TL;DR: Vendor risk management now spans security, privacy, compliance, and business continuity as organisations rely more heavily on third parties and cloud providers, according to OneTrust. The governance challenge is no longer supplier screening alone; it is continuous visibility into who vendors are, how they operate, and what access they retain.
NHIMG editorial — based on content published by OneTrust: What Is Vendor Risk Management?
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams implement vendor risk management in a way that actually scales?
A: Start with a live vendor inventory, then classify suppliers by business criticality, data access, and system reach.
Q: Why do third-party relationships create identity and access risk?
A: Third-party relationships create identity risk because external parties often receive real credentials or delegated access into sensitive systems.
Q: What do organisations get wrong about annual vendor assessments?
A: They treat risk as static.
Practitioner guidance
- Build a live vendor inventory Track each vendor's business criticality, data access, system access, contract owner, and reassessment date in one authoritative register.
- Tier assessments by access and data risk Reserve deeper evidence review for vendors that touch production, regulated data, or privileged operational workflows, and use lighter attestations for low-risk suppliers.
- Validate control evidence, not just questionnaires Require artefacts, logs, audit reports, or remote audit evidence for higher-risk vendors so assessment outcomes reflect actual control operation.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step vendor risk management lifecycle guidance from inventory through offboarding
- Sample assessment questions and methodologies for scoring vendor risk
- Detailed framework references for ISO 27001, NIST SP 800-53, SIG Lite, SIG Core, and CSA CAIQ
- Workflow examples for automation, reassessment, reporting, and remediation tracking
👉 Read OneTrust's full guide to vendor risk management →
Vendor risk management and access governance: where teams are exposed?
Explore further
Vendor risk management is now an access governance problem as much as a procurement problem. The article describes inventory, assessment, monitoring, and offboarding, but the deeper issue is who can still reach what after the commercial relationship changes. That is the same lifecycle problem identity teams face with service accounts, API keys, and privileged vendor access. Programmes that treat VRM as a periodic questionnaire will miss the security boundary created by persistent third-party access.
A question worth separating out:
Q: Who is accountable when a vendor causes a cyber incident?
A: Accountability sits with both sides, but the buying organisation remains responsible for governing the access it granted. Security, IAM, procurement, and the business owner all need clear ownership for onboarding, monitoring, and revocation. If no one owns the full lifecycle, third-party risk becomes an inherited control gap.
👉 Read our full editorial: Vendor risk management is becoming a board-level identity problem