Ncontracts Releases 2026 State of Third-Party Risk Management Survey Report

Ncontracts, the leading provider of integrated compliance, risk, and vendor management solutions to the financial services industry, released the 2026 State of Third-Party Risk Management Survey — revealing that for the first time, financial institutions rank AI risk on par with cybersecurity as their top third-party concern, even as 72% admit they are only partially aware of which vendors use AI and not a single organization feels extremely confident managing it.

Read More on Fintech : Global Fintech Interview with Baran Ozkan, co-founder & CEO of Flagright

The survey, which drew responses from 173 financial services professionals between November 2025 and January 2026, reveals TPRM programs caught between expanding vendor portfolios, emerging AI risks that outpace current assessment capabilities, and teams that haven’t grown to match the load.

“TPRM programs are being asked to do more than ever — more vendors, more risk types, more complexity — with teams that haven’t kept pace,” said Michael Berman, founder and CEO of Ncontracts. “AI is the clearest example of that pressure, and this survey shows the industry knows it. The organizations that will pull ahead are those investing now in the technology, processes, and metrics that let their programs scale and demonstrate value.”

Key findings include:

AI Risk Has Arrived — But Institutions Aren’t Ready

The concern is clear — but the confidence to manage it isn’t. 73% of large organizations with 5,001 or more employees fall into the lowest confidence tiers, suggesting that size and sophistication offer little advantage when existing TPRM frameworks haven’t yet been extended to address the specific complexities of vendor AI.

TPRM Programs Run Lean While Managing Hundreds of Vendors

Nearly two-thirds (63%) of TPRM programs operate with just one or two dedicated full-time employees, and 13% have no dedicated staff at all. More than half (53%) manage 300 or more vendors, creating ratios where individual professionals are responsible for 100 or more vendor relationships.

Technology Creates a Compliance Divide

Just 10% of institutions still rely on spreadsheets — down from 13% in 2025 — as nearly 87% now use TPRM software. The gap matters: manual process users are 71% more likely to receive exam findings and report 50% lower satisfaction with their tools.

Mature Programs See TPRM Differently

Among organizations with no processes in place, 67% view TPRM as little more than a compliance formality — a figure that drops to just 13% among the most mature programs, where 26% report TPRM delivering high value across the organization.