5 tips to keep headcount down with agentic AI, translate vendor risk to financial terms with CRQ, and more.

SAFE TPRM Dashboard
By Meghan Maneval
The energy at the recent ISACA Europe conference in London was electric. The halls buzzed with discussions on everything from ransomware payments to quantum computing. Yet, no matter where you turned, the conversation was dominated by one topic: Artificial Intelligence.
As keynotes predicted seismic shifts in AI usage and deep-dive technical sessions explored the mechanics of new AI threats, a core truth emerged: AI risk is no longer theoretical; it’s an immediate, critical organizational problem.
SAFE had the privilege of contributing to the conversation in two key sessions showcasing how to modernize your TPRM program and AI oversight processes for this new reality.
Here are the five key lessons we took from this inspirational event, complete with immediate actions you can take to secure your organization for the future.
Five Key Lessons
1- Map Your Exposure: It’s Hidden in Your Third Parties

AI systems are inherently different from traditional technology. They are dynamic, adaptive, and opaque, introducing new risks like model bias, data governance gaps, and compliance failures. While many companies believe the biggest risk comes from building AI, the far wider and faster-moving threat is in the supply chain. It seems like every vendor, from HR platforms to code repositories, is using AI. And that extends risk far beyond traditional attack surfaces.
Meghan Maneval (image right), Director of Community and Education at SAFE, presented at the 2025 ISACA Europe Conference in London on Auditing AI for Beginners.
One session, presented by Sanaz Sadoughi, Senior Risk Officer for The World Bank, Mary Carmichael, Director, Risk Advisory at Momentum Technology, and Hayriye Cinar, IT Consultant and Founder, Pinkuno IT Ltd, showcased the global perspective on Third Party AI, noting that one of the most immediate and impactful steps organizations can take is updating third-party risk management processes to assess exposure throughout the vendor lifecycle.
“Every vendor is now an AI vendor, knowingly or not. Visibility is the first defense. Map AI across your ecosystem, verify vendor claims with evidence, and apply governance proportional to the risk.” – Mary Carmichael, Director, Risk Advisory at Momentum Technology
Take Action: Don’t wait for vendors to volunteer information. Automate vendor discovery and use a risk-based tiering approach to prioritize and contextualize risk. Implement mechanisms to automatically scan contracts for governance clauses before the contract is signed or renewed to ensure the process remains scalable.
2- Ditch Static Assessments: TPRM Must Be Continuous
Paul Chadwick’s session confirmed what every practitioner fears: spreadsheet-based, annual assessments are dead. They are too slow and too resource-intensive to manage an environment where a vendor’s risk posture can change daily.
“To gain full visibility and drive meaningful reduction in third-party risk, organizations need to move beyond static assessments to continuous, risk-quantified monitoring that tackles the dynamic nature of their environment.” – Paul Chadwick, Senior Solutions Architect, SAFE
Take Action: Augment traditional questionnaires with outside-in, inside-out, and public data scanning. Implement continuous monitoring to identify vendor exposure and breaches, including real-time alerts for control gaps with treatment plans. And be sure these capabilities extend to fourth parties and beyond.

SAFE One Platform: Vendor assessment with Agentic AI
3- Increase Coverage without Increasing Headcount: Fight AI Risk with AI Agents
Most organizations recognize that increased third-party oversight is necessary, but few have the budget or resources to do so. As much as AI is the source of this challenge, it is also the solution. To scale TPRM programs without increasing headcount, organizations must enhance their use of AI throughout the vendor lifecycle.
A walk around the vendor hall revealed one clear truth: SAFE stands alone in our ability to deliver that future. With each conversation, the team was able to showcase our groundbreaking suite of AI agents and ability to automate nearly the entire vendor lifecycle, from discovery and tiering to SOC2 analysis and breach notifications.
Take Action: Take the SAFE TPRM solution for a test drive and assess up to 10 vendors for free. See how you can deploy agentic AI throughout the vendor lifecycle to automate time-consuming manual processes. Our AI agents act as a force multiplier, transforming security teams from evidence collectors into strategic business partners.
4- Quantify Risk in Dollars, Not Colors
My session reinforced that auditing AI isn’t about catching something wrong; it’s about learning how the system works so we can help it do the right thing. Security teams are often so focused on patching vulnerabilities and closing findings that they fail to connect the technical issues to the business impact. But AI governance doesn’t have to be a brake pedal! As my fellow presenters echoed, the right controls can accelerate your organization into the future.
With AI governance, you aren’t starting from scratch, but it’s also not a carbon copy. You probably already have risk management and quantification processes in place. Use those, but add the additional checks and balances that AI systems require.
Take Action: Adopt a Cyber Risk Quantification (CRQ) model that translates vendor exposure into concrete financial terms. This empowers business owners to make fast, risk-informed vendor choices because they can clearly understand the business impact.
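To make the "dollars, not colors" point concrete, here is an added example that is not part of the original post and is not SAFE's CRQ model: a simplified annualized-expected-loss calculation over a constructed vendor portfolio. Every vendor name, event probability and loss range in it is an assumption invented for illustration. It shows why two vendors that both score "High" on a heat map can carry very different dollar exposure, and why a "Medium" vendor can be the one that matters most.

```python
"""Illustrative cyber risk quantification (CRQ): the same vendors scored as heat-map
colors and as annualized expected loss in dollars.  Added example, not SAFE's model;
every vendor, probability and loss figure below is a constructed assumption."""
import random
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    heatmap: str      # color a qualitative assessment gave this vendor (constructed)
    p_event: float    # assumed annual probability of a loss event through this vendor
    loss_min: float   # assumed single-event loss range in USD, modelled as a
    loss_mode: float  # triangular distribution (min, most likely, max)
    loss_max: float


def expected_annual_loss(v: Vendor) -> float:
    """Closed-form annualized expected loss: P(event) x mean single-event loss.
    The mean of a triangular distribution is (min + mode + max) / 3."""
    return v.p_event * (v.loss_min + v.loss_mode + v.loss_max) / 3


def simulate_annual_loss(v: Vendor, years: int = 20000, seed: int = 1):
    """Monte Carlo over simulated years; returns (mean annual loss, 95th-percentile
    annual loss).  The percentile answers 'how bad can a year get', which a single
    color cannot express."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        if rng.random() < v.p_event:
            losses.append(rng.triangular(v.loss_min, v.loss_max, v.loss_mode))
        else:
            losses.append(0.0)
    losses.sort()
    return sum(losses) / years, losses[int(0.95 * years)]


def rank_by_expected_loss(vendors):
    """Order vendors by dollars at risk, highest first."""
    return sorted(vendors, key=expected_annual_loss, reverse=True)


# Constructed portfolio: two vendors rated 'High' and one rated 'Medium'.
VENDORS = [
    Vendor("PayrollSaaS", "Medium", 0.10, 200_000, 800_000, 3_000_000),
    Vendor("CodeHostAI", "High", 0.25, 50_000, 150_000, 500_000),
    Vendor("MarketingChatbot", "High", 0.40, 5_000, 20_000, 60_000),
]


if __name__ == "__main__":
    print(f"{'vendor':<18}{'color':<8}{'ALE (USD)':>14}{'p95 annual (USD)':>20}")
    for v in rank_by_expected_loss(VENDORS):
        ale, p95 = simulate_annual_loss(v)
        print(f"{v.name:<18}{v.heatmap:<8}{expected_annual_loss(v):>14,.0f}{p95:>20,.0f}")
```

Run it and the "Medium" payroll vendor lands at the top of the list with roughly USD 133k of expected annual loss, above both "High" vendors, because a low-frequency, high-severity loss outweighs a frequent, cheap one. A real CRQ program replaces the assumed inputs with evidence (control scores, breach data, contract exposure) and the triangular distribution with calibrated estimates, but the translation from likelihood and impact into a dollar figure the business owner can weigh is the same.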
5- Aggregating Risk to Achieve Singularity
Ultimately, monitoring risk in the supply chain is an exercise in visibility. Your TPRM program can’t live in a silo; it must be a pillar in your organization’s holistic risk management strategy. When feasible, it should consider recognized frameworks and guidelines. The UK Government recently published the proposed Cyber Governance Code of Practice, which reflects many of ISACA’s recommendations. These recognized digital trust standards give organizations a foundation to build a scalable program.
When you take a step back and consider the bigger picture, AI agents make the same kinds of decisions humans do, only faster and at far greater scale. That means your controls and monitoring must be enhanced to keep pace with them.
Take Action: Integrate TPRM workflows with enterprise cyber risk management processes to achieve risk singularity. This level of continuous oversight is necessary to ensure organizations can automatically discover, prioritize, and remediate risk, including the emerging risk introduced by AI.
Taking the Next Step: Try Agentic TPRM in Action for Free

The biggest challenge in the age of AI isn’t the technology itself; it’s the maturity of the risk management programs built to govern it. At SAFE, we’re making that future a reality today. Recognized as a leader in CRQ by Forrester and #1 in TPRM product capability by Liminal Research, SAFE is on a mission to transform cyber risk management. Ready to take the next step? Schedule a demo today.