Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Third-party risk and AI supply chains: what practitioners need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Vendor ecosystems have become a primary risk path in AI-enabled operations, with 78% of enterprises sourcing AI from third parties and 55% of AI failures now coming from third-party tools, according to OneTrust. The governance problem is no longer review volume alone, but whether third-party controls can keep pace with AI-driven dependency growth and continuous change.

NHIMG editorial — based on content published by OneTrust: third-party risk management and AI supply chain risk in the 2026 Gartner Magic Quadrant blog

By the numbers:

Questions worth separating out

Q: How should security teams govern third-party access in AI-enabled environments?

A: Start by treating every supplier integration as a governed identity path, not just a procurement relationship.

Q: Why do third-party risks become more serious when AI is involved?

A: AI increases both the number of external dependencies and the speed at which those dependencies change.

Q: What do organisations get wrong about third-party risk management?

A: Many teams still rely on periodic questionnaires as if supplier risk were static.

Practitioner guidance

  • Map third-party access paths to specific identities Build an inventory of every API key, service account, token, certificate, and delegated admin path used by suppliers, then assign an owner and review date to each one.
  • Tie re-review triggers to runtime change signals Reassess suppliers when their data use, access scope, product architecture, or AI functionality changes, instead of waiting for scheduled annual reviews.
  • Separate human approval from AI-assisted triage Allow AI to assist with screening and summarisation, but keep approval authority, exception acceptance, and remediation sign-off under named human owners.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • How OneTrust structures AI-assisted third-party intake, screening, and risk tiering inside the workflow.
  • The specific configuration options for questionnaires, templates, and continuous monitoring signals.
  • The way OneTrust links risk registers, framework mapping, and vendor intelligence into a single operating model.
  • The article’s examples of how customers use the platform to reduce manual effort while improving audit readiness.

👉 Read OneTrust’s analysis of third-party risk management in AI-enabled vendor ecosystems →

Third-party risk and AI supply chains: what practitioners need to do?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Third-party risk management is becoming identity governance by another name. Once vendors can host AI features, access enterprise data, or participate in automated workflows, the controlling question shifts from questionnaire completeness to delegated trust, credential scope, and offboarding discipline. That makes IAM, PAM, and third-party risk two views of the same governance problem. Practitioners should treat every external integration as an identity lifecycle asset, not just a supplier record.

A question worth separating out:

Q: Who is accountable when an AI vendor causes a security or compliance issue?

A: The vendor may be responsible for its own controls, but the enterprise remains accountable for what it approved, connected, and failed to re-evaluate. Accountability sits with the team that owns the business relationship, the control owner that approved access, and the governance function that monitors exceptions.

👉 Read our full editorial: Third-party risk management is shifting under AI supply chain pressure



   
ReplyQuote
Share: