Title: Panorays 2026 Study: 85% of CISOs Unable to Detect Third-Party Threats Amid Rising Supply Chain Attacks
- Jan 14
Key Findings and Insights
Preparedness is dangerously low: While 77% of CISOs see third-party risk as a major threat, only 21% have tested crisis response plans in place.
Most organizations are blind to vendors: Although 60% report rising third-party breaches, just 41% monitor risk beyond direct suppliers.
Shadow AI is creating new attack paths: Despite rapid AI adoption, only 22% of CISOs have formal vetting processes, leaving unmanaged third-party AI tools embedded in core environments.
CISOs are dissatisfied with their compliance stacks: 61% of businesses have invested in GRC software solutions, yet 66% say these platforms are ineffective in dealing with the dynamic nature of external third-party supply chain risks.
Static security assessments are no longer up to the job: 71% of CISOs admit that traditional questionnaires fall short of expectations, creating fatigue instead of visibility into the threat landscape.
Background
The report found a growing sense of urgency among CISOs over the failure of traditional GRC platforms to manage third-party risk at scale. Almost two-thirds of organizations have invested in GRC tools, up from just 27% in the 2025 version of Panorays' report, yet overall visibility has declined, and dissatisfaction with these systems is growing.
Visibility Is Being Prioritized, but CISOs' Hands Remain Tied
Fortunately, there are signs that organizations can close the visibility gap as more CISOs explore the use of advanced, AI-driven tools to improve their security posture. Adoption of AI for third-party risk management has surged, up from 27% a year ago to 66% this year. This shift has led to significant, but still alarmingly insufficient, growth in the ability of organizations to properly assess the third-party threat landscape. The 2026 survey found that 15% of CISOs now say they have full visibility into their software supply chains, up from just 8% a year earlier.
Sources
https://securityonline.info/2026-study-from-panorays-85-of-cisos-cant-see-third-party-threats-amid-increasing-supply-chain-attacks/
https://securityonline.info/spycloud-launches-supply-chain-solution-to-combat-rising-third-party-identity-threats/
https://hackread.com/spycloud-launches-supply-chain-solution-to-combat-rising-third-party-identity-threats/

