TL;DR: Vendor ecosystems have become a primary risk path in AI-enabled operations, with 78% of enterprises sourcing AI from third parties and 55% of AI failures now coming from third-party tools, according to OneTrust. The governance problem is no longer review volume alone, but whether third-party controls can keep pace with AI-driven dependency growth and continuous change.
NHIMG editorial — based on content published by OneTrust: third-party risk management and AI supply chain risk in the 2026 Gartner Magic Quadrant blog
By the numbers:
- 78% of enterprises source AI from third parties, while 55% of AI failures now come from third-party tools.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should security teams govern third-party access in AI-enabled environments?
A: Start by treating every supplier integration as a governed identity path, not just a procurement relationship.
Q: Why do third-party risks become more serious when AI is involved?
A: AI increases both the number of external dependencies and the speed at which those dependencies change.
Q: What do organisations get wrong about third-party risk management?
A: Many teams still rely on periodic questionnaires as if supplier risk were static.
Practitioner guidance
- Map third-party access paths to specific identities Build an inventory of every API key, service account, token, certificate, and delegated admin path used by suppliers, then assign an owner and review date to each one.
- Tie re-review triggers to runtime change signals Reassess suppliers when their data use, access scope, product architecture, or AI functionality changes, instead of waiting for scheduled annual reviews.
- Separate human approval from AI-assisted triage Allow AI to assist with screening and summarisation, but keep approval authority, exception acceptance, and remediation sign-off under named human owners.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How OneTrust structures AI-assisted third-party intake, screening, and risk tiering inside the workflow.
- The specific configuration options for questionnaires, templates, and continuous monitoring signals.
- The way OneTrust links risk registers, framework mapping, and vendor intelligence into a single operating model.
- The article’s examples of how customers use the platform to reduce manual effort while improving audit readiness.
👉 Read OneTrust’s analysis of third-party risk management in AI-enabled vendor ecosystems →
Third-party risk and AI supply chains: what practitioners need to do?
Explore further
Third-party risk management is becoming identity governance by another name. Once vendors can host AI features, access enterprise data, or participate in automated workflows, the controlling question shifts from questionnaire completeness to delegated trust, credential scope, and offboarding discipline. That makes IAM, PAM, and third-party risk two views of the same governance problem. Practitioners should treat every external integration as an identity lifecycle asset, not just a supplier record.
A question worth separating out:
Q: Who is accountable when an AI vendor causes a security or compliance issue?
A: The vendor may be responsible for its own controls, but the enterprise remains accountable for what it approved, connected, and failed to re-evaluate. Accountability sits with the team that owns the business relationship, the control owner that approved access, and the governance function that monitors exceptions.
👉 Read our full editorial: Third-party risk management is shifting under AI supply chain pressure