TPRM wasn't built for the world we're in now.
Third-party risk management was designed in the early 2000s for a different environment: fewer vendors, slower software cycles, stable relationships you could assess once and revisit annually.
The assumptions baked into most programs still reflect that era. Fixed review cycles. Questionnaire-based assessments. SOC 2 reports as the primary evidence. Annual reassessments regardless of what changed.

Meanwhile, the vendors themselves have changed completely. They ship code weekly. They add AI capabilities and subprocessors without disclosure. They run on shared infrastructure that creates fourth- and fifth-party dependencies invisible to anyone doing a standard assessment.

A vendor's risk profile can shift materially between one annual review and the next, and nothing in the traditional TPRM workflow is designed to catch it.
The result is a growing gap between the rate at which vendor risk changes and the rate at which organizations can assess it. Survey data from procurement and security leaders at Fortune 500 companies shows the operational consequences:
- 96% of organizations take more than two weeks to approve a vendor
- Half cite evidence collection as their primary bottleneck
- Only 40% learn about vendor incidents before impact
The model isn't failing because teams aren't working hard enough. It's failing because manual, periodic oversight can't keep pace with continuous change.
The Original TPRM Model
TPRM programs emerged in the early 2000s, mostly in regulated industries dealing with outsourcing risk and post-SOX governance.
The core assumption was that vendors were stable. Software changed slowly. You could evaluate risk at onboarding, check back in a year, and that was fine.
Programs were built around:
- Inherent risk tiering to decide how much effort to spend
- Standardized questionnaires
- Annual or biennial reassessments
- SOC 2 reports and ISO certs as baseline evidence
For a long time, this worked. Vendor populations were smaller, dependency chains were shallow, and not much changed between review cycles.
That environment doesn't exist anymore.
What Changed
Software deploys weekly or daily. Cloud platforms, shared infrastructure, and AI-enabled services introduce dependencies that sit outside the direct vendor relationship and change without anyone telling you.
A vendor's risk profile can shift when they:
- Launch a new product
- Add subprocessors
- Expand data access
- Change infrastructure
- Add AI features
None of that triggers a "new vendor" flag in your system. The vendor looks the same, but the risk changed and you didn't get notified.
MOVEit showed what this looks like in practice. One vulnerable service provider dependency cascaded across thousands of organizations, many of which didn't know they were exposed.
CrowdStrike in 2024 was similar: a shared security platform update took down banks, airlines, and critical services worldwide.
Organizations can add headcount and still feel behind. The issue isn't effort. It's that you're managing modern dependencies with a playbook built for simpler vendor relationships.
The Numbers
We asked practitioners what's actually happening in their programs.
How many new or changed vendors need review each month?
Two-thirds are reviewing 6+ vendors a month. That's just the job now.

How do you reassess after onboarding?
Almost everyone still relies on calendar-based reviews. Only a third have continuous monitoring, and even then it's usually layered on top of the annual cycle, not replacing it.

How often do you learn about vendor incidents before they impact you?
Only 40% say they reliably find out before impact. Everyone else is getting surprised at least half the time.

Third-Party Risk Is Dependency Risk Now
Traditional TPRM treats vendors as independent. In practice, you're operating inside layered dependency structures that go well beyond the vendor you're assessing.
We’ve seen other data showing that over a third of breaches now involve third- or fourth-party relationships, usually through shared platforms rather than isolated vendor failures.
CrowdStrike and Snowflake both fit this pattern. Organizations got hit not because they picked bad vendors, but because they shared dependencies that failed at scale.
It's concentration risk disguised as diversification.
When we asked what would most improve their programs, fourth-party visibility came up repeatedly:
"Monitoring 4th parties and proactively have alerts of impact"
"Ability to map full supply chain of a vendor to follow the data flow"
The question isn't just "is this vendor compliant."
It's "what dependencies does this vendor introduce, and can I see them."
Why SOC 2 Reports Don't Tell You Much
SOC 2s, ISO certs, and questionnaires are still the default.
They're familiar, auditable, and scale okay.
- Retrospective: tells you what was true months ago
- Generic: not specific to how you're actually using the vendor
- Slow: updated annually while systems change weekly
- Policy-focused: describes what should happen, not what's running
Industry data shows certification doesn't correlate with fewer breaches. Almost every organization has vendors who've been breached while holding current compliance reports.
What happens after an assessment?
Mostly documentation. Contractual language gets added. Sometimes access gets scoped down or a follow-up review gets scheduled. Vendors rarely get rejected outright.
One respondent put it plainly:
"We more or less turn vendors loose in the environment without real controls to prevent bad actions."
The failure isn't lack of diligence.
It's that a governance model built around static documents can't represent risk that emerges from live systems.
The Real Bottleneck
What causes the most friction in vendor intake and assessment?
Half the respondents pointed at the same thing: getting documents from vendors.

How long does approval take?
96% take more than two weeks. 43% take two months or longer.

Traditional TPRM relies on static, questionnaire-based assessments. Vendors respond to standardized questions, supporting documents are collected and mapped to controls, and the results are captured in point-in-time reports. While additional staff can help manage throughput, the underlying approach does not scale with the pace or variability of modern vendor risk.
"The biggest issue is capturing a clear use case from the requester upfront. Vendor response time is often cited as the bottleneck, but it's frequently a downstream effect of an incomplete or poorly defined use case."
"Risk decisions get fragmented across intake tickets, email threads, procurement systems, ad hoc approvals..."
The bottleneck isn't expertise. It's chasing documents, managing email threads, waiting for responses, reconciling incomplete evidence.
What Practitioners Want
When asked what would improve their programs, the answers clustered around a few themes:
Respondents didn’t ask for more controls or heavier governance.
They want systems that do the work so they can focus on decisions.
The Operating Model for Modern TPRM
Principles
- Evidence-first: evidence supports decisions, doesn't replace them
- Intake-led scoping: risk assessed based on use case, data access, and dependencies
- Trigger-based reassessment: changes drive reviews, not calendars
- Dependency awareness: fourth-party and shared infrastructure risks are explicit
- Human judgment with system support: automation handles the noise, people make decisions
- Procurement integration: risk gets involved early, less rework later
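As an added illustration of two of these principles, trigger-based reassessment and dependency awareness, together with the concentration-risk point made earlier (shared fourth parties failing at scale), here is a small Python model. It is not part of the report and not Coverbase's product code; the vendor registry, vendor names and subprocessor names are constructed placeholders. It diffs two snapshots of one vendor to decide whether a review is due, and inverts the vendor-to-subprocessor map to find the fourth parties that more than one vendor depends on.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    """Snapshot of what a vendor looks like at one point in time."""
    name: str
    subprocessors: frozenset  # fourth parties the vendor itself relies on
    data_classes: frozenset   # categories of your data the vendor can access
    infrastructure: str       # hosting platform / shared infrastructure
    ai_features: bool         # whether the product now includes AI capabilities


def detect_triggers(old, new):
    """Compare two snapshots of the same vendor and return the material
    changes (the change types listed in the report) that should drive a
    reassessment. An empty list means nothing material changed."""
    triggers = []
    added = new.subprocessors - old.subprocessors
    if added:
        triggers.append("subprocessors added: " + ", ".join(sorted(added)))
    expanded = new.data_classes - old.data_classes
    if expanded:
        triggers.append("data access expanded: " + ", ".join(sorted(expanded)))
    if old.infrastructure != new.infrastructure:
        triggers.append(
            f"infrastructure changed: {old.infrastructure} -> {new.infrastructure}"
        )
    if new.ai_features and not old.ai_features:
        triggers.append("AI features added")
    return triggers


def needs_reassessment(old, new):
    """Trigger-based rule: a review is due when anything material changed,
    regardless of where the vendor sits in the annual calendar."""
    return bool(detect_triggers(old, new))


def shared_fourth_parties(profiles):
    """Invert the vendor -> subprocessor map and keep only fourth parties
    that more than one vendor depends on: the concentration points."""
    dependents = defaultdict(set)
    for p in profiles:
        for sp in p.subprocessors:
            dependents[sp].add(p.name)
    return {sp: sorted(v) for sp, v in dependents.items() if len(v) > 1}


def blast_radius(profiles, fourth_party):
    """Vendors, and through them data classes, exposed if one fourth party
    fails. This is the cascade the report describes as concentration risk."""
    hit = [p for p in profiles if fourth_party in p.subprocessors]
    return {
        "vendors": sorted(p.name for p in hit),
        "data_classes": sorted(set().union(*(p.data_classes for p in hit))),
    }


# Constructed sample registry; every name below is a placeholder.
BASELINE = [
    VendorProfile("payroll-saas", frozenset({"cloud-host-a", "email-relay-b"}),
                  frozenset({"PII"}), "cloud-host-a", False),
    VendorProfile("ticketing-saas", frozenset({"cloud-host-a"}),
                  frozenset({"PII"}), "cloud-host-a", False),
    VendorProfile("analytics-saas", frozenset({"cloud-host-c"}),
                  frozenset({"usage-telemetry"}), "cloud-host-c", True),
]

# The same ticketing vendor six months later: it added an AI assistant backed
# by a new subprocessor and now sees support transcripts. Nothing in a
# calendar-based program would notice until the next annual review.
TICKETING_LATER = VendorProfile(
    "ticketing-saas",
    frozenset({"cloud-host-a", "llm-api-d"}),
    frozenset({"PII", "support-transcripts"}),
    "cloud-host-a",
    True,
)

if __name__ == "__main__":
    for trigger in detect_triggers(BASELINE[1], TICKETING_LATER):
        print("reassess ticketing-saas:", trigger)
    print("shared fourth parties:", shared_fourth_parties(BASELINE))
    print("if cloud-host-a fails:", blast_radius(BASELINE, "cloud-host-a"))
```

In a real program the snapshots would come from intake answers, contract schedules and monitoring feeds rather than hand-written records, but the decision logic is the same: compare the last reviewed state with the current one, and let a material difference, not the date, open the review.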
The Direction
The future of TPRM is not heavier governance, but systems designed for continuous change. Organizations anchored to static reviews, questionnaire-based assessments, and manual coordination will continue to experience structural friction: slow procurement, delayed risk discovery, and preventable surprises.
Agentic programs move faster not by accepting more risk, but by maintaining an accurate, continuously updated understanding of risk as it evolves.
Coverbase
Coverbase uses agentic AI to orchestrate intake, assessment, monitoring, and evidence reuse as a single system.
The goal isn't replacing human judgment. It's making sure your people spend time on decisions, not admin.
Methodology
This report is based on:
- Survey responses from procurement and security leaders at Fortune 500 companies and leading financial institutions, including top global cryptocurrency exchanges, leading pharmaceutical and healthcare companies, top U.S. banks, leading telecommunications providers, global asset managers, leading wealth and investment management firms, and enterprise technology and cybersecurity companies.
- Industry research from analysts, regulators, and security firms.
- Operational experience working with organizations managing large, regulated vendor ecosystems.
Survey conducted January 2026.