI isn’t just a passing trend in TPRM—it’s a fundamental shift that is rapidly transforming the way businesses approach vendor management. But why is AI taking hold in TPRM in such a meaningful way?

The answer has to do with the single biggest challenge facing TPRM teams today: a widening gap between the costs of TPRM and the returns from these programs. Many organizations are struggling to match investment (in terms of dollars, time, resources, risk levels, and opportunity cost) to the value generated (in terms of lowered risk, controlled costs, and an increased capacity to safely, quickly procure needed services).

After speaking with hundreds of companies (all with at least 500 employees), here’s the story that emerges, by the numbers:

Companies now work with an average of 286 vendors; this is up from 237 vendors in 2024.
Over the last year, the average company added roughly 3 people to its TPRM team (growing from 5.6 persons last year to 8.5 this year). In 2024, the average cost of adding one person was $109K, for a total investment of ~$320K over that time.
80% of companies report a desire to increase team size again, at an average cost of $115K per hire.
In spite of these investments, the average company still spends 37.4 hours every week assessing vendors—that’s 14 more hours every week than this time last year.
And 94% of companies report they would assess more vendors if they had more time, resources, and technology—which means vendors that should be assessed by these companies based on their own risk criteria are not being assessed. In short, these companies are taking on more risk than they would like.
Additionally, 97% of companies surveyed report they would do a more in-depth and detailed assessment if they had greater capacity—again, leaving risk management to chance by not being as thorough as necessary.
It’s no surprise that security incidents are on the rise: the number of companies reporting a security breach in the last three years has risen to 70% (vs. 50% in 2023); 77% of these breaches originate with a third-party.

Companies are moving in the wrong direction when it comes to managing risk and delivering value: costs and resource investment are rising, but risk outcomes are getting worse.

How AI Modernizes TPRM Processes

So, the value gap is widening…where does AI come into play? Well, AI makes it possible to change the traditional way TPRM assessments are conducted, thus making them faster and more insightful.

Before we dive into how, let’s take a quick look at the typical, questionnaire-centric approach to vendor risk assessments that is still used most commonly. Here’s how that process usually looks:

After identifying a possible vendor, the TPRM team sends (either through email or software portal) a questionnaire to the vendor to collect risk intelligence. This questionnaire may be an existing standard framework or customized to the needs of the buyer, but in both cases it can run to hundreds of questions.
The vendor must manually collect evidence and answers to this questionnaire, taking an average of 12 days to respond.
After this wait period, the buyer receives a response; it’s often incomplete, requiring additional correspondence for clarification. Sometimes, the initial response is not a completed questionnaire, but simply raw documentation that the buyer must parse manually.
Weeks or even months pass, and the buyer either hasn’t been able to procure a necessary solution or they’ve simply given up trying to determine risk levels and accepted “good enough.”

Manual questionnaires, manual review, frustration, unnecessary risk: this is what we at Whistic call “legacy” TPRM. There’s simply a hard ceiling on this kind of process in terms of efficiency and effectiveness. As we’ve seen, companies simply don’t have the time and resources to keep up with demand in a risk-free way.

AI breaks away from this process by modernizing TPRM with automation, greater transparency, and a more seamless experience for you and your vendors. This modern, AI-powered approach changes the TPRM assessment process, targeting the pain points of the legacy approach.

Here’s what that means for your business:

Move away from questionnaire-only assessments and use a wider range of security data (including things you already have).

The questionnaire is a chokepoint in the assessment process because it requires a number of manual steps to assemble, complete, review, and finalize. It’s a heavy burden on vendors, too, and we see vendors simply decline to respond to questionnaires more and more. But it’s often the only tool companies have to identify the risks that matter to them—and that’s often because of strict regulatory pressures or unique risk sensitivities that simply must be taken into account.

But all the information necessary to make an informed risk decision lives in a wide variety of data sources. Legacy TPRM says that all that info must be stuffed into questionnaire form. Modern AI-powered TPRM allows you to easily extract information from that catalog of sources automatically.

Lots of these data sources are things you already have: public trust centers or risk ratings from services like RiskRecon; if you’ve assessed a vendor in the past, you also already have access to previously completed questionnaires or assessments. And it’s always much easier for a vendor to send you an NDA and a completed audit report like SOC 2 instead of answering a questionnaire. AI can extract specific intelligence out of that documentation, so you can get a massive head start on your assessment before really needing to engage with the vendor.

Get a fully transparent risk analysis in minutes, not weeks.

Trust is one of the most important issues around the maturation of AI capabilities, and this is especially true for applications in risk-management. AI systems are still beset by the “black box” stigma, whereby it’s impossible to tell how or why the AI is functioning the way it is.

That’s where we would ordinarily lose the InfoSec leaders joining us today, but the AI in modern TPRM can be built for total transparency. Because AI is drawing from a defined set of data (that you select), it can provide answers to your risk queries along with context, confidence scores, and full citations to the source. This makes it possible to audit AI responses quickly, giving you full visibility and control.

Stop cutting corners on risk. Assess as many vendors as you need at the depth you require.

Resource constraints are the single biggest challenge holding back TPRM teams. The sheer scope of their jobs gets bigger, more demanding, and more complex every year. Capacity can’t match demand, so businesses simply rubber-stamp risk out of necessity.

AI exponentially expands the capacity of your TPRM team by eliminating virtually all the manual steps in the process. That means you can do many more assessments in greater detail in a fraction of the time. That improves risk outcomes on its face, but it also has enormous opportunity value that reduces overall business risk. Now, all the important aspects of actual risk management—monitoring, remediation, bolstering security posture—that used to take a back seat now take center stage thanks to the time you’ve saved on manual assessments.

Vastly improve the vendor experience.

A full 99% of companies we surveyed report that vendor experience is either important or very important to them. But the questionnaire process isn’t exactly an olive branch of peace when it comes to building a trusting vendor relationship. Vendors face many of the same chokepoints in assessment response as TPRM teams do on the other side, and a manual questionnaire with hundreds of questions leads to unavoidable delays.

AI makes it possible to complete a huge portion of the questionnaire before the vendor even gets involved, using existing data sources first. As we mentioned before, it’s also much easier for a vendor to send their raw security documentation and have you find the answers you need for yourself—AI automates that rather than simply shifting the manual burden to you.

And if the AI cannot source every question you have, it still massively reduces the burden. It’s much easier for a vendor to quickly respond to 20 questions rather than 200.

Selecting the right AI for third-party risk management

While the use of AI in TPRM is growing, not all AI solutions are created equally. More than 57% of companies are trying AI in their assessment process, but only 4% of companies self-describe as “AI-first,” which means having AI capabilities integrated fully into their assessment workflows at every stage and using it to drive decision-making.

That number will grow, and it makes sense to have a clear strategy for evaluating AI solutions in place. For a fully mature, AI-first approach to TPRM, here are some of the key aspects to look for.

1. Find an integrated solution that works with your existing workflows.

This is the heart of “AI-first” TPRM. Many companies lose value from their technology investment because of change management: tools are too complex to implement, learn, or maintain, so adoption rates are low and value vanishes.

Select an AI solution that integrates AI capability into your TPRM processes to increase velocity through automation without having to reinvent the wheel to shoe-horn in an AI widget or “enhancement”. AI should simply take your expertise and automate it.

2. Look for mature AI systems.

The AI boom makes it feel like AI is brand-new, but it is possible to find AI solutions that are tested and proven. Mature AI systems provide greater accuracy, offer better context for making decisions, and integrate more seamlessly with existing systems for a better user experience.

3. Don’t compromise on trust, transparency, and control.

It’s not necessary to put your blind faith into the black box of AI. AI-first TPRM should show its work as it automates the assessment process. Look for solutions that offer contextual insight for the answers it provides: confidence scores to measure certainty, documentation citations that allow you to dive deeper into sources where necessary, and the ability to audit or override answers in granular detail. Also look for solutions that allow you to control the data sources the AI uses for each assessment.

4. Complement your GRC tools to maximize overall risk management.

Governance, risk, and compliance software often includes a module for TPRM, but users often experience significant challenges, including complex implementation, poor data integration, and high maintenance costs (in time and dollars).

AI-first TPRM solutions are purpose-built for vendor risk, giving you better risk visibility and simpler implementation. In other words, they augment your overall risk management strategy, and the additional speed of fully automated risk assessments help to reduce the overall cost of keeping your business safer. It’s a win-win, so look for AI-first solutions that work hand-in-hand with your GRC tool.

5. Find a vendor-friendly solution.

This is very much related to integrated AI workflows, but it’s worth emphasising. An integrated AI solution front-loads the automation, whereas a tacked-on widget leaves time-savings for the end of the process. Up-front automation (that starts with vendor selection and continues through assessments, onboarding, and remediation) extends the speed and efficiency to the vendor, too, by immediately reducing the questionnaire and response burden.

Assessment Copilot: The Next Generation of AI-First, Modern TPRM

AI-first TPRM modernizes processes, replacing manual steps with automation; replacing questionnaire-based assessments with data-rich analysis; and easing the burden on vendors for greater trust. It’s the only way to close the value-gap and reduce costs, risk, and time in the TPRM process.

Whistic has long been the leader in AI-powered TPRM. Since we first launched our suite of AI capabilities called Assessment Copilot in May of 2024, we have been enriching and refining the power of our platform and the experience of customers. In March 2025, we unveiled the next generation of Copilot for even more effective, automated TPRM. Our suite of capabilities includes:

Vendor Summary: Automatically run a security framework against the documents you’ve collected and added to your repository. The result is an automated assessment built on accuracy and trust: it comes complete with confidence scores, full citations and links to sources, and control over data access. It also learns with your business, making your next assessment even better than your last.
SOC 2 Summary: Create 5-page summaries from hundreds of pages of audit report, all aligned specifically to your security and risk controls. No more poring over pages of documents manually for evidence (for you or your vendor). The resulting report is also easily shareable for stakeholders, vendors, or senior leaders.
Vendor Insights: Query your entire vendor catalog at the same time rather than vendor-by-vendor. This allows you to quickly gather risk-based information in the event of a security event or if your risk profile changes.

That’s how Assessment Copilot works. But what does industry-leading AI mean for your and your TPRM team in business terms?

You don’t have to start from scratch: Use AI to source intel from data you’ve already collected, and don’t wait 12 days to hear back from a vendor.
You don’t have to change the way you work: Whistic integrates AI into every stage of TPRM workflows, so you do what you know best—just faster, richer, and with less cost.
You benefit from our head start: Unlike most platforms, Whistic AI is field-tested and mature. Our next generation of Assessment Copilot is an evolution built on proven expertise.
You get what you need faster and with less risk: You wouldn’t assess a vendor at all if you didn’t have an important business need. Now, you don’t have to put off value or embrace unnecessary risk simply to get the right solution.

If you’d like to assess more vendors, in greater detail, and in a fraction of the time, we’d love to show you how. Learn more about what Copilot can do for you, or schedule a time to meet with our experts today.