Why Third-Party Risk Management Programs Don’t Actually Reduce Risk
By Eddie Dovzhik, Forbes Councils Member, for Forbes Technology Council
COUNCIL POST: Expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author.
Jun 05, 2026, 08:45am EDT

Eddie Dovzhik, Co-Founder and CEO of Lema AI. Former elite intelligence. Helping enterprises reduce third-party risk exposure.

Enterprises have spent years building third-party risk programs around evidence collection, complete with security questionnaires, audit reports and penetration tests. Yet, when a vendor gets breached, security teams still struggle to answer the question that matters: What exposure did that vendor actually create inside the environment?

The gap between compliance activity and measurable risk reduction is getting harder to ignore.

Verizon’s 2025 Data Breach Investigations Report found that breaches involving third parties doubled in a single year, rising from 15% to 30%. McKinsey separately noted that nearly one-third of cyber breaches are now associated with technology supply chains and third-party dependencies.

During the same period, organizations expanded third-party risk management (TPRM) teams, increased assessment volume and added more vendors into formal review processes. The amount of oversight grew, but so did the number of compromises coming through vendors.

TPRM Was Built For Compliance, Not Exposure Management

Most TPRM programs were not designed for the environment in which they now operate. They were built inside procurement and GRC functions to support due diligence, regulatory obligations and audit defensibility.

That is no longer enough.

Vendors now sit inside identity infrastructure, customer data flows, production environments, support systems and CI/CD pipelines. Many have privileged access into environments security teams monitor more lightly than their own endpoints.

This now makes vendors a predominant part of th...





