Rising Cybersecurity Demands

As hackers increasingly gain access through partners and suppliers (third parties), Third-Party Risk Management (TPRM) is becoming more critical. Organizations are more dependent than ever on the cybersecurity maturity of the parties they work with. Regulators are responding by setting explicit requirements for TPRM, such as those found in the DORA and NIS2 regulations. This leads to increased compliance pressure: organizations face a growing workload to properly implement TPRM. Much of this work is manual and error-prone—think of reviewing outdated contracts, assessing questionnaires, requesting assurance reports, and validating partners.

TPRM: High Effort, Low Standardization

In practice, knowledge sharing between organizations varies widely. Long questionnaires and mandatory documentation are exchanged back and forth, and every requirement, document, and response must be manually reviewed before determining compliance. Meanwhile, regulatory pressure continues to grow, resulting in even more paperwork, questionnaires, and control layers. All of this must be handled with limited resources—people, time, and budget—which increases the risk of mistakes. Importantly, clients must deliver assurance faster, and suppliers must respond more consistently to avoid delays in deals and renewals.

Smart Digitization with AI

At KPMG, we help organizations make their TPRM function more efficient and resilient using AI—without removing people from the process.

  • Contract Management: AI language models compare clauses with current requirements and best practices, highlight gaps (e.g., incident reporting timelines, patch SLAs), and suggest concrete edits. Legal teams stay in control but start with a commented draft instead of a blank page.

  • Compliance Support: Submitted documents such as SOC/ISAE reports and pentest results are automatically summarized into relevant controls and residual risks. Clients can prioritize faster; suppliers see in advance where their documentation has gaps. Review cycles shrink from weeks to days or even hours.

  • Discovery and Live Register (3rd and 4th parties): External signals (e.g., RiskRecon) automatically link domains, certificates, and assets to suppliers and subprocessors. This creates a dynamic supplier register that flags changes (e.g., new subprocessors, expired certificates). By combining trends, AI also provides predictive insights into hotspots that require extra attention.

Embedding a New Way of Working

TPRM with AI requires clear roles, processes, and governance. KPMG supports organizations in setting up governance structures, training teams, and integrating AI outcomes into existing GRC and contract management systems. Where appropriate, we collaborate with partners like RiskRecon.

Our principle is clear: AI reduces administrative burden and improves quality and auditability—but it doesn’t replace human judgment. People make the decisions; AI ensures they can do so faster and with better evidence.