FIs Worried About AI-Related Risks from Vendors, But Lack Ability to Manage Those Risks, Survey Finds

NASHVILLE, Tenn. — Financial institutions are increasingly worried about the risks posed by artificial intelligence used by outside vendors, but most lack confidence in their ability to manage those risks, according to a new survey from compliance software provider Ncontracts.

The company’s 2026 State of Third-Party Risk Management 2026 Survey Report found that, for the first time, financial institutions ranked AI risk alongside cybersecurity as their top third-party concern. Yet 72% of respondents said they are only partially aware of which vendors are using AI, and no organization surveyed reported being extremely confident in managing those risks, according to the report.

The survey drew responses from 173 financial services professionals between November 2025 and January 2026.

‘Teams Haven’t Kept Pace’

“TPRM programs are being asked to do more than ever — more vendors, more risk types, more complexity — with teams that haven’t kept pace,” Michael Berman, founder and CEO of Ncontracts, said in a statement. “AI is the clearest example of that pressure, and this survey shows the industry knows it.”

The findings highlight how rapidly expanding vendor ecosystems and emerging technologies are straining third-party risk management, commonly known as TPRM, across banks, credit unions and other financial institutions.

Key Findings

Key findings from the report include:

  • AI risk rising but readiness lagging. About 73% of organizations with more than 5,000 employees fell into the lowest confidence tiers for managing vendor AI risks, suggesting larger institutions are not necessarily better prepared to oversee the technology.
  • Lean staffing managing large vendor networks. Nearly 63% of TPRM programs operate with just one or two full-time employees, while 13% have no dedicated staff at all. At the same time, 53% of institutions oversee 300 or more vendors, meaning some risk managers are responsible for more than 100 vendor relationships.
  • Technology gap affecting compliance outcomes. While 87% of institutions now use dedicated TPRM software, about 10% still rely primarily on spreadsheets, down from 13% in 2025. Institutions using manual processes were 71% more likely to receive exam findings and reported 50% lower satisfaction with their tools, according to the survey.
  • Program maturity changes perception. Among organizations with no formal TPRM processes, 67% view third-party risk management largely as a compliance formality. That figure drops to 13% among the most mature programs, where 26% say TPRM delivers significant organizational value.

Grappling With Issues

The report suggests financial institutions are grappling with how to extend existing vendor oversight frameworks to account for AI-related risks, including transparency, model governance and data security.

Berman said organizations that invest in improved technology, processes and metrics to manage third-party risk will be better positioned as AI adoption accelerates across the financial sector.
