Ask any board if AI is on the agenda, and the answer is yes. Ask how confident they feel about their vendors’ use of AI, and the answer is less clear.
That gap runs through HTF Research’s global study on AI Governance and Third‑Party Risk Management, sponsored by Mitratech. The study surveyed 46 leaders from institutions across banking, asset management, insurance, energy, corporate, and brokerage sectors. AI is spreading across the enterprise. Oversight of third‑party AI risk is not keeping pace.
For GRC leaders, this is both a warning and an opening. The organizations that can turn third‑party AI from an invisible exposure into a governed asset will set the pace for their industries.
AI Is Scaling Fast, But Governance Maturity Varies Widely
While many organizations have implemented some form of AI governance framework, maturity differs significantly across industries, regions, and revenue sizes. Highly regulated environments — such as finance — tend to lead, while others are still laying the foundation for policies.
A few key trends stand out:
- Most large organizations (more than $1B in revenue) report strong governance progress, while smaller firms (under $500M) lag behind.
- Corporate, brokerage, and energy organizations show greater inconsistency, with fewer established governance frameworks.
- Across all sectors, frameworks such as the EU AI Act, NIST AI RMF, and ISO 42001 are emerging as common points of alignment.
Ownership also varies:
- Corporate firms overwhelmingly assign responsibility to IT or IT security.
- Other industries split responsibility across risk, compliance, and IT, reflecting increasing cross-functional accountability.
The takeaway? AI governance is maturing, but unevenly.
The Blind Spot: Limited Visibility Into Third-Party AI
Most organizations maintain an inventory of internal AI use cases. But when asked whether those inventories include third-party AI solutions, responses varied dramatically.
Notably:
- Many firms — especially in the UK — do not include vendor AI in their inventory.
- Banking, asset management, and insurance show stronger performance, but even there, coverage is incomplete.
- Rapid software release cycles (e.g., “AI features released every two weeks”) make inventory management difficult.
For risk and compliance professionals, this has major implications. Vendors may be using AI in ways you can’t see, can’t verify, and can’t monitor, yet the risk ultimately flows back to you. This visibility gap is quickly becoming one of the most pressing governance challenges.
AI Governance and TPRM: Parallel Functions, Not Yet Integrated
Most organizations already manage a broad spectrum of third-party risks — from cybersecurity to operational and ESG risk. But when it comes to weaving AI-specific oversight into these workflows, integration remains limited.
The research finds:
- Some industries (e.g., banking/asset management) report partially or fully integrated governance and TPRM practices.
- Others remain siloed, with AI risk handled separately from third-party reviews.
- Only a small number of organizations have ever terminated a vendor due to AI-related concerns.
As AI becomes embedded into more vendor tools and functions, the separation between governance and TPRM becomes increasingly unsustainable.
Third-Party AI Risk Management Confidence Levels Are Concerningly Low
When asked to rate their confidence in managing AI-related risk from third parties, most organizations scored themselves 2 or 3 out of 5.
Additional gaps include:
- Most organizations assess fewer than 100 vendors for AI risk.
- Many do not require vendors to disclose their AI governance policies.
- Banks and asset managers lead in requiring disclosures, but even there, the majority do not enforce full alignment.
For risk and compliance officers, this is a red flag: organizations understand the risks, but lack the evidence and control mechanisms needed to mitigate them.
Boards Are Paying Attention, and Increasing Investment Accordingly
Across regions and industries, the majority of respondents report that their boards or executive leadership have requested updates on AI risk and third-party practices within the past year.
Investment trends reflect this pressure:
- Most companies plan to increase AI governance spending over the next 12–18 months.
- Planned investment in TPRM is more varied, but interest is rising across many sectors.
- Leaders want more transparent reporting, improved model transparency, and better visibility into vendor AI.
This shift marks a governance inflection point: AI oversight is moving from operational function to board-level priority. Leadership wants answers, but many teams don’t have the structure or data to provide them. This is where governance, TPRM, and reporting need to line up.
Regulatory Readiness: A Growing Concern
Not a single company surveyed considers itself “very prepared” for upcoming AI regulations. Most sit at 2–3/5 readiness, despite several major regulatory regimes moving quickly toward implementation.
Even more telling: apart from banking, most organizations do not require vendors to comply with the same AI governance standards they apply internally. As global regulatory expectations converge, this gap will grow more costly.
Practical implication: The compliance wave is coming faster than readiness. And if you don’t expect vendors to meet the same bar, your real compliance posture is only as strong as your weakest supplier.
The Rise of Unified AI Governance & TPRM Solutions
North America and APAC show strong interest in unified platforms that manage AI governance and third-party risk in one place. Such platforms could help organizations centralize inventories, automate monitoring, streamline evidence collection, and standardize evaluation criteria.
Today, however, most companies lack automated AI-model monitoring — a key missing capability as AI systems scale in volume and complexity.
The pattern is clear: plenty of humans are reviewing AI, but few systems are set up to catch drift, bias, or control failures in real time. That gap will matter more as AI use scales.
Looking Ahead: What Risk and Compliance Leaders Should Prioritize Now
To evolve alongside the technology, organizations need to focus on four strategic priorities.
1. Drive visibility across your entire ecosystem.
Ensure all AI use — internal or third-party — is inventoried, documented, and monitored.
2. Embed AI governance into TPRM workflows.
Use shared controls, aligned frameworks, and standard evidence requirements.
3. Build repeatable, continuous oversight.
Move from point-in-time reviews to ongoing testing, monitoring, and model performance tracking.
4. Prepare for global regulatory alignment.
Anchor frameworks to the EU AI Act and map controls across other regulatory regimes to “comply once, satisfy many.”
AI risk is now a business risk, a compliance risk, and a third-party risk simultaneously. If your governance stops at your firewall, you’re only seeing half the problem. The next year should be about pulling AI into the core risk operating model — not adding another side program.
A Converging Future for AI Governance and Third-Party Risk
The research paints a clear picture: while organizations across industries are adopting AI at scale, governance practices — especially for third-party risk — are developing unevenly. But momentum is building. Boards are engaged, investments are rising, and risk functions are expanding their purview to include intelligent systems.
The organizations that act now — integrating governance, improving visibility, and standardizing oversight — will be the ones best positioned to manage the next wave of AI-driven transformation.
How Mitratech Helps
No matter where you are on your AI governance journey, Mitratech can help you bring true coordination and transparency to your program. Our unified platform connects disparate teams, ensures all key stakeholders stay aligned, and accelerates your time to value with adaptable templates and pre-configured frameworks like the EU AI Act and NIST AI RMF. As your program evolves, our flexible architecture keeps pace — delivering long-term efficiency and a low total cost of ownership.
Ready to move forward with AI governance you can trust? Contact Mitratech to learn more.
