
Search Results




Blog Posts (43)

  • Nth party risk: What it is and how to address it

    Third party risk management (TPRM) is the process of identifying, assessing, managing, and continuously monitoring the risks your organization and its customers face through business relationships with external vendors, suppliers, and service providers. In the past few years TPRM has grown beyond direct relationships: it now also covers fourth-party and Nth-party relationships, that is, the vendors of your vendors and beyond. This layered view matters because risk in the supply or service chain propagates through your third parties and can reach you unexpectedly. Common risks include information security vulnerabilities, operational disruptions, compliance failures, financial weakness, and reputational damage.

To illustrate fourth- and Nth-party relationships, imagine that your organization uses a third party customer service call center, and that call center suffers an outage at its call management software provider (your fourth party). You have no contract with the software provider, yet the outage still disrupts your operations, delaying service and frustrating customers. Now suppose that same software provider suffers a breach at its contracted data center (your Nth party) that exposes your customers' data. In both cases the problem does not originate with your third party but with its vendors, and their vendors, engaged to deliver the product or service you receive.

Just thinking about fourth- and Nth-party risk can be overwhelming, since the risk landscape seems to grow with every additional layer of a relationship, and many regulatory requirements now expect these risks to be identified and managed. There is no need to panic, though. Effective strategies exist, even with limited resources.

How To Manage Fourth- and Nth-Party Risks

Managing every fourth- and Nth-party risk is neither feasible nor practical. Your time and resources are limited, you hold no direct contracts with these parties (so they owe you nothing legally), and your visibility into their operations is restricted, which makes oversight difficult. A strategic approach is essential, so define what "managing" these risks means in practice. For many organizations it means identifying where fourth- and Nth-party risk exists and confirming that the third party manages those extended relationships effectively.

Strong TPRM practices at your own organization are therefore the foundation: thorough risk assessments, assigned risk ratings, identification of critical vendors, due diligence, well-drafted contracts, and continuous monitoring. These same processes are what let you identify and manage fourth- and Nth-party risk.

Take a stepwise approach and start with your own critical third party vendors and service providers. Critical third parties are those whose business interruption would seriously affect your operations, those that access, process, transmit, or store Personally Identifiable Information (PII) or other confidential data, and any vendor or service provider that interacts with your customers. Targeting them first narrows your scope to where the most significant risk sits.

Build your 4th and nth party inventory

Once you have your list of critical third parties, find out which of their vendors and service providers are essential to delivering products and services to you, or could cause regulatory problems or customer dissatisfaction. Some tips for that task:

• Ask your third parties to list their critical vendor and service provider relationships. Ideally this is a requirement in your critical third party contracts; if it is not, schedule a meeting to explain your objectives and criteria so they can report back. Ask for each organization's name, location, and product or service, and whether any further relationships through their vendors (your Nth parties) could affect your organization or its customers.

• Check your critical vendors' SOC 1 and SOC 2 reports (issued under the SSAE 18 attestation standards) for relevant fourth parties. Look in the "Subservice Organizations" section: these are the providers whose controls your third party relies on to meet its system requirements or commitments to you. Note whether each subservice organization is presented under the carve-out method; if so, its controls are excluded from the report and were not tested by the auditor, and you will need that organization's own SOC report (or other evidence) to close the gap.

Once you have identified these fourth- and Nth-party relationships, keep the inventory current and organized. Look for fourth and Nth parties that serve more than one of your third parties. For example, if all your cloud, data, and analytics providers run on AWS, that concentration is an additional Nth-party risk you may need to assess and address.

Review Your Vendor's TPRM Policy And Practices

You must rely on third parties to manage their own vendor and service provider relationships effectively, so understanding how they do that is a key part of addressing third party risk. Never assume they have it under control: you need evidence that their TPRM practices meet your requirements.

Always review the following:

• Policy: Review their internal third party or vendor risk management policy. Is it comprehensive? Does it clearly define roles and responsibilities? Who is ultimately accountable for TPRM? Does it address each stage of the TPRM lifecycle?

• Risk assessments: Request their inherent risk assessments, risk ratings (including the rating methodology), their definition of critical risk, and how often assessments are performed.

• Due diligence: Request real examples of due diligence performed on critical third parties and review the vendor risk control assessments, which should come from qualified subject matter experts.

• Contracts: Find out whether minimum contract terms and conditions are used to reduce or mitigate risk, and confirm that legally binding, properly managed contracts exist for critical 4th and Nth parties.

• Ongoing monitoring: Ask about their ongoing monitoring requirements and confirm they monitor both risk and performance for their vendors. Ask for evidence of monitoring and whether any incidents or performance failures have occurred.

• Issue management: Ask how TPRM issues are reported, remediated, and escalated.

When you understand how your third parties manage their vendor relationships and can see evidence of effective, timely processes, you can address Nth-party risk with more confidence.

Update your contracts

Your organization relies heavily on third parties to identify and manage the risks of fourth and Nth parties. If your current third party contracts do not require disclosure of critical Nth parties or contain no provisions on managing third party risk, it may be time to amend them. If immediate changes are not feasible, document the required improvements so you can negotiate them before renewal.

Monitor nth party risk

As with any other risk, stay aware of third- and fourth-party risks that could affect your organization or its customers. Require your third party vendors to provide monitoring information about their vendors and service providers, review it regularly (especially after an issue), and insist on evidence of remediation. Consider risk intelligence services to monitor critical or high-risk fourth and Nth parties as well.

In conclusion, fourth- and Nth-party risk may look complex, but a strategic approach makes it manageable. Focus on your critical third parties, build an inventory of their essential vendors, and require them to uphold robust TPRM practices, and you have a solid framework for identifying and mitigating risk proactively. Continuous monitoring and open communication with your third parties will let you find and address the risks in your service and supply chains more effectively.
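The inventory and concentration step described above (under "Build your 4th and nth party inventory") is easier to keep honest as a small dependency graph than as a spreadsheet. The following is an added example, not code from the original post or from TPRA; the vendor names, the edge list and the set of critical third parties are constructed sample data. It assigns each provider its tier along the shortest chain from your organization (1 = third party, 2 = fourth party, 3 and up = Nth party) and reports every downstream provider that more than one critical third party depends on, which is the concentration case the post describes.

```python
from collections import defaultdict, deque

# Constructed sample inventory (not real vendor relationships): one edge per
# (customer, provider, service) relationship reported to us. "us" is our own
# organization; everything downstream of "us" is a third, fourth or Nth party.
EDGES = [
    ("us", "CallCenterCo", "customer service"),
    ("us", "DataCo", "analytics"),
    ("us", "CloudApp", "SaaS platform"),
    ("CallCenterCo", "CallMgmtSoft", "call management software"),
    ("CallMgmtSoft", "ColoDC", "data center hosting"),
    ("CallMgmtSoft", "AWS", "cloud infrastructure"),
    ("DataCo", "AWS", "cloud infrastructure"),
    ("CloudApp", "AWS", "cloud infrastructure"),
]

# Critical third parties chosen per the post's criteria (assumed for the example).
CRITICAL = {"CallCenterCo", "DataCo", "CloudApp"}


def build_graph(edges):
    """Adjacency list: customer -> [(provider, service), ...]."""
    graph = defaultdict(list)
    for customer, provider, service in edges:
        graph[customer].append((provider, service))
    return graph


def tiers(graph, root="us"):
    """Tier of each provider along its shortest chain from root (breadth-first):
    1 = third party, 2 = fourth party, 3+ = Nth party."""
    tier = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for provider, _ in graph.get(node, []):
            if provider not in tier or depth + 1 < tier[provider]:
                tier[provider] = depth + 1
                queue.append((provider, depth + 1))
    return tier


def downstream(graph, start):
    """Every provider reachable from start at any depth (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for provider, _ in graph.get(node, []):
            if provider not in seen:
                seen.add(provider)
                stack.append(provider)
    return seen


def concentration(graph, critical):
    """Downstream providers shared by more than one critical third party,
    mapped to the sorted list of critical third parties that depend on them."""
    dependents = defaultdict(set)
    for third_party in critical:
        for provider in downstream(graph, third_party):
            dependents[provider].add(third_party)
    return {p: sorted(tps) for p, tps in dependents.items() if len(tps) > 1}


def inventory_report(edges=EDGES, critical=CRITICAL):
    """Flat inventory rows (tier, customer, provider, service) plus concentration findings."""
    graph = build_graph(edges)
    tier = tiers(graph)
    rows = sorted((tier[p], c, p, s) for c, p, s in edges if p in tier)
    return rows, concentration(graph, critical)


if __name__ == "__main__":
    rows, shared = inventory_report()
    for t, customer, provider, service in rows:
        print(f"tier {t}: {customer} -> {provider} ({service})")
    for provider, tps in shared.items():
        print(f"CONCENTRATION: {provider} underpins {len(tps)} critical third parties: {tps}")
```

With the sample data, AWS is a fourth party through DataCo and CloudApp and an Nth party through CallCenterCo's software vendor; the report surfaces it once, as a single provider that all three critical relationships rest on, which is exactly the case to raise with the business rather than three separate line items.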

  • TPRM Controls: It’s Not Just About the Third Party

    Introduction

In the modern business landscape, Third-Party Risk Management (TPRM) has become a focal point for organizations seeking to safeguard their operations. Much of that attention goes to assessing third-party vendors with questionnaires, yet Boards of Directors are asking CISOs what the business itself is doing to protect the organization from its third parties. Access management within Complementary User Entity Controls (CUECs) is a crucial internal control that TPRM assessments often overlook. Further protection for third-party access comes from the organization's own Zero Trust strategy and from Artificial Intelligence (AI) and Machine Learning (ML) applications.

Access Management in Complementary User Entity Controls (CUECs)

CUECs are the controls a service provider expects you, the customer, to implement to complement its own control environment; the provider's SOC report is written on the assumption that they are in place and operating. In the context of third-party management these controls are essential to a secure and effective relationship. Critical access management CUECs that organizations often overlook when managing third parties include:

• Access provisioning and deprovisioning controls: According to a Black Kite study, 54% of all third-party breaches were due to unauthorized network access. (1)

• Monitoring of third-party activities: According to a Ponemon Institute study, only 34% of organizations effectively monitor third-party access to critical systems. (2) This leaves significant blind spots in security posture.

• Regular reassessment of third-party access needs: Wiz Research, as reported by Security Magazine, found that 82% of companies unknowingly grant third-party vendors highly privileged roles. (3)

• Validation of CUEC controls: Conventional CUEC validation, where it is performed at all, checks only that a control exists and is designed appropriately, not that it operates, and keeps operating effectively, over time. Checking design alone creates a false sense of security.
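To test the operating effectiveness of the first three CUECs above rather than their existence, compare what the vendor says about its staff with what your identity provider actually shows. The following is an added example, not code from the original post or from any of the studies it cites; the vendor roster, the identity-provider export, the SLA values, the audit date and the privileged role names are constructed assumptions. It flags accounts the vendor no longer lists, accounts still enabled past the offboarding SLA, dormant accounts that should be reassessed, and vendor accounts holding privileged roles.

```python
from datetime import date

# Assumed thresholds for the example; take yours from the contract and your policy.
DEPROVISION_SLA_DAYS = 1    # account must be disabled within one day of the vendor's end date
DORMANT_DAYS = 90           # any third-party account unused this long is reassessed
PRIVILEGED_ROLES = {"Domain Admins", "Owner", "root"}
AUDIT_DATE = date(2025, 4, 1)

# Constructed roster as the vendor reports it: who is currently assigned to our account.
VENDOR_ROSTER = {
    "a.jones@vendor.example": {"active": True,  "end_date": None},
    "b.lee@vendor.example":   {"active": False, "end_date": date(2025, 3, 1)},
    "c.ng@vendor.example":    {"active": True,  "end_date": None},
}

# Constructed export from our identity provider for the vendor's user group.
IDP_EXPORT = [
    {"user": "a.jones@vendor.example",  "enabled": True, "last_login": date(2025, 3, 28), "roles": ["Helpdesk"]},
    {"user": "b.lee@vendor.example",    "enabled": True, "last_login": date(2025, 2, 20), "roles": ["Domain Admins"]},
    {"user": "c.ng@vendor.example",     "enabled": True, "last_login": date(2024, 11, 1), "roles": ["Reader"]},
    {"user": "d.orphan@vendor.example", "enabled": True, "last_login": date(2025, 3, 1),  "roles": ["Reader"]},
]


def audit_vendor_access(roster, idp_export, today):
    """Return (user, finding, detail) tuples. An empty list means the provisioning,
    deprovisioning and reassessment controls operated as designed for this sample."""
    findings = []
    for account in idp_export:
        user = account["user"]
        entry = roster.get(user)
        if entry is None:
            # Provisioning control: an identity we hold that the vendor never reported.
            findings.append((user, "NOT_ON_ROSTER", "account exists but vendor does not list this person"))
        elif not entry["active"] and account["enabled"]:
            # Deprovisioning control: offboarded by the vendor, still enabled by us.
            overdue = (today - entry["end_date"]).days - DEPROVISION_SLA_DAYS
            if overdue > 0:
                findings.append((user, "DEPROVISION_OVERDUE", f"{overdue} days past SLA"))
        if account["enabled"] and (today - account["last_login"]).days > DORMANT_DAYS:
            # Reassessment control: does this person still need access at all?
            findings.append((user, "DORMANT", f"last login {account['last_login'].isoformat()}"))
        privileged = sorted(set(account["roles"]) & PRIVILEGED_ROLES)
        if account["enabled"] and privileged:
            # Highly privileged vendor roles should be exceptional and individually justified.
            findings.append((user, "PRIVILEGED", ", ".join(privileged)))
    return findings


def control_passed(findings, control):
    """Operating-effectiveness verdict for one control over the audited sample."""
    return not any(finding == control for _, finding, _ in findings)


if __name__ == "__main__":
    for user, finding, detail in audit_vendor_access(VENDOR_ROSTER, IDP_EXPORT, AUDIT_DATE):
        print(f"{finding:20} {user:28} {detail}")
```

Run on a real export, the interesting output is not the individual accounts but the verdict per control: a single overdue deprovisioning or orphaned account is evidence that the control is designed but not operating, which is precisely what a design-only CUEC review would have missed.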
Access Management in a Zero Trust Strategy

Zero Trust is fundamentally "never trust, always verify", a principle that significantly strengthens protection of an organization's network and systems when third-party access is granted. Implementing it means moving away from traditional security models that rely on perimeter defenses and instead securing individual assets and data. Traditional models grant broad network access once a user has authenticated; Zero Trust grants only the minimum access needed for the task at hand. (4)

Zero Trust identity and access management controls are implemented on a risk-based approach and may include the following:

• Multi-factor authentication (MFA): Third-party users must authenticate with at least two factors (something they know, have, or are). According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, MFA can stop 30% to 50% of account compromise attacks. (5) The gap from the often-quoted 99% figure reflects how readily phishable factors such as SMS codes and push approvals are bypassed, so prefer phishing-resistant factors for vendor accounts.

• Just-in-time (JIT) access: Third-party users receive temporary, time-limited access only when it is needed, rather than persistent access. This shrinks the window in which an attacker holding a vendor credential can use it to gain unauthorized access.

• Privileged access management (PAM): Session recording and monitoring are implemented for all third-party privileged access. According to Gartner, organizations that implement PAM can reduce the risk of privileged credential abuse by 75%. (6)

• Micro-segmentation: Third-party access is limited to the specific network segments or applications their function requires. Isolating critical systems and sensitive data also makes threats easier to detect and respond to.

• Device posture assessment: The security posture of third-party devices is checked before access is granted, and those devices must meet minimum requirements (current patches, endpoint protection, and so on).
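How the controls listed above combine at the decision point for one third-party request: the following is an added example, not code from the original post or from any Zero Trust product; the vendor-to-segment allowlist, the posture thresholds, the grant cap, the clock and the two sample requests are constructed assumptions. Every request is evaluated on its own, a grant is time-boxed, a privileged segment forces session recording, and an unmet check produces a denial carrying all the reasons, so the same function shows a vendor why a request failed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy for the example. Micro-segmentation: each vendor may only reach
# the segments it is contracted for; segments holding sensitive data are privileged.
SEGMENT_ALLOWLIST = {"VendorCo": {"app-crm", "db-crm-replica"}}
PRIVILEGED_SEGMENTS = {"db-crm-replica"}
MAX_GRANT = timedelta(hours=4)       # JIT: no standing access, grants are short-lived
MAX_PATCH_AGE_DAYS = 30              # device posture minimum
REQUIRED_FACTORS = 2                 # MFA: at least two distinct factor types


@dataclass
class AccessRequest:
    vendor: str
    user: str
    segment: str
    factors: set                     # factor types presented, e.g. {"password", "hardware_key"}
    device: dict                     # posture as reported by the endpoint agent
    ticket_approved: bool            # an approved JIT/change ticket is on file
    hours_requested: float


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None
    record_session: bool = False     # PAM: privileged sessions are recorded


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Zero Trust policy decision for a single third-party access request."""
    reasons = []
    if len(req.factors) < REQUIRED_FACTORS:
        reasons.append("mfa: fewer than two factor types presented")
    if req.segment not in SEGMENT_ALLOWLIST.get(req.vendor, set()):
        reasons.append(f"segmentation: {req.vendor} is not allowed to reach {req.segment}")
    if not req.ticket_approved:
        reasons.append("jit: no approved ticket for this access window")
    d = req.device
    if not d.get("edr_running"):
        reasons.append("posture: endpoint protection not running")
    if d.get("patch_age_days", 10**6) > MAX_PATCH_AGE_DAYS:
        reasons.append("posture: OS patches older than policy allows")
    if not d.get("disk_encrypted"):
        reasons.append("posture: disk not encrypted")
    if reasons:
        return Decision(False, reasons)
    grant = min(timedelta(hours=req.hours_requested), MAX_GRANT)
    return Decision(True, [], now + grant, req.segment in PRIVILEGED_SEGMENTS)


def grant_is_valid(decision: Decision, now: datetime) -> bool:
    """A JIT grant is honoured only inside its window; afterwards the vendor re-requests."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


# Constructed sample inputs.
NOW = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)
GOOD_DEVICE = {"edr_running": True, "patch_age_days": 12, "disk_encrypted": True}
STALE_DEVICE = {"edr_running": True, "patch_age_days": 75, "disk_encrypted": True}
OK_REQUEST = AccessRequest("VendorCo", "a.jones", "db-crm-replica",
                           {"password", "hardware_key"}, GOOD_DEVICE, True, 8)
BAD_REQUEST = AccessRequest("VendorCo", "a.jones", "db-hr",
                            {"password"}, STALE_DEVICE, False, 1)

if __name__ == "__main__":
    print(evaluate(OK_REQUEST, NOW))
    print(evaluate(BAD_REQUEST, NOW))
```

The eight-hour request is capped to the four-hour policy maximum rather than refused; a real deployment would re-run the posture checks when the vendor asks for an extension rather than silently renewing the grant.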
Leveraging Artificial Intelligence (AI) and Machine Learning (ML) in a Zero Trust Strategy

One AI-assisted detection system reported detecting cyberattacks with 85% accuracy. (7) Examples of AI and ML applications in a Zero Trust strategy include the following:

• Anomaly detection: AI and ML algorithms can be trained to detect unusual patterns or behavior on the organization's network. Deviations from normal activity may indicate a threat; for example, a spike in access requests from unfamiliar locations can trigger an alert for investigation. (8)

• Behavioral analysis: ML models can establish a baseline of normal activity for each user. Deviations from that baseline can flag potential insider threats or compromised accounts. (8)

• Threat intelligence integration: Analyzing threat intelligence feeds alongside internal network data supports better-informed access control and mitigation decisions. ML algorithms can prioritize and contextualize threat intelligence so security teams focus on the most critical risks. (8)

• Adaptive access controls: ML-driven access control can adjust permissions dynamically from real-time risk assessment. By continuously evaluating user behavior, device health, and network conditions, these systems grant or revoke access as conditions change. (8)

Case Studies

Case Study 1: Implementing Complementary User Entity Controls in a Retail Environment

A leading retail company implemented Complementary User Entity Controls to strengthen its third-party risk management, establishing strict access controls and clear usage policies for third-party vendors accessing its systems. This improved its ability to detect and respond to unauthorized access attempts and significantly reduced its risk of a data breach.
The implementation of these controls also led to better accountability and adherence to security protocols among third-party vendors.

Case Study 2: Adopting Zero Trust Controls in a Technology Firm

A technology firm adopted a Zero Trust strategy to manage third-party access to its network and critical systems. Every access request was verified regardless of its source, and user activity was monitored continuously. Multi-factor authentication and least-privilege access ensured that only authorized users could reach sensitive data. The strategy not only prevented unauthorized access but gave the firm granular visibility into third-party activity, enabling proactive threat detection and response.

Conclusion

Third-party assessments remain a cornerstone of TPRM, but a comprehensive risk management strategy also requires the broader access controls described here. By validating both the design and the operating effectiveness of critical access management CUECs and by implementing Zero Trust access controls, organizations improve their resilience against the many risks of third-party relationships. AI and ML applications can help keep those access controls robust and responsive to evolving threats. TPRM is not just about the third party; it is a holistic approach to risk management that safeguards the organization from within and beyond.

References:

(1) Black Kite, "Third-Party Breach Report," Vol. 5, 2024. [Online]. Available: https://blackkite.com/wp-content/uploads/2024/03/third-party-breach-report-2024.pdf

(2) Imprivata, "Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year," February 13, 2025. [Online]. Available: https://www.imprivata.com/company/press/imprivata-study-finds-nearly-half-organizations-suffered-third-party-security

(3) Security Magazine, "82% of companies give third parties access to all cloud data," January 26, 2021. [Online]. Available: https://www.securitymagazine.com/articles/94435-of-companies-give-third-parties-access-to-all-cloud-data

(4) Cipher, Alex, "Zero Trust: Redefining Cybersecurity," 2024.

(5) Cybercrime Magazine, "Multi-Factor Authentication Is (Not) 99 Percent Effective," February 23, 2023. [Online]. Available: https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/

(6) CTO (Core Team One), "Did you know? 74% of data breaches start with the abuse of privileged credentials," June 12, 2024.

(7) Furness, Dylan, "An AI Cybersecurity System May Detect Attacks with 85 Percent Accuracy," Emerj, November 9, 2024. [Online]. Available: https://emerj.com/an-ai-cybersecurity-system-may-detect-attacks-with-85-percent-accuracy/

(8) Goraga, Zemelak, "AI and ML Applications for Decision-Making in Zero Trust Cyber Security," Vol. 1, SkyLimit Publishing, 2024, pp. 2-3.
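Returning to the "Monitoring of third-party activities" CUEC and to the anomaly-detection and behavioral-analysis items in the AI/ML section above: the following is an added example, not code from the original post or from any product it cites. It builds a per-user baseline (countries seen, working hours, logins per day) from a week of vendor access logs and scores a later window against it, flagging a new country, off-hours activity and a volume spike. The log format, the IP addresses, the user and vendor names and the spike factor are constructed assumptions; a real baseline would come from a SIEM over a longer window, but the scoring logic is the same.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed key=value log format for the example, one event per line.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vendor=(?P<vendor>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) action=(?P<action>\S+)$"
)
SPIKE_FACTOR = 3.0   # assumption: a day above max(mean + 3*sd, 3*mean) events is a spike


def _line(day, hour, minute, geo, src, user="a.jones", vendor="VendorCo"):
    return (f"2025-03-{day:02d}T{hour:02d}:{minute:02d}:05Z vendor={vendor} "
            f"user={user} src={src} geo={geo} action=login")


# Constructed baseline: five working days, two logins a day from the vendor's US office.
BASELINE_LOGS = [_line(d, h, 14, "US", "203.0.113.5") for d in range(3, 8) for h in (9, 16)]
# Constructed review window: one normal day, then seven logins at 03:xx from a new country.
REVIEW_LOGS = ([_line(10, 10, 2, "US", "203.0.113.5")]
               + [_line(11, 3, 5 * i, "RO", "198.51.100.77") for i in range(7)])


def parse(lines):
    """Parse lines into event dicts; lines that do not match are skipped, not guessed."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def build_baseline(events):
    """Per user: countries seen, hours of day seen, and event counts per day."""
    base = defaultdict(lambda: {"geos": set(), "hours": set(), "per_day": defaultdict(int)})
    for e in events:
        b = base[e["user"]]
        b["geos"].add(e["geo"])
        b["hours"].add(e["ts"].hour)
        b["per_day"][e["ts"].date()] += 1
    return base


def spike_threshold(per_day):
    counts = list(per_day.values())
    return max(mean(counts) + SPIKE_FACTOR * pstdev(counts), SPIKE_FACTOR * mean(counts))


def score(events, base):
    """Return [(timestamp, user, (reason, ...)), ...] for events that deviate from baseline."""
    per_day = defaultdict(int)
    for e in events:
        per_day[(e["user"], e["ts"].date())] += 1
    flagged = []
    for e in events:
        b = base.get(e["user"])
        if b is None:
            flagged.append((e["ts"], e["user"], ("no_baseline",)))
            continue
        reasons = []
        if e["geo"] not in b["geos"]:
            reasons.append("new_geo")
        lo, hi = min(b["hours"]), max(b["hours"])
        if not lo <= e["ts"].hour <= hi:
            reasons.append("off_hours")
        if per_day[(e["user"], e["ts"].date())] > spike_threshold(b["per_day"]):
            reasons.append("volume_spike")
        if reasons:
            flagged.append((e["ts"], e["user"], tuple(reasons)))
    return flagged


def review(baseline_logs=BASELINE_LOGS, review_logs=REVIEW_LOGS):
    return score(parse(review_logs), build_baseline(parse(baseline_logs)))


if __name__ == "__main__":
    for ts, user, reasons in review():
        print(f"{ts.isoformat()} {user} {' '.join(reasons)}")
```

An account with no baseline at all is flagged rather than ignored, since a vendor identity that has never been seen logging in is itself worth a question; that ties the monitoring back to the provisioning CUEC, where such an account should already have been caught.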

  • Understanding AI & Its Risks in Third Party Networks

    This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA's March 2025 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our On-Demand Webinars page and navigate to the March 2025 meeting recording.)

Nowadays, artificial intelligence (AI) seems to be involved in nearly every type of business activity. It is reshaping business operations with greater efficiency, automation, and data-driven insight. Within third party networks, AI-driven technologies are changing how third party risk management (TPRM) practitioners identify and assess risk, because third parties now use AI in critical areas such as supply chain management, financial transactions, and cybersecurity. As that use grows, so do the associated risks. Not all AI is the same, however, and not everything labeled AI truly fits the definition.

The first step in managing AI risk is understanding what AI is and what it is not. NIST's AI Risk Management Framework (RMF) defines AI as "an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy." A custom model built on fixed business rules or simple statistical methods is often not treated as AI for assessment purposes because it has no learning or adaptive capability. Labels are unreliable in both directions, though (rule-based expert systems, listed below, are conventionally classed as AI), so ask the vendor how the system actually produces its outputs and whether it changes with new data rather than relying on the name.

In this blog we will explore:

• Types of AI & Use Cases
• Risks Related to AI
• Risks Related to AI Metrics
• What Should Occur Before Assessing AI Risk
• Assessing AI in Third Party Networks

Types of AI & Use Cases

AI systems can be classified by functionality, level of intelligence, and application. The list below is not exhaustive, but covers some common types.

• Expert Systems: Mimic human expertise in a specific domain by following a set of programmed rules. Examples include diagnostic tools in medicine and legal analysis systems.
• Natural Language Processing (NLP): AI that processes and understands human language, such as chatbots, translation tools, and virtual assistants (e.g., ChatGPT).
• Computer Vision: Enables machines to interpret and act on visual data; used in facial recognition, autonomous driving, and object detection (e.g., Face ID).
• Robotics: AI integrated with robots to perform tasks in manufacturing, healthcare, and service industries.
• Recommendation Systems: Common in e-commerce and entertainment (Netflix and Amazon, for example), these systems analyze user behavior to suggest products or content.
• Generative AI: Creates new content or data (text, images, music) from learned patterns (e.g., deepfake and DALL-E models).
• Cognitive Computing: Mimics human thought processes, often used where decisions must be made under uncertainty (e.g., IBM's Watson).
• Predictive Analytics: Uses historical data to predict future events; widely used in finance, marketing, and supply chain management.

Risks Related to AI

Unlike most risks TPRM practitioners assess, AI can affect far more than your own company: individuals, groups, organizations, communities, society, the environment, and the planet. The risks below are not an exhaustive list. Because the technology is so new, risks are still being discovered, including as threat actors put AI to their own use.

• AI systems can be trained on data that changes over time, sometimes significantly and unexpectedly, affecting functionality and trustworthiness.
• AI systems and the contexts they are deployed in are frequently complex, making failures hard to detect and respond to when they occur.
• AI systems are inherently socio-technical: they are shaped by societal dynamics and human behavior.
• Without proper controls, AI systems can amplify, perpetuate, or exacerbate inequitable or undesirable outcomes for individuals and communities.
• AI risks or failures that are not well defined or adequately understood are difficult to measure quantitatively or qualitatively. If you do not know how the AI operates or is trained, you may not recognize a failure or a risk when it happens.

Risks Related to AI Metrics

Transparency is the central theme in understanding how an AI system works, and part of transparency is thoroughly understanding the metrics used to evaluate it. Those metrics carry their own risks, and it is important to recognize how they affect AI performance and decision-making. Some of them:

• The risk metrics or methodologies used by the organization developing the AI system may not align with those used by the organization deploying or operating it, and the developer may not be transparent about the metrics or methodologies it used.
• There is still no industry consensus on robust, verifiable methods for measuring risk and trustworthiness, or on how those methods apply across AI use cases.
• Approaches for measuring the impact of AI decisions on a population work only if they recognize that context matters, that harms may fall differently on different groups or sub-groups, and that the communities who may be harmed are not always direct users of the system.
• Measuring risk early in the AI lifecycle may yield different results from measuring it later.
• Measurements made in a laboratory or controlled environment give important pre-deployment insight, but may differ from the risks that emerge in operational, real-world settings.

What Should Occur Before Assessing AI Risk in Third Party Networks?

Before assessing AI risk in third party networks, lay the groundwork within your own organization. Clear guidelines and considerations set out beforehand make the assessment far more effective. Consider the following steps:

• Create an Acceptable Use Policy that defines how AI will be used within the organization and how your data may be used within third party AI systems.
• Train Employees on what AI is and on its acceptable use.
• Leverage an AI Framework to inform contracts and assessments (the NIST AI Risk Management Framework is a good example).
• Contract for AI: specify in contracts the data usage allowed, the AI types allowed, ethical considerations, decision-making responsibilities, and data ownership.
• Think through an Exit Strategy for Critical and High risk third parties, covering data retrieval and deletion on termination, model and algorithm ownership, intellectual property rights, data privacy, knowledge transfer, and continuity of operations.

Assessing AI in Third Party Networks

Once AI policies are established within your own organization, you are ready to assess AI within third party networks. Recognize that nearly every company today uses AI, directly or through its partners. Assessing AI follows the same principles as other information security evaluations, but with distinct challenges: data quality, model interpretability, and the potential for bias add complexity. Organizations should therefore prioritize responsible AI development, which means balancing innovation with ethical considerations, social impact, and sustainability.

When assessing AI in third party networks, review the risks related to:

• The AI's Capabilities & Models, to determine how effectively and ethically the system operates.
• Data Quality & Protection, to guard against ethical, legal, and operational risk, foster trust, and ensure the system operates accurately and securely.
• Security & Access Controls, to protect sensitive data, maintain model integrity, and ensure compliance with regulatory standards.
• Performance & Reliability, to ensure the system operates as intended, adapts to real-world conditions, and delivers dependable outcomes.
• Governance & Oversight, to ensure the system is used responsibly, safely, and effectively. In third party networks, strong governance and oversight hold external partners to the same standards, preserving the integrity of the organization's AI ecosystem and protecting against external threats.

Conclusion

AI is becoming an integral part of third party networks, and it is safest to assume your third parties are using it in some capacity. That makes it crucial to understand how they use AI, the risks that come with it, and the metrics used to evaluate it. With that understanding you can make better-informed decisions and strengthen your risk management strategy.


Other Pages (468)

  • Agenda (2026) (List) | TPRA

    TPRM Summit Strategies

    Monday, April 20, 2026, 3:00 PM - 5:00 PM, Check-In: Early Check-In. Check-in early for this event to jumpstart your expedition into the TPRM wilds! Ease into the conference experience by taking advantage of early check-in on Monday afternoon. Pick up your badge, conference materials, and get oriented before the…

    Monday, April 20, 2026, 6:00 PM - 8:00 PM, Network Event: Trailblazer Meet & Mingle. Join us for an evening of connection and conversation at our Welcome Networking Event on the first night of the conference. Gather with fellow attendees, speakers, and sponsors to exchange ideas, share expectations, and forge new relationships over refreshments. As we prepare to explore the peaks and pitfalls of the third-party risk landscape, this relaxed evening offers the perfect basecamp to meet your fellow climbers.

    Tuesday, April 21, 2026, 7:30 AM - 9:00 AM, Meal: Breakfast & Check-In. Fuel up for the summit! Tuesday morning check-in continues for those arriving day-of. Enjoy a hot breakfast while networking with peers and getting ready to tackle a full day of insights and inspiration. With your gear in hand and the terrain ahead, this is the moment to ground yourself before the first keynote and start charting your personal TPRM course.
