Survey: FIs Face Growing Vendor Risk With Flat Budgets, Lean Staffs

NASHVILLE, Tenn.— Financial institutions are managing third-party risk with lean staffs, flat budgets and growing concern over vendor AI exposure, according to Ncontracts’ 2026 State of Third-Party Risk Management Survey, which found most programs are overseeing hundreds of vendors with just one or two full-time employees.

The report, based on responses from financial services professionals surveyed between November 2025 and January 2026, said 63% of third-party risk management programs operate with one to two dedicated employees, 14% have no dedicated staff at all, and 51% oversee 300 or more vendors.

For banks and credit unions, one of the most notable findings is that AI has now tied cybersecurity as the top third-party risk concern. The report said 72% of institutions are only partially aware of which vendors use AI, 16% have not assessed vendor AI usage at all, and no organization surveyed said it feels “extremely confident” in its ability to identify and manage AI-related risks.

The concerns most likely to resonate with FIs center on core compliance and customer-risk issues. Ncontracts found respondents ranked data privacy and security as their top AI-related vendor concern at 83%, followed by compliance and regulatory risk at 66%, operational risk at 61%, the “black box” explainability problem at 54%, and bias and fairness at 44%. The report notes that for institutions subject to fair-lending laws or required to explain credit denials, that lack of explainability can create legal exposure.

The survey also found third-party cyber incidents have become routine. Just over half of organizations—about 52%—said they experienced some form of third-party incident during the past 12 months, up from 46% a year earlier. Most were low-impact incidents, but the report said the real strain often comes from the time spent investigating issues, coordinating with vendors, implementing workarounds and restoring services.

Another finding likely to interest smaller financial institutions is the continued shift away from manual vendor-risk processes. The report said 85% now use TPRM software as their primary tool, while just 10% still rely on Excel or Google Sheets. Institutions using manual processes were more likely to be told during exams that improvements were required, and the report said manual-process users are significantly more likely to receive exam findings and less likely to view TPRM as delivering strategic value.

On governance, the report said 52% of institutions place TPRM under risk management or compliance, while the hybrid operating model—where a central team sets standards and business lines handle day-to-day vendor relationships—has become the dominant structure. Sixty percent now use the hybrid model, up 15% from 2025, which Ncontracts said reflects a growing recognition that centralized models do not scale well as vendor inventories expand.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Survey-FIs-Face-Growing-Vendor-Risk-With-Flat-Budgets-Lean-Staffs