How AI is rapidly changing the status quo in TPRM

The integration of AI into third-party service delivery is prompting organizations to fundamentally rethink their TPRM practices.

Many third-party vendors, such as providers of off-the-shelf software, have begun to embed AI into their products, often without full visibility or the understanding of their customers. Service providers may also leverage AI to enhance their service delivery, again without clients’ explicit awareness. Gaining visibility into when and how these third parties are using AI is a growing challenge for enterprises.

To address this, some organizations use tools that analyze DNS traffic and web data to flag potential GenAI use — for example, by identifying vendors linked to “.ai” domains or known AI providers. However, many enterprises rely on manual outreach, which can create friction and delays in the onboarding process for new vendors.

These vendors’ use of AI models may impact core service delivery, decision-making, and even data governance. Yet existing oversight mechanisms, such as SOC 2 (System and Organization Controls) reports or generalized risk questionnaires, often lack the specificity needed for the organization to assess how the vendor is using AI, what data it relies on and whether adequate controls exist.

To keep pace, businesses should rethink how they identify, evaluate and monitor third-party AI use. This includes incorporating AI-specific controls into risk models and enhancing due diligence processes. It can also require revisiting contractual obligations to confirm that vendors disclose AI deployments, that they are providing adequate governance and that their AI use is aligned with the enterprise’s risk profile.

Opportunities for TPRM to create value with responsible AI

By proactively managing AI-related risks across their third-party landscape, enterprises can streamline risk assessment, reduce time-to-contract, and onboard vendors faster without compromising governance.

Another way to help unlock value is to standardize the organization on preferred, pre-vetted providers whose AI practices align with the organization’s Responsible AI standards. While total standardization may not be realistic, identifying and prevetting the likely small group of vendors that represent the majority of the third-party usage within the organization can be a good investment. It can allow companies to reduce the burden of assessing multiple AI solutions and focus on integrating with strategic vendors. It can also support economies of scale in training and tooling — for example, by aligning TPRM platforms with source-to-pay (S2P), contract life cycle management or vendor intelligence systems.

With strong AI governance in place, TPRM teams can move faster and with more confidence.

When TPRM shifts from being a reactive gatekeeper to a proactive enabler, organizations are likely to be better able to adopt AI-driven solutions responsibly and at scale.

Key actions to prioritize

Here’s how you can get started to help effectively manage the evolving risks and opportunities of third-party AI use:

• Revisit vendor contracts to encourage Responsible AI use. Update agreements to require disclosure when vendors use AI in service delivery. Include provisions for notification and risk transparency. When it’s appropriate, create incentives for vendors to innovate responsibly with AI.

• Scrutinize data usage policies. Confirm whether third parties are using your organization’s data to train AI models. Require clear documentation of data-handling practices, consent mechanisms and any limitations placed on data reuse.

• Perform AI-specific due diligence and ongoing monitoring. Push vendors to provide greater transparency and evidence of holistic controls on model development, data privacy, bias mitigation and auditability. To support these efforts, consider adding AI-focused addenda to SOC 2 reports, independent attestations, or other governance tools.

• Enhance third-party risk-tiering frameworks. Modify risk scoring to account for AI use cases. Prioritize due diligence based on the type of AI deployed, the sensitivity of the data being used and the potential business impact of AI failures, outages or misuse.

• Increase AI-focused inquiries during assessments. Ask targeted questions about AI model design, data sources used in training, risk controls, explainability and monitoring processes.

• Track and respond to evolving regulations. Stay ahead of emerging AI governance mandates, such as the EU AI Act, and confirm that your third parties’ practices align with the relevant regional and sector-specific requirements.

How we can help

As the adoption of AI accelerates, organizations face mounting pressure to make sure that their third-party ecosystems are not only secure but also aligned with evolving standards. PwC helps organizations turn TPRM functions into proactive engines of trust and innovation by using advanced risk modeling, AI-specific controls and strategic vendor oversight. Get started today to responsibly and transparently leverage AI at scale.