Effective TPRM programs will stop trying to do more and start operating differently.

Assessment of a third party with agentic AI
By Josh Fazio
As we officially close 2025, many third-party risk management (TPRM) leaders are taking a hard look at their programs and realizing something uncomfortable. I spent 2025 working with TPRM leaders and analysts of all shapes and sizes, and here are some of my takeaways.
Josh Fazio is Global Vice President, Solutions Architects, for SAFE.
The big question was, “We did a lot of work this year — but did we actually reduce risk?”
Across industries, organizations invested more time than ever in vendor assessments, questionnaires, ratings, and compliance reporting. Yet many teams ended the year overwhelmed, understaffed, and still struggling to answer basic questions about their third-party exposure.
Here are the biggest lessons 2025 taught us — and what needs to change in 2026.
Lesson #1: More Vendors Didn’t Mean Better Visibility
Vendor ecosystems continued to grow faster than most TPRM programs could track. Shadow SaaS, decentralized procurement, and rapid onboarding made it difficult to maintain a clean, accurate inventory.
What we saw:
One large enterprise believed it was managing 1,200 vendors. After correlating identity, procurement, and contract data, it discovered closer to 2,000, many with unknown access and no owner.
👉 Lesson: You can’t manage third-party risk if you don’t know who all your third parties are.
Lesson #2: Questionnaires Hit a Scaling Wall
Questionnaires remained the backbone of TPRM in 2025, and they were also its biggest bottleneck.
Teams spent most of their time:
- Chasing responses
- Reviewing boilerplate answers
- Manually parsing SOC 2 reports
- Updating spreadsheets
What we saw:
A mid-sized security team was running 400+ assessments a year with no increase in headcount and still missing meaningful issues at critical vendors.
👉 Lesson: Manual assessments don’t scale, and effort does not equal insight.
Lesson #3: Risk Scores without Context Didn’t Drive Decisions
External ratings and checklist scores were often used as shortcuts, but they failed to answer the questions business leaders actually ask:
- How critical is this vendor to operations?
- What data do they touch?
- What happens if they fail?
- Has their risk changed over time?
What we saw:
Security teams struggled to explain why a “medium-risk” vendor was actually a bigger concern than a “high-risk” one, leading the business to disengage or push back.
👉 Lesson: Risk without business context isn’t actionable.

Fourth-party risk assessment, SAFE One platform
Lesson #4: Fourth-Party Risk Was the Blind Spot that Finally Surfaced
In 2025, it became clear that managing vendors in isolation is no longer enough.
Organizations increasingly discovered that:
- Multiple “low-risk” vendors depended on the same cloud, identity, or security provider
- A single upstream outage or breach could impact dozens of downstream services
- TPRM programs had no visibility into these dependencies until something broke
What we saw:
Teams scrambled to answer basic questions during incidents:
“Which of our vendors rely on this provider?”
“How exposed are we?”
“Who needs to act first?”
👉 Lesson: Third-party risk is no longer just vendor-by-vendor — it’s ecosystem risk.
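One way to answer those three incident questions from a vendor inventory, as an added example that is not SAFE's code or part of the original post: invert each vendor's list of upstream providers into a provider-to-vendors map and weight it by business criticality. The inventory, provider names and flagging thresholds below are constructed for illustration.

```python
# Added example (not SAFE's code): fourth-party concentration analysis over a
# constructed vendor inventory. Each vendor record lists the upstream providers
# it depends on; inverting that map exposes shared single points of failure.
from collections import defaultdict

# Constructed sample inventory; names and tiers are illustrative only.
# criticality: 3 = business-critical, 2 = important, 1 = low impact
VENDORS = [
    {"name": "PayrollCo",   "criticality": 3, "upstream": ["CloudA", "IdP-X"]},
    {"name": "HelpdeskHQ",  "criticality": 1, "upstream": ["CloudA"]},
    {"name": "AnalyticsIO", "criticality": 1, "upstream": ["CloudA", "CDN-Y"]},
    {"name": "CRMBase",     "criticality": 2, "upstream": ["CloudB", "IdP-X"]},
    {"name": "ChatLite",    "criticality": 1, "upstream": ["CloudB"]},
]

def provider_dependents(vendors):
    """Invert vendor -> upstream providers into provider -> [vendor records]."""
    deps = defaultdict(list)
    for v in vendors:
        for p in v["upstream"]:
            deps[p].append(v)
    return deps

def exposure(vendors, provider):
    """'Which vendors rely on this provider?' and 'how exposed are we?':
    returns (vendor names ordered by criticality, highest first, then name;
    summed criticality). The ordering is the 'who acts first' list."""
    dependents = provider_dependents(vendors).get(provider, [])
    ordered = sorted(dependents, key=lambda v: (-v["criticality"], v["name"]))
    return [v["name"] for v in ordered], sum(v["criticality"] for v in ordered)

def concentration_flags(vendors, min_vendors=3, min_exposure=4):
    """Flag providers that many vendors share, or that carry a large share of
    business-critical weight (thresholds are constructed defaults).
    Each flag is (provider, dependent_count, summed_criticality)."""
    flags = []
    for p, deps in provider_dependents(vendors).items():
        weight = sum(v["criticality"] for v in deps)
        if len(deps) >= min_vendors or weight >= min_exposure:
            flags.append((p, len(deps), weight))
    # Highest exposure first, then most dependents, then name for stability.
    return sorted(flags, key=lambda f: (-f[2], -f[1], f[0]))

if __name__ == "__main__":
    for p, n, w in concentration_flags(VENDORS):
        print(f"{p}: {n} dependent vendors, exposure weight {w}")
    print(exposure(VENDORS, "IdP-X"))
```

Note that IdP-X is flagged even though only two vendors use it, because both are high-impact; counting dependents alone would have missed it.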
Lesson #5: Compliance Pressure Increased, Resources Didn’t
Regulatory expectations continued to rise in 2025 (DORA, NIS2, HIPAA, PCI), but most TPRM teams weren’t given additional people or time.
What we saw:
Teams rebuilt audit trails from emails and spreadsheets in the weeks before audits, even though the “work” had technically already been done.
👉 Lesson: Sustainable compliance requires automation, not heroics.
What Needs to Change in 2026
In 2026, effective TPRM programs will stop trying to do more and start operating differently.
Successful programs will:
- Start with continuous vendor discovery, not static lists
- Use automation and AI to eliminate low-value manual work
- Anchor risk in business impact, not just control gaps
- Treat continuous monitoring as the default
- Make compliance a byproduct of good risk management, not the goal
How SAFE TPRM Helps Teams Reset for the New Year
This is where SAFE TPRM comes in.
SAFE helps organizations:
- Automatically discover and maintain a complete vendor inventory
- Build a continuously updated risk picture across technical, contractual, and third-party data
- Reduce analyst workload by automating assessments and evidence review
- Prioritize vendors by true business impact
- Detect risk drift and fourth-party concentration early
- Maintain clean, defensible audit trails without manual effort
What we consistently see:
Teams using SAFE can handle significantly more vendors, with clearer prioritization and far less friction, without adding headcount.
Looking Ahead
2025 exposed the limits of traditional TPRM approaches.
2026 is the opportunity to fix them.
The organizations that modernize now will enter the new year with:
- Better visibility
- Faster vendor onboarding
- Stronger risk decisions
- Less burnout
- And fewer audit surprises
For TPRM leaders, the question isn’t if change is needed; it’s whether your program is ready to lead it.
SAFE offers autonomous TPRM with agentic AI. Learn more about TPRM at SAFE.