Most organizations still approach TPRM with outdated models and checklists.

Third-party risk isn’t just a checkbox on a compliance checklist; it is one of the most active insider threats enterprises face today. In Episode 8 of The Cyber Risk Podcast, Resha Chheda, VP of Product Marketing at Safe Security, sits down with Hardik Mehta, Global Head of Risk and Regulatory Compliance at JPMorgan Chase (formerly Head of Cyber Risk at Uber), to unpack the evolving threat landscape of third-party risk management (TPRM).
With 20 years of experience across global organizations, Hardik explains why today’s vendors often have more access than employees, how traditional risk models are failing, and why AI-driven vendor management needs a balance of automation and human oversight.
Three things fundamentally broken in TPRM today
Hardik points to three structural problems with how companies approach third-party risk:
- Vendors prioritize features over security – Many suppliers ship fast and treat security as an afterthought rather than a design requirement.
- Lack of collaboration on access and interconnected systems – Vendors rarely minimize access voluntarily or alert clients when their privileges exceed safe levels.
- Outdated risk models – Legacy risk registers and manual GRC processes can’t keep pace with real-world attacks. “The traditional risk models are completely out the window. Are you iterating on your risk models? Are you quantifying things better so your board understands the impact in dollars and business terms?”
Without quantification and prioritization, third-party risk programs remain administrative exercises instead of security-critical defenses.
Top 5 takeaways from this episode of the Cyber Risk Podcast
1. Third-party risk is no longer point-in-time—it’s real-time
Traditional vendor risk assessments were once annual checklists. But as Hardik explains, that approach is obsolete in today’s cloud-first, AI-driven, always-on world.
“The risk register, which was traditionally looked at once a year, is completely out the window. Now we are talking real-time risk with AI coming in, non-human accounts coming in, and the way vendors do business with us has completely changed.”
For enterprises, this means static assessments create a false sense of security. Attackers exploit the continuous and dynamic nature of vendor relationships, while organizations still operate on outdated review cycles. Hardik urges a deliberate shift towards real-time, risk-based TPRM.
2. Treat vendors as insiders
Vendors are no longer on the periphery—they’re inside the enterprise. Many now receive privileged access levels that go beyond what internal staff have.
“The vendors now are not only getting least-privileged access, but sometimes the highest privilege parameters as soon as they get onboarded—because ramp-up time is too short, or the service needs to be 24/7. That fundamentally changes the insider threat model.”
This creates a dangerous paradox: organizations invest heavily in internal identity controls, while third parties, granted excessive access rights from day one, bypass those same guardrails.
According to Hardik, the solution is not more paperwork, but a mindset shift: vendors must be treated as extensions of the enterprise’s workforce.
“The modern philosophy is to treat your vendors with the same rigor, the same governance mechanism, and hold them accountable as they are your own.”
That means applying zero-trust principles, reviewing vendor access as often and as rigorously as employee access, aligning vendor controls with your own common control framework (e.g., MITRE + NIST CSF), and automating oversight where possible. Anything less leaves organizations blind to insider-like risks.
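The access review described above is the one control in this section that can be automated directly. The following is an added example written for this article, not code from the podcast or from Safe Security: it runs a vendor-focused access review over a constructed identity inventory and flags the conditions Hardik raises, namely vendors holding privilege above a policy cap, vendors holding more privilege on a system than any internal employee does, vendor grants that have not been reviewed within the employee review cadence, and non-human vendor accounts with no accountable internal owner. The tier names, the policy values, the inventory and the reference date are all assumptions made for the example; a real program would read this inventory from its IdP or IAM system.

```python
"""Vendor access review (added example; identities, tiers and policy are constructed assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Privilege tiers in ascending order. The names are assumptions for this example.
TIERS = ["read", "operator", "admin", "owner"]


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str                      # "employee", "vendor", or "vendor-service" (non-human vendor account)
    system: str
    tier: str                      # one of TIERS
    onboarded: date
    last_reviewed: Optional[date]  # None means the grant has never been reviewed
    owner: Optional[str] = None    # internal sponsor accountable for a vendor principal


@dataclass(frozen=True)
class Policy:
    vendor_tier_cap: str = "operator"            # highest tier a vendor may hold without a documented exception
    review_window: timedelta = timedelta(days=90)  # same cadence the employee review uses (assumption)


def rank(tier: str) -> int:
    return TIERS.index(tier)


def review_vendor_access(grants: List[Grant], policy: Policy, today: date) -> List[Tuple[str, str, str]]:
    """Return (principal, system, finding) tuples for vendor grants that breach policy."""
    # The highest tier any employee holds on each system is the bar a vendor should not exceed.
    staff_ceiling = {}
    for g in grants:
        if g.kind == "employee":
            staff_ceiling[g.system] = max(staff_ceiling.get(g.system, 0), rank(g.tier))

    findings = []
    for g in grants:
        if g.kind == "employee":
            continue  # employees are covered by the regular workforce review; this pass is for third parties
        if rank(g.tier) > rank(policy.vendor_tier_cap):
            findings.append((g.principal, g.system, "over-cap"))
        # A system with no employee grant at all gets a ceiling of -1, so any vendor grant on it is flagged.
        if rank(g.tier) > staff_ceiling.get(g.system, -1):
            findings.append((g.principal, g.system, "exceeds-staff"))
        if g.last_reviewed is None or today - g.last_reviewed > policy.review_window:
            findings.append((g.principal, g.system, "stale-review"))
        if g.kind == "vendor-service" and not g.owner:
            findings.append((g.principal, g.system, "unowned-nonhuman"))
    return findings


# Constructed inventory for the example. The vendor on-call account mirrors the quoted
# scenario: onboarded five days ago straight into the highest tier, never reviewed.
TODAY = date(2025, 6, 30)
SAMPLE_GRANTS = [
    Grant("alice@corp", "employee", "payments-db", "admin", date(2021, 1, 4), date(2025, 5, 1)),
    Grant("bob@corp", "employee", "k8s-prod", "operator", date(2022, 3, 1), date(2025, 5, 1)),
    Grant("msp-oncall@vendor", "vendor", "k8s-prod", "owner", date(2025, 6, 25), None, owner="bob@corp"),
    Grant("svc-analytics@vendor", "vendor-service", "payments-db", "read", date(2024, 1, 10), date(2025, 1, 15)),
    Grant("auditor@vendor", "vendor", "payments-db", "read", date(2025, 4, 1), date(2025, 6, 1), owner="alice@corp"),
]


if __name__ == "__main__":
    for principal, system, finding in review_vendor_access(SAMPLE_GRANTS, Policy(), TODAY):
        print(f"{finding:18} {principal:24} {system}")
```

Run as-is, the review flags the vendor on-call account three times (over the cap, above any employee on that cluster, never reviewed), flags the analytics service account for a lapsed review and a missing owner, and leaves the auditor's read-only, recently reviewed grant alone. The "exceeds-staff" check is the direct translation of the point that vendors now get more access than internal staff: it needs no policy constant, only the employee grants already in the inventory.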
3. Flip the GRC model—start with risk appetite, not checklists
Hardik challenges the traditional approach of embedding TPRM within GRC tools as a lifecycle process. Instead, he advocates for flipping the model:
“Design the risk profile. Design your risk appetite. Understand your services and risk thresholds first. Then integrate that with a GRC engine and use risk quantification levers to drive decision making.”
This inversion allows organizations to align vendor oversight directly with business-critical risk, rather than drowning in administrative noise.
4. AI in vendor management: promise and peril
AI will transform TPRM, but Hardik cautions against blind reliance.
“AI vendor management is going to be the next big thing. But if you completely believe what AI outputs without human oversight, you’ll increase reliance on flawed data and create bigger risks.”
The right balance is AI-powered autonomous TPRM with a human in the loop to review and rationalize its output, mandatory for high- and critical-tier vendors. A TPRM program built this way eliminates manual overload and lets TPRM teams focus on actual risk reduction.
5. Don’t rush vendor selection—scores aren’t enough
In his closing advice, Hardik warns against rushing into vendor contracts based on flashy promises or simplistic scores.
“Do not rush in hiring a vendor because they promise every feature—especially in this AI space. Don’t just rely on SOC reports or risk scores. Do your due diligence. Look at their threat models, cloud exposure, and align their risk threshold with yours.”
A scorecard may rate a vendor “green,” but without deeper analysis enterprises risk outsourcing security blind spots that end in regulatory fines and reputational loss. Favor TPRM solutions that put the spotlight on risk and business impact instead of arbitrary scores and check-the-box compliance efforts.
Final thoughts
Third-party risk management is no longer an administrative compliance function—it is core to enterprise resilience. As Hardik Mehta highlights, the problem isn’t that TPRM is “hard to solve.” It’s that most organizations are still approaching it with outdated models and checklists. Watch the Cyber Risk podcast now.
SAFE helps organizations flip that paradigm with autonomous TPRM powered by Agentic AI. We quantify third-party risk in business terms, continuously monitor risks, and prioritize remediation where it matters most. With SAFE, enterprises can move beyond vendor questionnaires and truly treat third parties as insiders—measured, monitored, and managed with rigor. Learn more about how SAFE transforms Third-Party Risk Management by test driving it today.