Third-party risk management is undergoing a fundamental transformation
The landscape of third-party risk management (TPRM) is undergoing a fundamental transformation, driven by an explosion in the number and complexity of external relationships and a new era of heightened, interconnected risks. The traditional model of annual or biennial assessments is proving insufficient. To keep pace, risk leaders are embracing new strategies, with AI and centralization emerging as powerful catalysts for a more proactive, efficient, and effective approach.
The Expanding Ecosystem and the Volatile Risk Environment
In the modern business world, companies are increasingly reliant on a vast network of external partners, from cloud services and SaaS providers to specialized fintechs and supply chain logistics firms (EY, 2025). This expansion, a direct result of digital transformation, has sharply increased the number and complexity of third-party relationships.
Third Parties and NTTPs: The number of third-party relationships managed by a typical company has risen significantly in recent years (EY, 2025). This is further complicated by the growing reliance on non-traditional third parties (NTTPs) such as strategic partnerships, resellers, and broker-dealers, which are increasingly difficult to monitor. The 2025 EY Global Third-Party Risk Management Survey notes that the number of NTTPs monitored increased by an average of 20% relative to the previous year.
Nth-Party Risks: The concept of third-party risk is now a “misnomer” (EY, 2025). Businesses must now consider nth-party risks—extending due diligence to their third parties’ subcontractors. Nearly two-thirds (64%) of respondents to the survey stated that their diligence includes validating their third parties’ TPRM programs and assessing their subcontractors’ risks (EY, 2025).
Shifting Risk Focus: The external risk environment has become more volatile, interconnected, and non-linear. This has led to a major shift in risk priorities. “Operational risk” has jumped to the top spot among factors considered when monitoring subcontractors, cited by 57% of respondents in the 2025 survey, a significant increase from 40% in 2023. Similarly, “business continuity and resilience” has shown the steepest increase in importance for defining a critical third party, rising from 14% in 2023 to 23% in the current survey (EY, 2025).
AI: A Catalyst for Reinventing TPRM
The sheer scale and complexity of today’s third-party ecosystem make manual, traditional TPRM processes unsustainable. AI is the game-changer, offering not just marginal efficiency gains but a fundamentally different approach to managing risk. While AI adoption in TPRM is still in its early stages—with only 13% of companies having optimized their programs to a “Level 5” maturity—the desire to invest is strong (EY, 2025).
AI can reinvent the entire TPRM lifecycle:
Proactive and Predictive Monitoring: The future of TPRM replaces static, periodic assessments with 24/7, real-time monitoring based on sophisticated data analysis. As seen in the opening story, an AI assistant like Orion can continuously monitor social media, news, and other data sources to predict and alert a human manager to a potential supply chain disruption before it escalates (EY, 2025).
Automating Repetitive Tasks: AI streamlines manual processes like data collection, initial risk assessments, and vendor onboarding, which are often time-consuming and prone to human error. AI models can assess risks and provide objective risk scores based on historical data and predictive analytics (EY, 2025).
Agentic AI and the Future of Due Diligence: The next generation of AI, including agentic AI, has the potential to fundamentally transform interactions. Instead of relying on manual document reviews, AI agents could work directly with agents at third-party organizations to negotiate contracts, ensuring terms are aligned with business objectives and regulatory requirements. After human review, these agreements could even be encoded as smart contracts on the blockchain for transparent, automated monitoring (EY, 2025).
The EY survey highlights the ambition for change, with the top drivers for future investment being “AI/ML capabilities for enhanced due diligence and contract performance/monitoring” (31%), “data-driven approach to monitor third parties” (28%), and “automation of due diligence” (27%) (EY, 2025).
Centralization: Unifying the TPRM Function
Alongside AI, centralization is a key trend in TPRM transformation. Historically, TPRM efforts have been fragmented, with multiple business units and departments conducting their own assessments and using different questionnaires. The 2025 survey reveals that about four in ten companies (43%) still use multiple questionnaires for different risk domains, sending an average of 55 questionnaires per third party (EY, 2025). This fragmented approach creates unnecessary friction and a significant compliance burden.
A centralized, enterprise-wide TPRM program offers numerous benefits:
A Holistic Risk View: Centralization allows an organization to connect the dots across different risk verticals, such as cybersecurity, financial health, and operational resilience. A centralized approach helps a company see the “big picture” and avoid fragmented, siloed risk assessments (EY, 2025).
Increased Maturity: Organizations with centralized TPRM structures show greater maturity in key areas compared to those with hybrid structures. This includes third-party inventory (58% centralized vs. 39% hybrid), risk models (51% vs. 36%), and assessment methodology (49% vs. 33%) (EY, 2025).
Efficiency and Coordination: Centralization reduces duplicative efforts and friction points with third parties. A coordinated, streamlined outreach replaces multiple, redundant requests, leading to a better user experience (56%), increased understanding of risks (52%), and data completeness and accuracy (51%) (EY, 2025).
The emergence of AI provides the perfect opportunity to accelerate this centralization journey. AI-powered platforms can serve as a centralized control tower, aggregating data and providing a single, holistic view of risk across the entire enterprise. This synergy between AI and centralization is the key to managing risk in a more effective, proactive, and resilient way.
Actions for Risk Leaders
To navigate this transformation, risk leaders must take decisive steps:
Focus on the Enterprise: Shift from a narrow, vertical-specific view of risk to a holistic, enterprise-level approach. This requires understanding how third-party risks impact overall business objectives and aligning different business units, from Procurement to Cybersecurity, under a common risk management framework.
Invest in AI Readiness: While AI adoption is still low, the ambition is high. Bridging this gap requires a thorough assessment of existing processes, improving data quality and governance, and upskilling the workforce. Leaders must prepare their organizations for the next waves of AI by monitoring trends and investing in the necessary infrastructure.
Question Assumptions and Accelerate Tipping Points: The pain and cost of manual third-party risk assessments are increasing with the swelling number of relationships. This is changing the economics of AI adoption, making the financial incentive to invest in automation greater than ever. Leaders should question old assumptions and recognize that the “cloud-first” paradigm will soon become an “AI-first” paradigm for TPRM (EY, 2025).
References
EY. (2025). How AI navigates third-party risk in a rapidly changing risk landscape. Available at: https://www.ey.com/en_gl/insights/consulting/how-ai-navigates-third-party-risk-in-a-rapidly-changing-risk-landscape (Accessed: 8 September 2025).

Mazharul Islam,
Corporate Legal Practitioner,
Member of Harvard Business Review Advisory Council.
He can be reached at mazhar@insightez.com
