Dataconomy

85% of security leaders are flying blind on supply chain threats, Panorays study says

New research reveals a dangerous gap between awareness and action in third-party cybersecurity.

by Editorial Team
January 14, 2026
in Cybersecurity

A new survey from Panorays paints a troubling picture of the state of third-party security risk management. Despite growing awareness of supply chain vulnerabilities, most security leaders still can’t see what’s coming through their back door. Panorays is a global provider of third-party cybersecurity management software. The 2026 CISO Survey for Third-Party Cyber Risk Management, based on responses from 200 US-based Chief Information Security Officers, reveals a striking disconnect between perceived threats and actual preparedness.

While 60% of CISOs report an increase in third-party security incidents over the past year, only 15% say they have full visibility into those risks. The remaining 85% are operating with significant blind spots.

This visibility gap is creating real exposure. Organizations without clear sight lines into their supply chains are increasingly susceptible to prolonged outages, exposure of sensitive systems, financial losses, and compliance violation penalties. Without proper monitoring, even minor incidents have the potential to spiral out of control.

The survey was conducted in October 2025 by Global Surveyz, an independent research company, on behalf of Panorays. The sample included 200 Chief Information Security Officers from US-based companies in finance, insurance, professional services, technology, healthcare and software development sectors. All respondents are full-time employees responsible for overseeing third-party cybersecurity risk management within their organizations.

Awareness is high, but preparedness remains dangerously low

The survey found that 77% of CISOs recognize third-party risk as a major threat to their organizations. Yet only 21% have tested crisis response plans in place. This gap between recognition and readiness suggests that many organizations are waiting for a breach to happen before taking action.

The problem extends beyond direct suppliers. Although 60% of respondents report rising third-party breaches, just 41% monitor risk beyond their immediate vendors. This means CISOs are watching the front door while the biggest risks are lurking in the background—in fourth-party and fifth-party relationships that most security teams never examine.

“Our findings show that third-party security vulnerabilities aren’t going away—in fact, they’re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,” said Matan Or-El, founder and CEO of Panorays. “Meanwhile, it’s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.”

Shadow AI: The new blind spot

One of the most concerning findings involves artificial intelligence. Despite rapid AI adoption across enterprises, only 22% of CISOs have formal vetting processes for AI tools. This leaves unmanaged third-party AI systems embedded in core environments without proper security scrutiny.

The risk is significant: 60% of respondents identified unmanaged AI tools as uniquely dangerous. Teams are adopting black-box AI tools faster than security teams can evaluate them, creating a growing blind spot as high-risk third-party systems are granted access to IT environments without oversight.

“The rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface,” Or-El noted. “CISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape.”

GRC platforms are failing security teams

Here’s where the findings get particularly interesting: companies are investing heavily in security tools, but those tools aren’t delivering results.

The survey found that 61% of businesses have invested in Governance, Risk, and Compliance (GRC) software solutions—a dramatic increase from just 27% in Panorays’ 2025 report. Yet despite this surge in adoption, 66% of CISOs say these platforms are ineffective at dealing with the dynamic nature of external third-party supply chain risks.

The result? Security teams are forced to rely on manual workarounds, increasing the likelihood that vulnerabilities slip through the cracks. More spending isn’t translating into better visibility. Something in the current approach isn’t working.

Traditional security assessments are also falling short. A full 71% of CISOs admit that traditional questionnaires no longer meet expectations. Instead of providing visibility into the threat landscape, these static assessments are creating fatigue—endless forms that generate compliance paperwork but fail to surface actual risks.

AI-driven tools gaining traction

Despite the bleak overall picture, there are encouraging signs that organizations are adapting. CISOs are increasingly turning to AI-driven assessment tools as an alternative to failing legacy approaches. Adoption of AI for third-party risk management has surged from 27% a year ago to 66% this year.

This shift is producing measurable results. The percentage of CISOs reporting full visibility into their software supply chains has improved from just 3% in 2025 to 15% in 2026. That’s a fivefold increase in one year.

But perspective matters here. While the progress is real, 85% of organizations still lack a complete view of their overall threat landscape. Moving from 3% to 15% is an improvement. It’s not a success.

The path forward

The survey’s findings point to a fundamental challenge in modern cybersecurity. Supply chains are becoming more complex, not less. The proliferation of AI tools—both sanctioned and shadow—is expanding the attack surface faster than security teams can map it. And the tools that organizations have invested in over the past decade weren’t designed to manage dynamic, interconnected third-party risks at scale.

For CISOs, the message is clear: awareness without visibility is not enough. Crisis plans that haven’t been tested aren’t really plans. And watching only direct suppliers while ignoring the broader ecosystem is a strategy that leaves too many doors unguarded.

The organizations that close this gap will be the ones that move beyond checkbox compliance toward continuous, AI-assisted monitoring of their entire supply chain. The 85% that don’t will continue flying blind—until something forces them to see.

