Why Third Party Risk Is Now A Board-Level Problem

Forbes Councils Member.
Jag is the founder and CEO of Certa, one of the leading third-party management platforms for enterprises.
In July 2024, a single vendor pushed a faulty software update. Within hours, Delta Air Lines lost control of its crew-tracking system. Over the next five days, over 5,000 flights were cancelled and the airline reported $500 million in damages. Not from a cyberattack or a competitor. From a vendor.
That was a wake-up call, but it was also a preview.
Third-party risk management (TPRM) has lived in the back office for decades. Compliance teams sent questionnaires. Vendors filled them out. Someone filed the results. Everyone moved on until the next audit.
That era is over. Three forces are pushing TPRM into the boardroom, and they're converging at the same time.
1. Regulation And Personal Liability
Regulation used to mean paperwork, but now it means personal liability.
Under both DORA and NIS2, senior management can be held personally liable for negligence in cybersecurity oversight. That single change should rewire how every executive thinks about third-party risk.
The exposure is compounding. Three major EU frameworks are now live or approaching enforcement: DORA governs operational resilience for financial institutions and their tech providers. NIS2 expands cybersecurity obligations across 18 sectors. The EU AI Act reaches full enforcement in August 2026 with penalties up to 7% of global annual turnover.
One supply chain failure can trigger reporting obligations across all three regimes at once. Different timelines. Different materiality thresholds. Different regulators. In the U.S., updated NYDFS requirements demand stronger vendor oversight and faster incident reporting. Germany's Supply Chain Due Diligence Act requires that companies vet suppliers on both labor and environmental standards or face legal penalties.
The regulatory surface area has exploded. Most organizations are behind. A recent survey of compliance professionals found 0% fully compliant across DORA, NIS2 and the EU AI Act.
2. Geopolitical Risk And Growth
According to a survey by the World Economic Forum, 83% of respondents identified geopolitical risk as the primary threat to growth, ahead of inflation.
Supply chain disruptions cost businesses an estimated $184 billion a year. McKinsey research shows a single major disruption can wipe out up to 42% of a company's annual EBITDA.
In May 2025, China announced new export controls on critical minerals. Within weeks, Ford shut down a plant because it couldn't source high-powered magnets. Production halted for three weeks.
Your vendors are exposed. Their vendors are exposed. And none of it waits for your annual review cycle. The old question was: "What's our geopolitical exposure?" The right question is: "How fast can we see it and respond?"
3. Vendors And Their AI Agents
Your vendors used to access your data. Now their AI agents make decisions with your credentials, inside your systems, at machine speed.
That's a different category of risk.
For years, third-party risk was about shared data. You gave a vendor access. You managed that access. The relationship was static. The boundaries were clear.
That model is breaking down.
Gartner projects that 40% of enterprise applications will embed AI agents by 2026, up from less than 5% in 2025. These agents don't just analyze data. They act. They can read production logs, open tickets, modify firewall rules, spin up cloud resources and make purchasing decisions.
This changes what "third-party risk" actually means. You're no longer assessing whether a vendor protects your data. You're assessing whether their autonomous systems, running on your credentials, will make decisions aligned with your interests. The risk has shifted from access to agency.
Nearly half of cybersecurity professionals now consider agentic AI the top attack vector. Shadow AI breaches cost $4.63 million per incident on average. And the identity frameworks built for human users were never designed for agents that chain tools together, escalate privileges and propagate actions across entire pipelines.
The old model assessed entity trust: Is this vendor secure? The new model must assess decision trust: Are the autonomous systems acting on this vendor's behalf governed, auditable and aligned with your risk tolerance?
Conclusion
Companies still treating TPRM as a compliance checkbox are running a risk their boards haven't priced in. The ones treating it as a strategic capability will likely be the ones still standing when the next major disruption event occurs.
(In the next article in this series, I will share the core elements of an AI-first TPRM.)
Jagmeet Lamba is the founder and CEO of Certa, one of the leading third-party management platforms for enterprises.
