Politics

Third-party AI governance remains a blind spot amid rapid enterprise adoption

Friday, 5 December 2025 7:31PM UTC

A new global study reveals widespread AI integration in enterprises, yet many organisations lack visibility and consistent governance for third-party AI, exposing critical vulnerabilities amid evolving regulations.

Ask any board whether artificial intelligence is on the agenda and the answer is invariably yes; ask how confident they are about their vendors’ use of AI and the picture is far less clear. According to the original report and accompanying analysis, HTF Research’s global study , sponsored by Mitratech , finds AI spreading rapidly through enterprises while visibility into third‑party AI remains a persistent blind spot. ^[1]^[2]

The study shows governance maturity varying widely by sector and size. Industry data indicates highly regulated sectors such as banking, asset management and insurance report stronger frameworks, while many corporates, brokerages and energy firms lag behind. Frameworks including the EU AI Act, NIST AI RMF and emerging standards such as ISO 42001 are becoming common alignment points, but adoption is uneven. ^[1]^[4]^[7]

A central finding is the limited inclusion of vendor AI in organisational AI inventories. Many firms , particularly in the UK , exclude third‑party AI from their registers, leaving risk and compliance teams unable to monitor or verify vendor use. This phenomenon echoes the MIT Sloan analysis of “shadow AI” and is amplified by fast software release cycles that frustrate inventory management. ^[1]^[2]^[4]

Governance and third‑party risk management (TPRM) frequently operate in parallel rather than as integrated functions. The research finds some banking and asset management firms have begun integrating AI oversight into TPRM, but most organisations still treat AI risk as siloed from routine third‑party reviews. Industry reporting shows only a small number of vendors have been terminated for AI‑related concerns, underscoring weak contractual and evidential levers. ^[1]^[3]^[6]

Confidence levels are low: most organisations rate their readiness to manage third‑party AI risk around 2–3 out of 5. Many compliance teams assess fewer than 100 vendors for AI risk and do not require vendor disclosure of AI governance policies. Mitratech’s broader TPRM research also highlights chronic resource constraints, with many teams understaffed and covering only a fraction of their vendor base. ^[1]^[3]

Boards are increasingly engaged and budgets are shifting accordingly. The study reports that a majority of boards have requested AI‑risk updates in the last year, and many organisations plan to raise AI governance spend in the next 12–18 months. Gartner and KPMG findings reinforce this trend, noting accelerating demand for TPRM technology and continuous monitoring as organisations face a “perfect storm” of regulatory and operational pressures. ^[1]^[5]^[6]

Regulatory readiness is a pressing concern. Not a single respondent rated themselves as “very prepared” for emerging AI rules, and outside finance most firms do not require vendors to meet the same internal AI governance standards. Cross‑regional research shows regulatory approaches differ , the EU emphasises structured transparency, the US relies on sectoral regimes, the UK pursues flexible sectoral guidance and China favours centralised directives , complicating a simple, global compliance strategy. ^[1]^[7]

There is clear appetite for unified solutions that bind AI governance and TPRM. North America and APAC show particular interest in platforms that centralise inventories, automate monitoring and standardise evidence collection, but current adoption of automated model monitoring remains low. KPMG and Mitratech both highlight the shift from periodic reviews to continuous, intelligent oversight as necessary to manage scale and detect drift, bias or control failures in real time. ^[2]^[5]

For risk and compliance leaders the report recommends four priorities: drive visibility across internal and vendor ecosystems; embed AI governance into TPRM workflows with shared controls and standard evidence; move from point‑in‑time assessments to continuous monitoring and performance tracking; and align controls to major regimes such as the EU AI Act to achieve broad regulatory coverage. Acting on these areas will convert an invisible exposure into a governed asset. ^[1]^[2]^[5]

If firms do not broaden governance beyond their firewall, compliance will increasingly be constrained by the weakest supplier. The convergence of board oversight, investment momentum and technological capability offers a narrow window: organisations that integrate governance, improve vendor transparency and deploy continuous monitoring will be best placed to manage the next wave of AI‑driven change. ^[1]^[6]^[3]

📌 Reference Map:

##Reference Map:

^[1] (JD Supra / HTF Research) - Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8, Paragraph 9, Paragraph 10
^[2] (Mitratech blog) - Paragraph 1, Paragraph 3, Paragraph 8, Paragraph 9
^[3] (GlobeNewswire / Mitratech TPRM Study) - Paragraph 5, Paragraph 6, Paragraph 10
^[4] (MIT Sloan Management Review) - Paragraph 2, Paragraph 3
^[5] (KPMG report) - Paragraph 6, Paragraph 8, Paragraph 9
^[6] (Gartner press release) - Paragraph 6, Paragraph 10
^[7] (arXiv cross‑regional study) - Paragraph 2, Paragraph 7

Source: Noah Wire Services

More on this

https://www.jdsupra.com/legalnews/third-party-ai-the-blind-spot-in-2604505/ - Please view link - unable to able to access data
https://mitratech.com/resource-hub/blog/third%E2%80%91party-risk-ai-governance-report/ - Mitratech's blog post discusses a global study on AI governance and third-party risk management, highlighting that while AI adoption is widespread, many organizations lack visibility into third-party AI usage. The study reveals that many firms, especially in the UK, do not include vendor AI in their inventories, leading to potential risks that are difficult to monitor and verify. This underscores the need for enhanced governance frameworks to manage third-party AI risks effectively.
https://www.globenewswire.com/news-release/2025/06/25/3105245/0/en/New-Mitratech-Study-Finds-Third-Party-Risk-Management-Ecosystems-Under-Strain-Amid-Regulatory-Technological-and-Resource-Pressures.html - Mitratech's 2025 Third-Party Risk Management (TPRM) Study reveals that nearly 70% of TPRM teams are understaffed, managing just 40% of their vendor base on average. The study also highlights a significant increase in compliance team involvement, from 42% in 2023 to 88% in 2025, driven by growing scrutiny in data privacy and operational resilience. Additionally, 65% of respondents are exploring AI use cases, with 14% already using AI in their TPRM programs, up from 5% last year.
https://www.mitsloan.mit.edu/ideas-made-to-matter/third-party-ai-tools-pose-increasing-risks-organizations - An MIT Sloan Management Review article highlights the risks associated with third-party AI tools, noting that 78% of organizations use such tools, with over half using them exclusively. The article points out that more than half of AI failures stem from third-party tools, a phenomenon known as 'shadow AI.' It emphasizes the importance of developing a responsible AI framework to mitigate financial, reputational, and legal risks.
https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2025/11/bridging-gaps-and-building-guardrails-with-ai-in-third-party-risk-management.pdf - KPMG's report discusses how AI is revolutionizing third-party risk management by elevating oversight from periodic reviews to continuous, intelligent risk governance. It highlights the challenges organizations face in integrating AI into their risk management processes and the importance of building guardrails to ensure responsible AI usage. The report underscores the need for organizations to adapt to complex supply chains and increasing regulatory scrutiny.
https://www.gartner.com/en/newsroom/press-releases/2025-05-6-02-gartner-says-perfect-storm-of-third-party-risksare-driving-growth-and-maturrity-in-third-party-risk-management-technology-solutions - Gartner's press release discusses how factors like trade volatility, cyberattacks, new regulatory requirements, and supply chain disruptions are accelerating the adoption of third-party risk management (TPRM) technology solutions. It notes that many organizations, especially multinationals, are experiencing an exponential increase in the number of third parties they rely on, creating a 'perfect storm' that heightens third-party risk. The release emphasizes the importance of deploying TPRM technology to better mitigate inherent risks.
https://arxiv.org/abs/2503.05773 - A study titled 'Between Innovation and Oversight: A Cross-Regional Study of AI Risk Management Frameworks in the EU, U.S., UK, and China' compares AI risk management strategies across these regions. It finds that the EU implements a structured, risk-based framework prioritizing transparency, while the U.S. uses decentralized, sector-specific regulations promoting innovation but leading to fragmented enforcement. The UK adopts a flexible, sector-specific strategy, and China employs centralized directives for rapid implementation, though with constrained transparency.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative references a global study by HTF Research, sponsored by Mitratech, indicating recent findings. The earliest known publication date of the study is June 25, 2025, as reported by GlobeNewswire. The JD Supra article was published on December 5, 2025, suggesting the content is fresh. However, the presence of multiple references to the same study across different platforms may indicate recycled content. The narrative includes updated data but recycles older material, which may justify a higher freshness score but should still be flagged.

Quotes check

Score: 9

Notes: The narrative includes direct quotes from the Mitratech study and other reputable sources. These quotes appear to be original and not reused from earlier material. No identical quotes were found in earlier publications, suggesting originality.

Source reliability

Score: 7

Notes: The narrative originates from JD Supra, a platform that republishes content from various sources, including Mitratech. While JD Supra is a known platform, its content is user-generated and may not always undergo rigorous editorial review. The Mitratech study is a primary source, and its findings are credible. However, the JD Supra article's reliability is moderate due to its nature as a republishing platform.

Plausability check

Score: 8

Notes: The claims made in the narrative align with findings from reputable sources, such as the Mitratech study and KPMG's report on AI in third-party risk management. The narrative lacks specific factual anchors, such as names, institutions, and dates, which reduces the score and flags it as potentially synthetic. The tone and language used are consistent with professional industry reports, suggesting plausibility.

Overall assessment

Verdict (FAIL, OPEN, PASS): OPEN

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: The narrative presents findings from a recent Mitratech study, indicating a fresh perspective on third-party AI governance. However, the presence of recycled content and the moderate reliability of the JD Supra platform raise concerns. The lack of specific factual anchors and the potential for synthetic content further complicate the assessment. Given these factors, the overall assessment is OPEN with medium confidence.

Artificial intelligence
Third-party risk management
Regulatory compliance