Collision Course: The Inevitable Convergence of Third Party Risk and Exposure Management
In February 2024, a ransomware attack on a critical player in the US healthcare infrastructure sent shockwaves through the US and globally. Pharmacies were unable to process prescriptions using patients' insurance, leading to delays in medication dispensing and highlighting the fragility of the healthcare supply chain. Hospitals and medical offices faced severe operational disruptions, struggling to provide patient care, submit insurance claims, and receive payments. The American Hospital Association called it "the most significant and consequential incident of its kind against the US health care system in history."
This incident underscored a stark reality: in our interconnected digital ecosystem, a single point of failure in a third-party vendor can cascade into a nationwide, and global, crisis. Patrick Opet, Chief Information Security Officer at J.P. Morgan Chase, said it best in his Open Letter to Third Party Suppliers:
“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.”
Traditional third-party risk management approaches, reliant on periodic assessments and static controls, are proving time and again inadequate in the face of such dynamic threats. The world changed. Perhaps how we think about managing third-party risk should change as well.
Challenge 1: The expanding digital attack surface
The cybersecurity landscape has been fundamentally reshaped by the rapid expansion of the digital attack surface. Organizations now rely on hybrid and cloud-first infrastructures, remote workforces, and an ever-increasing array of connected devices. This complexity introduces new and uncharted vulnerabilities. Every employee working from home, every new SaaS application, and every connected endpoint becomes a potential entryway for threat actors.
The Gartner Report, Innovation Insight: Attack Surface Management, found that only 17% of organizations can clearly identify and inventory a majority (95% or more) of their assets. Many of these organizations continue to deploy partial tools or manual processes to simply inventory, let alone assess, their growing footprint.
But among the most critical contributors to this growing exposure is the reliance on third parties. Bitsight TRACE Research found that the modern enterprise manages dozens of providers and hundreds of products. Some of the largest enterprises manage tens of thousands of third parties. This is not to mention the suppliers of those suppliers.
Vendors, partners, service providers, and contractors form an interconnected digital ecosystem that extends an organization’s boundaries well beyond the firewall. While these relationships are essential for agility and innovation, they introduce incredible risk that traditional models struggle to govern.
Challenge 2: The rise of AI-driven threats and the democratization of cybercrime
As the attack surface has exploded, so has the capability of adversaries. Threat actors are increasingly leveraging artificial intelligence to automate reconnaissance and craft sophisticated campaigns to bypass traditional defenses.
Bitsight TRACE’s 2025 State of the Underground highlights just how widespread the challenge has become. Ransomware attacks grew by 25%. Stolen credentials available on the dark web grew by over 34%. Underlying the challenge is this ‘democratization of cyber crime.’ Creating your own ransomware group, shopping for data breach information to exploit, or building your own stealer technology is both simple and lucrative. Unique data breach information shares grew by 43% while the number of ransomware groups grew by an incredible 53%.
Simply put, it has never been easier to be bad.
This sprawl of cybercrime changes the equation. Cyber risk is no longer something that evolves over months; it is fluid and real-time. It renders static frameworks for annual or quarterly checks obsolete a few minutes after they are stamped for approval.
This is never more apparent than through the lens of managing third-party risk. The 2025 Verizon Data Breach Investigations Report found that a staggering 30% of breaches were linked to third-party involvement. Even more alarming is the rate at which these incidents are growing: more than double that of a year ago!
Something is not working.
TPRM: From governance to exposure management
Traditional Third-Party Risk Management (TPRM) was built for a different era. Rooted in periodic assessments, spreadsheets, and static frameworks, it reflects a governance mindset that is woefully insufficient in today’s threat environment. Risk managers often operate on timelines measured in weeks or quarters, while attacks can occur and escalate in seconds.
This disconnect has rendered traditional TPRM inefficient at best and, in many cases, ineffective altogether. A recent Ponemon Institute study revealed that only 36% of organizations are confident their TPRM programs can effectively mitigate third-party risks in real time. Bitsight’s Cyber Risk Intelligence Global Survey found that only 1 in 3 enterprises continuously monitor all of their third-party relationships for risk exposure.
While there continues to be this need for compliance management, there is now an additional, and perhaps more pressing imperative, for exposure management, vulnerability assessment and mitigation.
The old approach asked: "Is this vendor compliant with our policies?" Forward-thinking CISOs and security teams are now asking: "Is this vendor exposed right now?"
The future of third-party risk lies in transforming governance-centric TPRM into real-time exposure management: Third-Party Risk and Exposure Management (TPREM).
A new model: Third-Party Risk and Exposure Management
The change requires a shift. A shift in architecture. A shift in teams. And most importantly, a shift in mindset.
“There is no longer a difference between first and third party risk … it’s all the same. Managing exposure in the supply chain is every bit an operations problem as it is a governance one.”
What was once relegated to the compliance team is now square in the sights of the Security Operations Center. And the maddening question those operators are trying to answer is this:
“How do I fix what isn’t mine?”
The answer is a combination of three intelligence engines—integrated, correlated, and contextualized—and unlocked through AI.
- Exposure data and vulnerability data
- Real-time threat intelligence
- A vendor network and community
Contextualized data on assets and exposure
Security teams need comprehensive, real-time visibility into the assets and digital footprint of every third party, not just the ones they work with the most. If the bad guys can see it as a way to get in, so should you. This includes IP ranges, cloud infrastructure, web applications, misconfigurations, and vulnerabilities. It extends beyond the third parties and to the 4th, 5th, and nth parties that have the potential to disrupt operations.
But context on this data is everything, separating the wheat from the chaff. Where is it? What is it? How important is it? Context is the cornerstone of prioritization. And more importantly, the foundation of prediction. And in a world of seemingly infinite alerts—where the best we can hope for is mitigation, not remediation—prediction and prioritization are the hallmarks of great security programs.
Threat intelligence that makes data actionable
Exposure data alone—no matter how comprehensive and contextualized—is still insufficient without actionability. Knowing that a vendor’s web server has an unpatched vulnerability is useful. But knowing that the same vulnerability is being actively exploited by a ransomware group targeting your industry? That’s actionable intelligence.
This is where threat intelligence becomes a critical force multiplier in third-party risk and exposure management. It provides the "so what" behind raw data, transforming a long list of misconfigurations and CVEs into a prioritized set of risks aligned to actual threat activity.
Modern threat intelligence offers insights into emerging attacker techniques, active campaigns, exploit trends, and adversary infrastructure. When integrated with third-party exposure data, it allows security teams to distinguish between theoretical risk and imminent threat. For example, if multiple vendors in your ecosystem share a vulnerability currently exploited by a nation-state group, your response timeline must shift from “within the next quarter” to “by the end of the day.”
Moreover, threat intelligence enables organizations to tailor their defenses to specific threat actors and industry-relevant attack vectors, instead of relying on generalized controls. According to Forrester, organizations that integrate threat intelligence into their operational workflows are 30% more likely to respond to incidents within 24 hours, significantly reducing dwell time and the potential blast radius of third-party compromise.
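The correlation this section describes (contextualized exposure data on where an asset is, what it is and how important it is, combined with threat intelligence on what is actually being exploited, by whom and against which sectors) can be made concrete in a small prioritization routine. The following is an added Python example written for this article; it is not Bitsight's code and not part of the original post. The vendors, assets, CVE identifiers and intel entries are constructed placeholders, and the scoring weights and response windows are illustrative assumptions, not a published scoring model.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for illustration only. Vendor names, asset names and
# CVE identifiers are placeholders (the CVE ids are deliberately invalid).
ORG_SECTOR = "healthcare"  # assumed sector of the organization doing the assessment


@dataclass
class Exposure:
    vendor: str
    vendor_tier: int        # context: 1 = critical to operations ... 3 = peripheral
    asset: str
    internet_facing: bool   # context: where is it?
    cve: str                # placeholder identifier
    cvss: float             # base severity of the finding


@dataclass
class Intel:
    exploited_in_wild: bool
    actor: Optional[str] = None          # e.g. "ransomware", "nation-state"
    targeted_sectors: tuple = ()


EXPOSURES = [
    Exposure("VendorA-Pharmacy-Clearing", 1, "claims-api.example", True, "CVE-0000-0001", 9.8),
    Exposure("VendorB-Billing", 1, "portal.example", True, "CVE-0000-0001", 9.8),
    Exposure("VendorC-Catering", 3, "intranet.example", False, "CVE-0000-0002", 8.1),
    Exposure("VendorD-Imaging", 2, "vpn.example", True, "CVE-0000-0003", 7.5),
]

INTEL = {
    "CVE-0000-0001": Intel(True, "ransomware", ("healthcare", "finance")),
    "CVE-0000-0002": Intel(False),
    "CVE-0000-0003": Intel(True, "nation-state", ("energy",)),
}


def score(exp, intel, shared_count, org_sector):
    """Combine severity, asset/vendor context, threat activity and ecosystem spread.
    Weights are assumptions chosen for illustration."""
    s = exp.cvss
    if exp.internet_facing:                      # reachable by an attacker
        s += 2.0
    s += {1: 3.0, 2: 1.5, 3: 0.0}[exp.vendor_tier]  # how important the relationship is
    if intel.exploited_in_wild:                  # theoretical risk vs imminent threat
        s += 3.0
        if org_sector in intel.targeted_sectors:  # campaign aimed at our industry
            s += 3.0
    if shared_count > 1:                         # same flaw across several vendors
        s += 1.0 * (shared_count - 1)
    return round(s, 1)


def response_window(intel, org_sector, shared_count):
    """Translate the threat picture into a remediation deadline (assumed policy)."""
    if intel.exploited_in_wild and (org_sector in intel.targeted_sectors or shared_count > 1):
        return "by end of day"
    if intel.exploited_in_wild:
        return "within 7 days"
    return "next quarter"


def prioritize(exposures, intel_feed, org_sector):
    """Return findings ranked by contextual score, highest first."""
    shared = Counter(e.cve for e in exposures)
    ranked = []
    for e in exposures:
        intel = intel_feed.get(e.cve, Intel(False))  # no intel means not known exploited
        ranked.append({
            "vendor": e.vendor,
            "asset": e.asset,
            "cve": e.cve,
            "score": score(e, intel, shared[e.cve], org_sector),
            "window": response_window(intel, org_sector, shared[e.cve]),
            "shared_with": shared[e.cve] - 1,   # other vendors carrying the same CVE
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(EXPOSURES, INTEL, ORG_SECTOR):
        print(f'{row["score"]:5}  {row["window"]:<14} {row["vendor"]:<26} {row["cve"]} '
              f'(shared with {row["shared_with"]} other vendor(s))')
```

Note that the lowest CVSS finding (VendorD) outranks a higher-scored one (VendorC) because it is internet-facing and known to be exploited, while the two vendors sharing an actively exploited, sector-targeted CVE rise to the top with an end-of-day window. That is the shift from "is this vendor compliant?" to "is this vendor exposed right now?" expressed as code.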
A network of vendors and a shared platform
Organizations invest heavily in building their own robust security controls: undergoing SOC 2 audits, aligning with ISO/IEC 27001 standards, and maintaining libraries of artifacts and attestations that reflect their commitment to protecting data. But these certifications often live in silos—shared inefficiently, inconsistently, and one vendor at a time. A network and shared platform changes that. It enables companies to create once and share with many, reducing friction in the assessment process, and headaches for those charged with managing it.
This network goes beyond sharing static documents and annual assessments though. Managing third-party risk is no longer a solitary pursuit. We are hyperconnected and in desperate need of a community where vendors can collaborate in real time, exchanging threat insights, exposure data, and remediation efforts. A shared, connective ‘tissue’—enabling companies to break out of isolated workflows and into a networked approach to risk management.
This concept mirrors the foundational vision behind Information Sharing and Analysis Centers (ISACs), which have long served as critical hubs for cross-industry threat intelligence exchange. But while ISACs operate as centralized entities, the next generation of TPREM must be more dynamic, decentralized, and vendor-centric. Think of it as a “living ISAC” formed organically across your extended vendor network—not just sharing generic threat advisories, but continuously synchronizing real exposure data, active indicators of compromise, and the specific actions each party is taking to mitigate shared risk.
This level of shared visibility and coordination is what transforms traditional TPRM from a governance checklist into an active, adaptive defense system. Rather than chasing information across disparate systems and manually assessing each vendor, organizations can leverage platform-driven insights to prioritize action, accelerate mitigation, and ultimately build a resilient and responsive digital supply chain.
Evolving security frameworks: From compliance checklists to intelligence engines
At the heart of this transformation lies the security framework itself. Long treated as a static mechanism for regulatory compliance, today’s frameworks must become dynamic, intelligence-driven systems—capable of adapting to real-time conditions and guided by insights from security operations teams.
Traditional control checklists and annual audits are necessary, yet insufficient in a landscape where attackers pivot in hours and where a third party’s compromise can ripple globally. These frameworks must evolve to become the nexus of security, compliance, AND operational decision-making—continuously updated with exposure data across vendors and suppliers and integrating real-time threat intelligence, informing both strategic governance and tactical response. This shift transforms frameworks from passive guardrails into active security engines—not just measuring risk, but continuously managing it.
The catalyst: AI
This shift toward real-time, intelligence-driven third-party risk and exposure management wasn’t possible even a few years ago. The scale, speed, and complexity of today’s threat landscape—spanning thousands of vendors, assets, and attack vectors—demanded more than human capacity alone can manage. But Artificial Intelligence is rapidly bringing this new model to life. By automating vendor assessments, continuously triaging exposure data, correlating risk with threat intelligence, recommending remediations, and even generating and routing workflows, AI enables security and risk teams to operate at machine speed.
And while AI is powerful, it is not THE answer—it is the key that unlocks the answer. Without trustworthy, real-time data about third-party assets and vulnerabilities, AI is forced to autonomously reason with incomplete or outdated inputs. Without context about the business (i.e. the relationship, its own security program, its software and controls) AI is left to draw its own conclusions about what is or is not important. Without threat intelligence informing AI decision-making—including what’s being exploited, by whom, and against which targets—AI cannot distinguish between hypothetical and imminent risk. And without a network of participants to act on shared signals, even the most sophisticated AI-generated workflows fall short of crossing the chasm of effectiveness.
AI can accelerate the journey, but it cannot define the destination. And it most certainly is not the destination itself. We see ‘AI for AI’s sake’ far too often in this rapidly evolving market and sometimes lose sight of one of the things that makes AI so powerful. Its value is dependent on the quality of the signals it processes, the relevance of the context it understands, and the actionability of the ecosystem it supports. To truly modernize TPRM, organizations must not just deploy AI—but empower it with the infrastructure to make decisions that matter, and the community to act on them.
A new era built on timeless fundamentals
As the nature of cyber risk evolves—fueled by third-party dependencies, cloud complexity, and AI-enabled adversaries—it’s easy to feel like the ground is shifting beneath our feet. And in many ways, it is. The scale and speed of modern threats have outpaced the tools and practices many organizations still rely on. Static assessments, quarterly reviews, and disconnected governance frameworks simply can’t protect a dynamic enterprise in real time.
Yet for all this change, one truth remains: the fundamentals still matter. Visibility, context, prioritization, collaboration—these have always been the foundation of effective cybersecurity. What’s changing is our ability to execute on those fundamentals at speed and at scale.
Artificial intelligence is not replacing security teams—it’s elevating them. It’s automating the time-consuming tasks that once delayed action. It’s surfacing critical insights buried in noise. And it’s connecting siloed systems and teams into a coordinated response engine. But AI is only as good as the ecosystem it serves. Without high-quality exposure data, intelligent threat context, and a shared platform for action, AI becomes just another workflow tool—efficient, but empty.
The opportunity before us is not just to modernize TPRM, but to reimagine it. Not as a static, check-the-box governance exercise, but as a living, breathing capability rooted in security fundamentals and supercharged by technology. The future of third-party risk management isn’t about changing what security teams do—it’s about empowering them to do it better than ever before.