• Most firms remain in early stages of adopting AI for third-party risk management
• Senior leaders are optimistic about AI’s ability to automate risk detection and due diligence
• Inherent risk assessment and contract management offer biggest opportunities for AI transformation
• Financial exposure from third-party failures is rising, driving urgency
• Integration costs, legacy systems, and lack of in-house expertise are top barriers
• Organisations favour a hybrid approach of managed services and in-house capability
• Information security and data privacy are seen as the highest-priority risk domains for AI investment

Artificial intelligence may be the future of third-party risk management, but a new survey suggests the present looks more like a cautious pilot than a sweeping transformation.

As businesses scramble to manage sprawling webs of external partners in an increasingly volatile global environment, AI is being touted as the key to boosting agility, resilience, and cost-efficiency.

Yet most organizations are still grappling with how to deploy it meaningfully.

Drawing from the results of a new pulse survey on AI’s role in third-party risk management (TPRM), leading financial services consultancy Deloitte finds the gap between ambition and reality is vast.

While there’s broad consensus that AI – particularly generative AI – can radically improve inherent risk assessments, the survey found that due diligence, and contract oversight, adoption levels remain low.

Few respondents reported using AI to actively assess their third-party risk exposure today, even though financial stakes are growing.

Nearly half of those surveyed believe that a serious third-party incident could result in damages exceeding $50 million.

That growing exposure is helping drive enthusiasm for AI-driven solutions that promise smarter, faster decision-making. But turning that vision into reality is proving difficult.

Organizations are prioritizing AI investments that target repetitive, manual tasks such as data collection and contextualizing unstructured data from third parties.

In theory, automating these processes could free up senior risk professionals to focus on higher-value work. In practice, however, investment barriers are proving stubborn.

Concerns over financial outlay, the difficulty of integrating AI with legacy systems, and a widespread shortage of internal expertise continue to stall progress.

Despite this, leadership teams remain bullish on the longer-term potential.

The majority of firms surveyed expressed plans to implement AI-powered solutions across the TPRM lifecycle, particularly in areas such as dynamic risk assessment, collaborative monitoring platforms, and predictive analytics.

One area that stands out as ripe for disruption is contract management. Often overlooked in digital transformation strategies, contracts are now being seen as a treasure trove of untapped risk data.

Respondents pointed to automation opportunities in analyzing contracts for hidden risks, monitoring compliance, and predicting breach likelihoods.

The survey also reveals a shift in strategy: instead of choosing between outsourcing and in-house development, most organizations are pursuing a hybrid model.

This involves combining managed service solutions – especially for complex analytics or continuous monitoring – with ongoing investment in internal AI platforms.

The aim is to build institutional capabilities while still benefiting from external expertise.

Top priority domains for AI adoption include information security, data privacy, cybersecurity, and contract risk – reflecting both regulatory pressures and high-profile breaches that have shaken confidence in traditional TPRM controls.

Across the board, respondents see intelligent automation not just as a tactical upgrade, but as a strategic necessity for futureproofing their extended enterprise.

However, the survey is clear about the challenges ahead. With maturity levels still low, most firms are only just beginning to build the business case for AI in TPRM.

What emerges is a picture of a sector in transition – eager to adopt cutting-edge tools, but still encumbered by the weight of legacy systems, limited budgets, and the sheer complexity of their third-party ecosystems.