Financial institutions are facing an unprecedented challenge as artificial intelligence (AI) emerges as a top third-party risk concern, according to the 2026 State of Third-Party Risk Management Survey by Ncontracts. This shift highlights the industry’s readiness to embrace AI while grappling with the complexities and uncertainties it brings.
AI Risk Parallels Cybersecurity Concerns
For the first time, AI risk has been ranked alongside cybersecurity as the top third-party concern among financial institutions. This shift is significant as 72% of institutions admit they are only partially aware of which vendors use AI, and not a single organization feels extremely confident in managing AI risk. The growing sophistication of AI technologies and their integration into various business processes have increased the potential for both operational and reputational risks.
Large organizations, with 5,001 or more employees, are the most affected, falling into the lowest confidence tiers despite their size and sophistication. This suggests that existing third-party risk management (TPRM) frameworks have not yet been adapted to address the unique complexities of vendor AI. The report indicates that the organizations that will lead the pack are those that invest in technology, processes, and metrics to scale their TPRM programs effectively.
TPRM Programs Struggle with Resources and Scale
The survey reveals that TPRM programs are stretched thin, managing hundreds of vendors with limited resources. Nearly two-thirds (63%) of TPRM programs operate with just one or two dedicated full-time employees, and 13% have no dedicated staff at all. More than half (53%) manage 300 or more vendors, creating ratios where individual professionals are responsible for 100 or more vendor relationships. This situation underscores the need for a more robust and scalable TPRM framework that can handle the increasing complexity and volume of third-party relationships.
Michael Berman, founder and CEO of Ncontracts, emphasizes the need for TPRM programs to evolve. “TPRM programs are being asked to do more than ever — more vendors, more risk types, more complexity — with teams that haven’t kept pace,” he says. “The organizations that will pull ahead are those investing now in the technology, processes, and metrics that let their programs scale and demonstrate value.”
Technology Adoption Creates a Compliance Divide
The adoption of technology in TPRM has created a significant divide in compliance effectiveness. Just 10% of institutions still rely on spreadsheets, down from 13% in 2025, as nearly 87% now use TPRM software. The gap in compliance outcomes is stark: manual process users are 71% more likely to receive exam findings and report 50% lower satisfaction with their tools. This highlights the importance of leveraging advanced technology to streamline processes and enhance the accuracy and efficiency of TPRM programs.
The survey also found that mature TPRM programs view the function differently than those with no processes in place. Among organizations with no processes, 67% view TPRM as little more than a compliance formality, a figure that drops to just 13% among the most mature programs. This suggests that a more strategic and proactive approach to TPRM can lead to significant value across the organization.
Key Findings and Takeaways
- AI risk has emerged as a top third-party concern, ranking alongside cybersecurity.
- Large organizations are least confident in managing AI risk.
- TPRM programs are stretched thin, managing hundreds of vendors with limited resources.
- Technology adoption is critical for compliance effectiveness.
- Mature TPRM programs demonstrate higher value across the organization.
Expert Insight
“The emergence of AI as a top risk concern is a wake-up call for the financial industry. It’s clear that traditional TPRM frameworks need to evolve to address the unique complexities of AI risk. Organizations must invest in technology, processes, and people to ensure they are equipped to manage this evolving landscape effectively.”
— Michael Berman, Founder and CEO, Ncontracts
Conclusion
The Ncontracts 2026 State of Third-Party Risk Management Survey underscores the critical importance of AI risk in today’s financial landscape. As AI continues to permeate various aspects of business operations, financial institutions must prioritize the development and implementation of robust TPRM programs. By investing in technology, processes, and expertise, organizations can better manage the risks associated with AI and ensure the integrity and resilience of their operations.
Source: www.morningstar.com
This article was AI-assisted and reviewed by our editorial team.










