TL;DR: Third-party risk teams are increasingly using AI to accelerate vendor onboarding, monitoring, and control assurance, but most organisations are adopting agentish rather than fully agentic systems because oversight, guardrails, and accountability still matter, according to OneTrust. The practical issue is not whether AI can act, but where human review must remain in the loop.
NHIMG editorial — based on content published by OneTrust: Agentic vs. Agentish AI: What It Means for Third-party Risk Management
By the numbers:
- In 2024, AI-related incidents grew more than twenty-six times over the previous three years.
Questions worth separating out
Q: How should security teams use AI in third-party risk management without over-automating decisions?
A: Use AI to continuously prioritise vendors, detect anomalies, and flag contract or control drift, but keep approval, exception handling, and accountability with humans.
Q: Why do access sprawl and AI workflows create more identity risk?
A: Because they multiply the number of places where credentials, approvals, and delegated actions can occur without clear ownership.
Q: What breaks when AI agents have broader access than their tasks require?
A: Over-privileged agents break segregation of duties, weaken auditability, and expand blast radius across transactions, data lookups, and workflow triggers.
Practitioner guidance
- Define AI decision boundaries Specify which third-party risk tasks an AI system may complete, which ones it may only recommend, and which remain human-approved.
- Assign each AI workflow an identity Create separate accounts or service identities for AI workflows, with least privilege, logging, and lifecycle ownership.
- Review control evidence for automation drift Check whether AI-generated assessments, classifications, or reminders are changing the meaning of the evidence you rely on.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Examples of how agentish AI can automate supplier onboarding without taking over approval authority.
- Practical comparisons between automation, generative AI, agentish AI, and fully agentic systems in third-party risk workflows.
- Vendor-side examples of how AI can assemble assessments, correlate incidents, and classify evidence at scale.
- The article's framing on where risk, compliance, and workflow ownership need to sit when AI supports third-party oversight.
👉 Read OneTrust's analysis of agentic vs agentish AI for third-party risk management →
Agentic vs agentish AI - what does it mean for third-party risk?
Explore further
Agentish AI is the governance shape most enterprises actually need. Fully autonomous systems create decision speed that outstrips current risk governance, while bounded systems preserve reviewable accountability. In third-party risk, that matters because assessments, evidence collection, and supplier scoring are governance decisions, not just automation tasks. The practical conclusion is that risk teams should design for constrained delegation rather than autonomy-first deployment.
A question worth separating out:
Q: Who is accountable when an AI system makes a harmful decision?
A: Accountability should follow the identity chain that authorized, configured, or triggered the action, including the human owner, the platform team, and any delegated agent or tool account. If the organisation cannot name that chain, the governance model is too weak for regulated AI use.
👉 Read our full editorial: Agentic vs agentish AI: what risk teams need to know