The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.
Standards, criteria, and risk assessment frameworks for evaluating, procuring, and monitoring third-party AI tools and services. Includes vendor evaluation rubrics and ongoing risk monitoring; distinct from general procurement, which does not address AI-specific risks.
AI procurement and vendor risk assessment is the practice of establishing standards, evaluation criteria, and ongoing monitoring frameworks to manage the risks of deploying third-party AI tools and services. As enterprises rapidly adopt generative AI, they face a new category of risk: the vendor itself may be unproven, opaque about its training data, misaligned with governance requirements, or operationally unstable. This practice sits at the intersection of security, compliance, and procurement — applying the vendor risk discipline (common in regulated industries like finance and healthcare) to the novel domain of AI tooling. The core tension is between adoption velocity and risk tolerance: enterprises want to move fast, but vendor risks in AI are still poorly understood.
By early June 2026, AI procurement and vendor risk assessment had crystallized into a practice defined by structural imbalances: rapid vendor ecosystem expansion colliding with governance frameworks that are still evolving. Vendor tooling maturity was signaled by analyst recognition: EFROS independent benchmarking of 20 major AI vendors across 12 governance axes (BAA/DPA, ISO 42001, NIST AI RMF, state law readiness) is now available for standardized procurement evaluation; Panorays and Exiger maintained Gartner Magic Quadrant Leader status; OneTrust and V7 Go released agentic risk assessment agents achieving 90% time savings per vendor assessment. Yet adoption velocity masked a critical fragility: 40% of AI startups launched in 2024 failed within 24 months, with the Builder.ai collapse ($1.3B valuation, $445M raised) leaving customers stranded; inference costs consume 23% of revenue in AI-native businesses, so traditional unit economics fail at scale. Governance capability gaps widened in production: traditional TPRM frameworks (questionnaires, annual assessments) were revealed as structurally insufficient for AI vendors, because they assess vendor security but not the vendor's AI operating model; agentic AI introduces delegated execution (calling tools, updating records, triggering workflows) that requires authority-boundary controls absent from legacy procurement reviews. New risk categories emerged: AI sub-processor sprawl (approved vendors silently routing data to unapproved third-party AI models via features that re-approval workflows do not catch); tool/extension supply-chain exposure (agentic systems collapse multi-step attacks into single-vector exploits via misconfigured tool permissions); and model-version deprecation risk (vendors change model behavior post-purchase without SLA disclosure, which requires continuous monitoring rather than point-in-time due diligence).
Regulatory acceleration compounded the pressure: EU AI Act high-risk obligations take effect on August 2, 2026, with Article 13 technical documentation and Article 26 log-retention requirements; DORA supervisory enforcement identified third-party risk (Articles 28-44) as the largest compliance gap, with Register of Information data quality failures; California and federal procurement mandated new vendor governance controls. Paradoxically, frontier AI capability risks (ECB warning: models like Anthropic Mythos can reverse-engineer patches in 30 minutes) created asymmetric exposure: European procurement teams lack access to frontier testing infrastructure yet bear regulatory liability for vendor viability assessment. The core tension sharpened: the vendor ecosystem expands, procurement adoption scales and governance frameworks mature, yet vendor viability assurance (not just performance assessment), runtime model-behavior monitoring (not just uptime SLAs), and architectural resilience to vendor failure remain binding constraints on tier advancement.
— Builder.ai collapse ($1.3B valuation, $445M raised): 40% of AI startups fail within 24 months; 60-70% of AI wrappers have zero revenue; inference costs drive 23% of revenue burn. Provides an empirical vendor solvency and technical due-diligence framework for procurement decisions.
— Critical accountability gap: traditional TPRM assesses vendors but not their AI operating models. Seven-layer diagnostic distinguishing AI inventory from AI governance; agentic AI introduces delegated execution requiring authority-boundary controls, not just output quality.
— Independent benchmarking of 20 enterprise AI vendors across 12 governance axes (BAA/DPA, data opt-out, residency, SOC2, ISO 42001, NIST AI RMF, state law readiness, non-discrimination, model risk). Signals standardized assessment frameworks emerging.
— Major agentic platforms converge on the same primitives; when capability converges, the procurement criterion shifts to auditability of vendor accountability. Critical differentiators now: model-version deprecation policy, SLA specificity for agent runtime, and compliance documentation per the EU AI Act.
— Vendor risk practice evolving from periodic assessments to continuous runtime monitoring due to AI integration. Modern frameworks (SOC2 CC7, ISO 27001, DORA Article 28) mandate ongoing visibility; static assessments insufficient when vendor AI behavior changes weekly.
— Trend Micro research: agentic systems collapse multi-step attacks into single-vector exploits via prompt injection or misconfigured permissions. Tool/extension ecosystem represents underappreciated vendor supply-chain exposure not covered in traditional due diligence.
— ECB vice-chair warning: Anthropic's Mythos reverses software patches and finds zero-days in ~30 minutes, collapsing traditional patch validation windows. Asymmetry: EU banks lack frontier testing access yet bear DORA liability for resilience; procurement is now an existential risk.
— Emerging vendor risk category: approved SaaS vendors enable AI features routing data to unapproved third-party AI models without detection or disclosure. AI sub-processor sprawl bypasses vendor re-approval workflows; requires DPA clauses, sub-processor transparency, data-egress monitoring.
2024-Q2: Early vendor risk assessment frameworks emerging in healthcare; GRC platforms beginning to integrate AI-specific third-party risk intelligence; federal procurement struggling with pace-of-change and vendor transparency gaps.
2024-Q3: Structured third-party AI assessment guidance formalized by IAPP and enterprise vendors; government procurement pilots showing early productivity gains; widening evidence of vendor tool quality gaps and customer dissatisfaction highlighting real risks in vendor selection.
2024-Q4: AI procurement platforms reaching production scale with major enterprise deployments (Fairmarkit, Globality, Beroe); 94% adoption across procurement teams but only 35% reporting high impact; vendor risk management frameworks published by major firms (Debevoise, Aon); regulatory landscape solidifying (EU AI Act enforcement) but vendor transparency and standardized assessment criteria remain fragmentary.
2025-Q1: Industry standardization accelerates with Data & Trusted AI Alliance VAF framework providing shared language for vendor risk and value assessment; dedicated vendor risk tooling expands (OneTrust document scanning, OnTrust AI platform); critical evaluation frameworks and skepticism emerge over ROI sustainability and vendor transparency challenges.
2025-Q2: Vendor risk tooling matures with OneTrust spring release and proliferating practitioner frameworks (FS-ISAC, AIGL, ETA); federal policy shifts pro-innovation stance (M-25-21/22); Builder.ai collapse ($1.3B vendor insolvency) demonstrates supply-chain fragility; Deloitte survey shows early-stage adoption with hybrid approaches; critical analyses document hype-cycle downsides and adoption barriers (integration costs, legacy systems, expertise gaps); gap widens between framework standardization and enterprise implementation capability.
2025-Q3: Procurement AI adoption accelerates with Conduent deploying Fairmarkit; 50% of procurement teams using AI but 95% of pilots fail production (Gartner); large-firm AI adoption declines 14%→12% amid ROI challenges; US DOJ revamps procurement with cross-functional vendor vetting; Builder.ai fraud documented ($450M); recalibration evident as organizations struggle with integration complexity, vendor viability, and measured returns.
2025-Q4: Adoption breadth masks maturity gap: 100% of procurement leaders implemented AI but only 6% achieved advanced maturity (ProcureAbility); 80% saw no material GenAI ROI contribution (McKinsey); governance gap widens—81% lacking central control over vendor/AI tools. McKinsey survey of 300+ leaders highlights potential 25-40% efficiency gains but Gartner data shows 30% projects abandoned post-PoC. Government and enterprise frameworks mature (VAF, FS-ISAC, NIST AI RMF) but traditional procurement methods fail for probabilistic AI systems—new vendor assessment approaches emerging (Optiv, OMB M-25-15). Core tension sharpens: adoption velocity vs. governance capability and vendor viability assurance.
2026-Feb: Vendor risk assessment practice matures as formalized discipline with GA tooling (OneTrust AI-Ready Governance Platform + Fall 2025 Third-Party Risk Agent, enterprise frameworks); government procurement signals new vendor risk standards (DoW AI model parity mandate, GSA/Anthropic de-risking); production deployments confirm tooling value (Pima Community College 75% efficiency gain). However, NBER survey reveals critical ROI gap: 80%+ firms report zero measurable AI impact despite 69% adoption, undermining vendor value claims. Procurement shift accelerates: AI becomes top-3 strategic priority (Hackett Group), but only 11% of organizations report deployment readiness (ProcureAbility). Fundamental tension sharpens: vendor viability verification, governance execution capability, and proof of ROI remain binding constraints.
2026-Apr: Vendor risk assessment tooling reaches clear market maturity with new agentic capabilities. VRM market sizing $12.3B (2025)→$39B (2033); Panorays earns Forrester Wave Leader (agentic AI scores); UpGuard and V7 Go launch GA agentic vendor risk agents (90% time savings on assessments). Adoption accelerates to 73% piloting or scaling, 43% actively deploying. Production deployments scale: Pima CC 75% efficiency gain, procurement AI teams 3.7x more resilient to disruptions. Vendor selection criteria shift fundamentally: Stanford HAI 2026 AI Index shows capability parity across frontier models (all meet 95%+ of business requirements), collapsing performance-based differentiation; the model transparency index fell from 58→40 in one year. Cyberhaven analysis finds 82% of the top 100 most-used GenAI SaaS classified as medium/high/critical risk; 39.7% of data flows involve sensitive data. Supply-chain risk frameworks formalize: NIST AI 600-1 requirements now mapped to vendor questionnaire sections and contract controls for foundation model dependency management. Procurement evaluation gap identified: traditional RFP checklists and uptime SLAs fail for probabilistic systems; enterprises shift to 'bring-your-own-eval' methodologies with distributional scoring and model-change notification contracts. Enterprise procurement standards crystallize: three-group sign-off (deal, CISO, compliance) now required; ISO 42001 AI management certification is table stakes; data isolation and governance documentation are first-round gating criteria. Policy accelerates: GSA draft clause GSAR 552.239-7001 imposes binding vendor obligations; California EO N-5-26 mandates state AI vendor certification; EU AI Act (Aug 2026) enforcement begins; export control enforcement escalates (Applied Materials $252M settlement, Super Micro indictment $2.5B).
Vendor viability risk documented: Anthropic, OpenAI, Windsurf cases show unilateral access terminations with no appeals process and zero liability for downstream business losses. Critical capability gap persists: Ncontracts survey finds AI vendor risk at parity with cybersecurity as the top concern, yet 72% report only partial governance readiness; KPMG finds 95% have an AI strategy but only 8% achieve measurable ROI; Forrester/Hackett show 69% confident in AI vision vs. 31% in execution. Binding constraints remain: vendor viability assurance, integrated governance capability across the deal lifecycle, measured ROI proof, and data readiness (74% deploy despite acknowledging data unreadiness).
2026-May: Enterprise AI procurement criteria shifted from model accuracy to vendor infrastructure maturity, with market research confirming the change is now dominant across large buyers. An empirical study of 201 SaaS vendors documented how rapid AI embedding degrades traditional TPRM assessment quality and creates runtime control dependencies invisible to standard evaluation frameworks, while the Q1 2026 Enterprise AI Radar placed the entire governance layer (security, auditability, red-teaming) at Trial status, none at Adopt, confirming that vendor selection rigor is not keeping pace with deployment scale.
2026-Jun: Vendor solvency risk quantified as structural procurement constraint: 40% of AI startups fail within 24 months (Builder.ai collapse: $1.3B valuation, $445M raised), with inference costs consuming 23% of revenue making traditional unit economics unworkable. Traditional TPRM frameworks exposed as structurally insufficient—they assess vendor security but not vendor AI operating models, leaving agentic authority-boundary risks (delegated execution, tool permissions) uncovered. EFROS Q2 2026 index benchmarking 20 enterprise AI vendors across 12 governance axes signals standardized assessment frameworks emerging; meanwhile, continuous monitoring mandated by SOC2/ISO 27001/DORA Article 28 is displacing static annual reviews as vendor AI behavior changes weekly. ECB warning that frontier models can reverse-engineer patches in 30 minutes created asymmetric procurement exposure for regulated industries lacking frontier testing access.
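As an added example, not from The State of Play or from any vendor named above, here is a minimal bring-your-own-eval drift check of the kind the 2026-Apr entry ('distributional scoring and model-change notification contracts') and the 2026-Jun entry (continuous monitoring because vendor model behavior changes weekly) describe: a buyer-held eval set is scored against a vendor model's outputs at contract signing and again later, and a material change is flagged from per-category pass-rate drops and the total-variation distance between output-label distributions. The eval set, both captured output sets and the thresholds are constructed and hypothetical.

```python
"""Bring-your-own-eval drift check for a third-party model (constructed example)."""
from collections import Counter

# Constructed eval set: case id -> (category, expected label). In practice this is
# the buyer's own held-out set and is never shared with the vendor.
EVAL_SET = {
    "e1": ("refund", "approve"), "e2": ("refund", "deny"), "e3": ("refund", "approve"),
    "e4": ("fraud", "escalate"), "e5": ("fraud", "escalate"), "e6": ("fraud", "deny"),
    "e7": ("general", "approve"), "e8": ("general", "deny"),
}
# Constructed captured outputs: at contract signing (baseline) and after a silent
# vendor model update (current). Uptime was 100% in both windows, so no SLA fired.
BASELINE = {"e1": "approve", "e2": "deny", "e3": "approve", "e4": "escalate",
            "e5": "escalate", "e6": "deny", "e7": "approve", "e8": "deny"}
CURRENT = {"e1": "approve", "e2": "approve", "e3": "approve", "e4": "approve",
           "e5": "escalate", "e6": "approve", "e7": "approve", "e8": "deny"}

def pass_rates(outputs):
    """Per-category accuracy against the expected labels."""
    hits, totals = Counter(), Counter()
    for eid, (cat, expected) in EVAL_SET.items():
        totals[cat] += 1
        hits[cat] += outputs.get(eid) == expected
    return {cat: hits[cat] / totals[cat] for cat in totals}

def label_distribution(outputs):
    """Share of each output label, i.e. what the model tends to answer."""
    counts = Counter(outputs.values())
    n = sum(counts.values())
    return {label: c / n for label, c in counts.items()}

def total_variation(p, q):
    """Total variation distance between two label distributions, in [0, 1]."""
    labels = set(p) | set(q)
    return 0.5 * sum(abs(p.get(l, 0.0) - q.get(l, 0.0)) for l in labels)

def drift_report(baseline, current, max_drop=0.2, max_tv=0.2):
    """Flag a material behaviour change (thresholds are hypothetical) that should
    trigger the contract's model-change notification clause, uptime SLA or not."""
    base_rates, cur_rates = pass_rates(baseline), pass_rates(current)
    drops = {cat: round(base_rates[cat] - cur_rates[cat], 3) for cat in base_rates}
    tv = total_variation(label_distribution(baseline), label_distribution(current))
    breached = [cat for cat, drop in drops.items() if drop > max_drop]
    return {"category_drops": drops, "tv_distance": round(tv, 3),
            "breached_categories": breached,
            "material_change": bool(breached) or tv > max_tv}

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```

Run the check on every captured window, not once at onboarding; the fraud category here silently collapsed to approving escalation cases while every uptime metric stayed green.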