How Banking CISOs are Getting Ahead of Third-Party Risk in 2026

June 24, 2026
Banking CISOs face growing regulatory pressure on third-party risk. Here are the TPRM moves to make now—continuous assessment, AI vendor due diligence, and defensible risk ratings—before examiners ask.
IANS

Earlier this year, IANS analyzed nearly 290 interactions between banking security leaders and IANS Faculty. Third-party risk management (TPRM) landed in the top three topics. Why? Merger activity is forcing teams to reconcile incompatible risk rating methodologies. AI vendors are introducing opaque dependencies that traditional assessments weren’t designed to catch. Regulators are raising the bar on what “adequate” third-party oversight looks like.

As a result, security leaders face escalating expectations and outdated processes—and most teams are absorbing the impact without additional headcount. 

The good news: this isn’t a tooling problem. It’s a maturity problem, which means progress is possible without platform replacement or a budget cycle.

Why has third-party risk management outgrown old models?

Annual questionnaires worked for static vendor relationships and modest regulatory expectations. But now:

  • Regulators expect continuous oversight, not periodic reviews. The FFIEC CAT sunset and the migration to successor frameworks such as the CRI Profile have raised the bar. Examiners now ask whether institutions are actively monitoring third-party risk, not just completing assessments on schedule.
  • AI vendors introduce risk traditional questionnaires can’t see. When a SaaS product has an embedded third-party AI model, a standard SOC 2 review won’t surface it. Neither will a yes/no checklist.
  • Mergers force methodology reconciliation under pressure. Different risk rating scales, assessment cadences, and escalation criteria must be aligned before examiners notice the inconsistency.

What do other banking CISOs ask about TPRM?

The questions IANS Faculty members hear most often from banking security leaders reflect pressures such as regulatory scrutiny, AI vendor risk, and merger complexity:

  • "How do we align risk rating methodologies across departments during an organizational merger?"
  • "How do we manage software supply chain risks within our TPRM program?"
  • "How do we structure GRC and IAM teams to support a growing SOX program?"

Each question reflects the same underlying tension: TPRM processes that were built for a simpler environment are now being asked to carry more weight.

Three ways to modernize TPRM

1. Shift from compliance events to continuous assessment

Annual questionnaires and periodic SOC 2 reviews create a false sense of coverage. The question isn’t whether a vendor passed its last assessment; it’s what is happening with that vendor right now.

  • Adopt intelligence-led vendor monitoring. Tools like BitSight and SecurityScorecard provide external telemetry on vendor security posture, independent of what vendors self-report. Treat a rating drop as a trigger for follow-up rather than a verdict: these services observe only a vendor’s internet-facing footprint, not its internal controls.
  • Tier your review cadences. High-risk vendors get reviewed more frequently; lower-risk vendors less so. Match assessment efforts to actual exposure.
  • Quantify vendor concentration risk. Using the Herfindahl-Hirschman Index (HHI), the sum of each vendor’s squared share of your critical dependencies, gives procurement and leadership a visible, defensible metric for how much of the institution rides on one provider.
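The HHI calculation above, as an added worked example rather than anything from the IANS article: the service-to-vendor table is constructed, the weights stand in for whatever unit the program uses (spend, transaction volume or criticality points), and the band cut-offs are an assumed program policy rather than a regulatory threshold.

```python
"""Vendor concentration risk measured with the Herfindahl-Hirschman Index.

Added example (not IANS's code). HHI = sum over vendors of (100 * share_i)^2,
where share_i is the vendor's share of the total weight. It runs from near 0
(many small vendors) to 10,000 (a single vendor carries everything).
"""
from collections import defaultdict

# Constructed sample: critical service -> (vendor, weight). The weight can be
# annual spend, transaction volume or criticality points; any consistent unit works.
SERVICES = {
    "core banking": ("Vendor A", 40),
    "online banking": ("Vendor A", 20),
    "card payments": ("Vendor B", 20),
    "fraud scoring": ("Vendor C", 10),
    "document storage": ("Vendor D", 10),
}

# Assumed policy bands: (exclusive upper bound, label).
HHI_BANDS = [(1500, "diversified"), (2500, "moderate"), (float("inf"), "concentrated")]


def vendor_shares(services):
    """Aggregate weight per vendor and normalise to shares that sum to 1."""
    totals = defaultdict(float)
    for vendor, weight in services.values():
        totals[vendor] += weight
    grand = sum(totals.values())
    return {vendor: weight / grand for vendor, weight in totals.items()}


def hhi(shares):
    """HHI on the conventional 0..10,000 scale (shares expressed in percent, squared)."""
    return sum((100 * share) ** 2 for share in shares.values())


def effective_vendors(shares):
    """Equivalent number of equal-sized vendors: 1 / sum of squared shares.
    Easier for leadership to read than the raw index."""
    return 1 / sum(share ** 2 for share in shares.values())


def hhi_band(value):
    """Map an HHI value onto the assumed policy bands."""
    return next(label for bound, label in HHI_BANDS if value < bound)


def concentration_report(services):
    """The metric a risk committee would see: the index, its band, the effective
    vendor count, and which services sit on the single largest dependency."""
    shares = vendor_shares(services)
    index = hhi(shares)
    top_vendor, top_share = max(shares.items(), key=lambda item: item[1])
    return {
        "hhi": round(index, 1),
        "band": hhi_band(index),
        "effective_vendors": round(effective_vendors(shares), 2),
        "top_vendor": top_vendor,
        "top_vendor_share": round(top_share, 3),
        "services_on_top_vendor": sorted(
            name for name, (vendor, _) in services.items() if vendor == top_vendor
        ),
    }


if __name__ == "__main__":
    for key, value in concentration_report(SERVICES).items():
        print(f"{key}: {value}")
```

With the constructed table, Vendor A carries 60 percent of the weight, which alone contributes 3,600 of the 4,200 total; the effective vendor count of about 2.4 says the portfolio behaves as if it had two or three suppliers, not four. Re-running the report after a proposed consolidation shows procurement the concentration cost of the deal before it is signed.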

2. Build defensible ratings when vendor data is incomplete

Incomplete vendor data is one of the most common friction points in TPRM. It’s also often mishandled. When a vendor doesn’t respond to a questionnaire or provides incomplete documentation, many teams effectively park the assessment and move on. That’s not the correct move, and examiners are starting to notice.

  • Treat missing data as a risk signal. Default to elevated inherent risk when vendor information is incomplete. Document that rationale explicitly for auditors.
  • Push residual risk ownership to the business. The unit that chose the vendor should own the residual risk, not the security team that flagged the gap. When security holds all the accountability, the program becomes a bottleneck rather than an enabler.
  • Translate ratings into business language. Frame risk in terms of financial and operational impact, such as the cost of a vendor's disruption, rather than only a numeric rating or the CVSS scores of its open findings. That’s what moves these conversations out of the security team and into leadership.
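The rating logic in this section, together with the tiered review cadences from the previous one, as an added example that is not the IANS article’s own method: the control set, weights, inherent-risk scale, residual formula, tier bands and cadences are all assumed program policy, and the vendor questionnaires are constructed. The point it demonstrates is that an unanswered question is scored as a control that is not in place, raises inherent risk pending evidence, and leaves a written rationale line for the examiner, with the residual risk assigned to the business unit that chose the vendor.

```python
"""Defensible vendor risk rating with explicit handling of missing evidence.

Added example, not IANS's code. Every threshold and weight is an assumed
program policy chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed control set: id -> (weight, description). Answer values are
# True (evidenced), False (not in place) or None (vendor did not answer).
CONTROLS = {
    "enc_at_rest": (3, "customer data encrypted at rest"),
    "mfa_admin": (3, "MFA enforced for vendor administrative access"),
    "soc2_type2": (2, "current SOC 2 Type II report provided"),
    "breach_notify_72h": (2, "contractual breach notification within 72 hours"),
    "subprocessors": (1, "subprocessors, including AI model providers, disclosed"),
}
DATA_RISK = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
MAX_INHERENT = 6
# Assumed residual bands: (exclusive upper bound, tier, review cadence in months).
TIERS = [(1.0, "low", 24), (2.0, "medium", 12), (3.0, "high", 6), (float("inf"), "critical", 3)]


@dataclass
class Rating:
    vendor: str
    owner: str            # business unit that selected the vendor and owns residual risk
    inherent: int
    residual: float
    tier: str
    review_months: int
    incomplete: bool
    rationale: list = field(default_factory=list)


def inherent_risk(data_class: str, business_critical: bool, rationale: list) -> int:
    """Inherent risk from what the vendor touches, before any controls are credited."""
    score = DATA_RISK[data_class] + (1 if business_critical else 0)
    rationale.append(f"inherent {score}: data class '{data_class}', business critical={business_critical}")
    return score


def control_gap(answers: dict, rationale: list):
    """Weighted share of controls not evidenced. None is scored like False,
    and each gap gets its own rationale line so the auditor sees why."""
    total = sum(weight for weight, _ in CONTROLS.values())
    failing = 0
    incomplete = False
    for cid, (weight, desc) in CONTROLS.items():
        answer: Optional[bool] = answers.get(cid)
        if answer is True:
            continue
        failing += weight
        if answer is None:
            incomplete = True
            rationale.append(f"{cid}: no evidence provided, scored as not in place ({desc})")
        else:
            rationale.append(f"{cid}: control not in place ({desc})")
    return failing / total, incomplete


def rate_vendor(vendor: str, owner: str, data_class: str, business_critical: bool, answers: dict) -> Rating:
    rationale: list = []
    inherent = inherent_risk(data_class, business_critical, rationale)
    gap, incomplete = control_gap(answers, rationale)
    if incomplete:
        # Assumed policy: incomplete questionnaires default to elevated inherent risk.
        inherent = min(inherent + 1, MAX_INHERENT)
        rationale.append(f"questionnaire incomplete: inherent risk raised to {inherent} pending evidence")
    # Assumed formula: a quarter of inherent risk is never offset by controls.
    residual = round(inherent * (0.25 + 0.75 * gap), 2)
    tier, months = next((t, m) for bound, t, m in TIERS if residual < bound)
    rationale.append(f"residual {residual} -> tier '{tier}', review every {months} months; residual risk owner: {owner}")
    return Rating(vendor, owner, inherent, residual, tier, months, incomplete, rationale)


# Constructed questionnaires for a hypothetical payments processor.
PARTIAL_ANSWERS = {"enc_at_rest": True, "mfa_admin": True, "breach_notify_72h": True}          # two unanswered
COMPLETE_ANSWERS = {**PARTIAL_ANSWERS, "soc2_type2": True, "subprocessors": False}


if __name__ == "__main__":
    for label, answers in (("partial", PARTIAL_ANSWERS), ("complete", COMPLETE_ANSWERS)):
        rating = rate_vendor("Example Payments Co", "Payments Operations", "restricted", True, answers)
        print(f"[{label}] {rating.vendor}: tier={rating.tier}, residual={rating.residual}, review every {rating.review_months} months")
        for line in rating.rationale:
            print("   -", line)
```

The same vendor lands in the high tier with a six-month cadence when two questions go unanswered and drops to medium with a twelve-month cadence once the evidence arrives, and the rationale list records which missing answer drove which part of the score. That record is what makes the rating defensible when an examiner asks why a non-responsive vendor was not simply parked.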

3. Layer AI-specific controls onto existing TPRM workflows

The instinct to build a separate AI governance program is understandable but often counterproductive. A parallel structure requires parallel resourcing, parallel maintenance, and parallel examiner justification. The better approach is to layer AI-specific controls onto the TPRM workflows that already exist.

  • Update your questionnaires explicitly for AI. Conventional checklists miss opaque model dependencies, undisclosed AI embedded in SaaS products, non-standard data retention tied to model training, and non-human identities (NHIs) with access that wasn’t scoped for an AI agent.
  • Request an AI Bill of Materials (AIBOM). This is an emerging best practice that surfaces what’s running inside a vendor product and what your data may be touching.
  • Use scenario-based questions over yes/no checklists. “What happens to our data if your model is retrained?” surfaces risk that checkbox audits can’t.
  • Consider AI governance overlays. Tools like Credo AI and Cranium AI can layer onto existing TPRM foundations without full platform replacement.

Vendor management moves that can wait

Not everything needs to move at once. Some common actions are worth deferring:

  • Separate AI governance programs. Layering onto existing TPRM is more sustainable and more defensible.
  • Full platform replacement. Get the process and tiering methodology right before buying new tooling. The tool won’t fix a broken methodology.
  • Enterprise-wide risk standardization initiatives. These are valuable roadmap items for six to 18 months out, not the next quarter.

Get your TPRM program ready now

The teams making real progress with TPRM in 2026 aren’t the ones with the most sophisticated platform or the most elaborate governance structure. The teams that are succeeding have embedded better processes into existing workflows, pushed risk ownership to the business, and built programs that their company leadership can understand and defend.

As regulatory expectations around TPRM continue to tighten, security teams that act now on continuous monitoring, defensible ratings, and AI-specific controls will be better positioned when the next exam cycle arrives.

See what your banking peers are working on and get the guidance they’re using. Explore IANS Banking Security Resources. 
