The Cyber Risk Podcast: Third-Party Risk Management Goes Agentic in 2026

Mar 11, 2026

Vincent Scales of CVS Health discusses the breaking point, the industry shift, and the agentic horizon for TPRM

By Sweta Bhattacharya

In this episode of The Cyber Risk Podcast, SAFE’s Chief Product Officer Saket Bajoria sits down with Vincent Scales, Lead Director of Third-Party Risk at CVS Health, to explore how third-party risk management is crossing a decisive threshold. What began as a regulatory obligation has become a board-level expectation, and now stands on the verge of a fundamentally new operating model powered by Agentic AI.

Vincent brings a deeply practitioner-led perspective shaped by more than a decade of building and scaling TPRM programs across industries. The conversation traces where TPRM started, why it now sits alongside enterprise risk management, and how teams can realistically scale impact in 2026 without scaling headcount.

Watch Vincent and Saket’s discussion on this latest episode of The Cyber Risk Podcast.

Here are the seven most important takeaways from the discussion.

1. Customer Trust Has Become the Strongest Driver of TPRM

Vincent opens by calling out a shift that many teams are feeling but haven’t fully named yet. While regulation once defined the pace and scope of third-party risk programs, it no longer explains why those programs are expanding.

“Regulatory requirements have largely driven the direction of third party risk management over time. But now it’s starting to become customer expectations.”

This changes how effective programs frame their mission. Instead of organizing work around audit cycles, leading teams are orienting their priorities around trust outcomes: what customers, patients, and partners expect when they share data or rely on critical services. When TPRM aligns itself to protecting trust rather than satisfying controls, it becomes easier to explain why certain vendors, risks, and remediation efforts truly matter.

2. External Access Is Now a Core Enterprise Security Consideration

To explain why third-party risk has climbed so rapidly in executive importance, Vincent uses a vivid analogy that resonates across industries.

“It doesn’t matter how strong the moat you build around your castle is… when you let the drawbridge down… that’s where the risk starts to come into your castle.”

This perspective shifts focus away from abstract vendor lists and toward concrete access paths. Programs that are making progress are grounding risk discussions in how vendors actually connect to systems, data, and workflows—and how that access is granted, monitored, and revoked over time. By anchoring assessments to real exposure instead of theoretical risk, TPRM naturally integrates with identity, cloud, and application security efforts.

3. Scaling Without Headcount Is Now Achievable

Vincent highlights a tension nearly every program is facing: importance is rising, but capacity is not.

“There is an acknowledged importance in the minds of C-suite executives and boards of directors… but budgets are not really getting any larger. The problem, however, is getting much larger.”

The programs that are breaking through this ceiling are being intentional about how human effort is used. Rather than spreading people thin across intake, coordination, and document chasing, they are carving out space for judgment-driven work – risk analysis, vendor collaboration, and business engagement – by removing humans from repetitive, high-volume tasks wherever possible. This shift makes scale a design choice rather than a staffing constraint, and redirects limited resources towards more meaningful risk reduction decisions.

4. Agentic AI Unlocks a New Operating Model for TPRM

Against this backdrop, Vincent frames Agentic AI not as an experiment, but as the next abstraction layer for how third-party risk actually operates.

“Agentic AI not just has the potential, but will become the abstraction layer between GRC platforms, TPRM teams and processes, and the people who interact with them.”

What makes this practical is where teams start. Instead of automating judgment, early adopters are using agents to handle front-door workflows – initial outreach, document requests, evidence ingestion, and first-pass analysis. This allows practitioners to step in where context, nuance, and collaboration are required, rather than spending time moving information from one place to another.

5. Reimagine Questionnaires to Improve Speed and Outcomes

Vincent is candid about where frustration surfaces most often in traditional TPRM programs.

“Super long questionnaires… vex and frustrate third parties.”

That frustration is mirrored internally as well.

“They’re thinking, you should know this already. How do you not know this?”

Programs that are improving outcomes are flipping the model. Instead of starting with hundreds of questions, they aggregate what is already known from prior assessments, assurance reports, internal system inventories, and external data, and ask only what is genuinely missing. This respects the time of vendors and internal teams alike, while producing higher-quality answers where it actually matters.

6. Control Discovery Enables Faster, More Meaningful Decisions

Vincent reinforces that questionnaires were always intended to uncover control gaps, not serve as the primary source of truth.

“You’re asking questions to ascertain the presence of controls.”

As assurance artifacts become easier to ingest and map automatically, teams are shifting their focus to discrepancies, exceptions, and context-specific risks. This shortens assessment cycles while deepening insight, allowing practitioners to spend less time validating known controls and more time understanding how those controls apply to real use cases.

7. Proactive TPRM Shapes Better Business Decisions

Vincent closes with a vision of what TPRM becomes when intelligence, automation, and internal context come together: a true business enabler.

“What if there were an extremely high-risk vendor that the business wanted to use, but I could say… Here’s a better-controlled vendor and we can onboard them in two weeks.”

At this point, TPRM stops being a gatekeeper and starts influencing outcomes upstream. When teams have visibility into vendor risk posture, onboarding friction, and control maturity, they can guide the business toward safer choices earlier—supporting innovation while reducing exposure. This is where TPRM becomes a true partner to the business.

From Compliance Function to Risk Partner

This episode makes one thing unmistakable: third-party risk management is entering its Agentic era. As customer expectations rise, ecosystems expand, and teams remain lean, the future of TPRM depends on automation that respects human time, intelligence that scales judgment, and systems that continuously learn.

At SAFE, we believe this shift from manual compliance workflows to autonomous cyber risk management is what will define the next generation of third-party risk programs. The organizations that succeed will not be the ones that do more assessments, but the ones that make smarter decisions, faster, with confidence.

See firsthand how SAFE TPRM is making TPRM’s Agentic future come alive or schedule a 1:1 with a SAFE TPRM expert today!