When AI Runs Your Vendor Risk Loop, Human Judgment Becomes the Differentiator
Published
Jun 8, 2026
Introduction
This blog applies the third-party risk management lens to an argument I've been developing in longer form. If you want the full intellectual foundation, the Boyd history, the OODA misreads, and what it means for security leadership, read the original piece here: Boyd Got It Right.
AI just handed your third-party risk management (TPRM) program a massive upgrade. Continuous monitoring, automated vendor mapping and AI-assisted signal correlation used to require entire teams. Now they run in the background, around the clock, at a scale no analyst alone could match.
That's a good thing. But here's what it changes: when AI handles the pattern-matching, the work that's left (the decisions that still require a human) gets harder, not easier. The machine surfaces the signal. Your team still has to know what to do with it when the situation doesn't fit the existing playbook.
Your Program's New Job Description
Continuous vendor monitoring can surface a deteriorating cyber rating, flag a new ransomware signal, or trigger a tag the moment a critical vulnerability maps to a vendor in your ecosystem. That coverage is real. It removes the manual labor from pattern recognition against known threat signatures.
What it doesn't do is tell your team whether this vendor, in this moment, given your organization's specific concentration risk and operational dependencies, warrants a different response than the automated workflow prescribes.
That call requires the kind of judgment you build over time. Someone who knows the vendor relationship and understands what a compromise would cascade into downstream. Someone with enough domain experience to recognize when a clean signal is actually the beginning of something that doesn't fit the existing playbook.
That's the job now. The machine didn't eliminate it. It clarified it.
The Decision Framework That Changed How I Think About Security
John Boyd built a decision framework for fighter pilots in 1976. I've spent 15 years applying it to cybersecurity, and it's never been more relevant.
Boyd's OODA loop has four steps: Observe. Orient. Decide. Act. It's a clean model, simple enough to travel from fighter squadrons to business strategy. I encountered it in 2008 and recognized it immediately as a description of something I'd already been doing for decades.
But treating all four steps as equal is what Boyd called "bad OODA." He put Orientation at the center of everything: your prior experience, your training, your ability to synthesize incomplete information under pressure, all of it feeds Orientation.
I spent eight years as a cop before the next four decades in technology and security. I learned that reading a room incorrectly has immediate human consequences. That's the same instinct Boyd was building around.
He drew a line from Orient directly to Act, bypassing Decide entirely. For the practitioner who has seen enough variations of a situation, recognition and response become a single motion.
Back to AI. AI now runs the simplified loop better than any human team ever could. What it doesn't do is Orient like a human can, because effective orientation requires the willingness to destroy your own mental models when the evidence stops supporting them and rebuild a model that fits the actual situation in front of you.
That is not a technical skill that can be automated. And it's the skill your team needs most.
The Escalation That Lands on a Human Desk
The best-designed third-party cyber risk management (TPCRM) programs aren't built to eliminate human judgment. They're built to protect it: when something arrives that requires a real decision, the analyst receiving it has the context and tools to act on it correctly.
That means the automated layer has to earn trust. What erodes that trust? Alert fatigue. When analysts stop taking escalations seriously because the signal-to-noise ratio is off, the novel situation (the one that actually requires a human) gets missed.
This is where intelligence specificity becomes a structural advantage, not a feature. For example, here at Black Kite, we provide:
- FocusTags® that map global threat events directly to the vendors in your ecosystem, not to a general risk category. When a new risk surfaces, you're not auditing 5,000 vendors. You're looking at the 12 that are actually exposed.
- Ransomware Susceptibility Index® (RSI™) that estimates how likely each vendor is to experience a ransomware attack, so your team can act before an incident.
- Vulnerability Intelligence Brief™ (VIB™) that identifies which of your vendors run affected software and how exploitable that exposure actually is.
- Adversary Susceptibility Index™ (ASI™) that monitors threat-actor targeting signals at the vendor level, so the escalation that lands on a human desk arrives with actual context, not just a flag.
These aren't alerts for the sake of alerts. They route the right information to the right person at the right moment, so when a human needs to make a call, they're making it with intelligence, not noise.
What TPCRM Leaders Need to Build Right Now
If AI is running your monitoring loop correctly, the question is no longer "how do we get coverage?" It's "how do we build the human capacity to handle what the machine can't?"
That means three things:
- Invest in analyst development the same way you invest in platform capability. The practitioner who can recognize that a clean signal is the beginning of something new doesn't emerge from a compliance checklist. That judgment gets built through exposure to novel situations, supported by the right intelligence tools.
- Design escalation workflows that preserve judgment rather than just route tickets. If your workflow delivers a flag without context, the human at the end of it is guessing. Guessing isn't judgment; it just looks like it.
- Know your concentration risk and cascading risk exposure well enough that when something unusual arrives, your team can orient to it without a playbook that covers this exact scenario. Most programs can't do this yet. That's the gap.
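The second and third points above describe an enrichment step: a flag should reach the analyst carrying the concentration and cascade context the program already knows about. As an added example, not Black Kite's code and not part of the original post, the Python below sketches that step. A bare product/version flag from an automated layer is mapped to the vendors actually running an affected version, and each hit is scored by the services that would be affected, including through a fourth-party chain, so the escalation arrives ranked by blast radius rather than as a flag alone. The vendors, services, dependency edges, version numbers and the flag itself are constructed for illustration, and the criticality score is a placeholder rule, not a product method.

```python
"""Enrich an automated vendor flag with concentration and cascade context.

Added example, not Black Kite code. Every vendor, service, dependency edge,
version number and the flag itself below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vendor:
    name: str
    products: Dict[str, str]                            # product -> deployed version
    depends_on: Set[str] = field(default_factory=set)   # fourth parties (vendor names)


@dataclass
class Service:
    name: str
    criticality: int          # 1 (low) .. 5 (revenue-critical); constructed scale
    vendors: Set[str]         # vendors the service runs on


# Constructed ecosystem: four services, five vendors, one fourth-party chain.
VENDORS: Dict[str, Vendor] = {
    "PayCo":    Vendor("PayCo",    {"FileMover": "4.1.0"}),
    "LogiCorp": Vendor("LogiCorp", {"FileMover": "4.3.2"}),
    "DataHub":  Vendor("DataHub",  {"Warehouse": "2.0"}, depends_on={"CloudBox"}),
    "CloudBox": Vendor("CloudBox", {"FileMover": "3.9.0"}),
    "HRSaaS":   Vendor("HRSaaS",   {"People": "7.1"}),
}

SERVICES: List[Service] = [
    Service("checkout",  5, {"PayCo"}),
    Service("analytics", 3, {"DataHub"}),
    Service("shipping",  4, {"LogiCorp", "PayCo"}),
    Service("payroll",   2, {"HRSaaS"}),
]

# Constructed flag of the kind an automated layer emits: product plus fixed version.
FLAG = {"product": "FileMover", "fixed_in": (4, 2, 0), "exploited_in_wild": True}


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.0' -> (4, 1, 0); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def exposed_vendors(flag, vendors):
    """Vendors running the flagged product below the fixed version."""
    out = []
    for v in vendors.values():
        ver = v.products.get(flag["product"])
        if ver is not None and parse_version(ver) < flag["fixed_in"]:
            out.append(v.name)
    return sorted(out)


def downstream_vendors(vendor, vendors):
    """Vendors that transitively depend on `vendor`: a fourth-party compromise
    cascades upward to every vendor built on it."""
    found, frontier = set(), [vendor]
    while frontier:
        cur = frontier.pop()
        for other in vendors.values():
            if cur in other.depends_on and other.name not in found:
                found.add(other.name)
                frontier.append(other.name)
    return found


def blast_radius(vendor, vendors, services):
    """Services affected if `vendor` is compromised, directly or via cascade,
    and which of them have no alternate vendor left (single point of failure)."""
    hit_vendors = {vendor} | downstream_vendors(vendor, vendors)
    affected, spof = [], []
    for s in services:
        if s.vendors & hit_vendors:
            affected.append(s.name)
            if not (s.vendors - hit_vendors):    # nothing left to fail over to
                spof.append(s.name)
    # Placeholder rule: sum of criticality of affected services.
    score = sum(s.criticality for s in services if s.name in affected)
    return {"services": affected, "spof": spof, "criticality": score}


def enrich(flag, vendors=VENDORS, services=SERVICES):
    """Turn a bare product flag into ranked escalations with cascade context."""
    rows = []
    for name in exposed_vendors(flag, vendors):
        row = blast_radius(name, vendors, services)
        row["vendor"] = name
        rows.append(row)
    # Highest business impact first; number of single points of failure breaks ties.
    rows.sort(key=lambda r: (r["criticality"], len(r["spof"])), reverse=True)
    return rows


if __name__ == "__main__":
    for row in enrich(FLAG):
        print(f'{row["vendor"]:9} impact={row["criticality"]} '
              f'services={row["services"]} spof={row["spof"]}')
```

Run as a script, the flag for FileMover surfaces two of the five constructed vendors, and PayCo lands first because checkout has no alternate vendor, while CloudBox is caught only because DataHub sits on top of it. That second hit is the fourth-party case a flat product match would miss, and it is the kind of context the analyst needs in hand before deciding whether the default workflow is the right response.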
The machine handles the pattern. Your team still owns the exception.
Build accordingly, and make sure the intelligence layer supporting your analysts is specific enough to actually earn their trust. See how Black Kite maps your third-party cyber risk in real time and routes what matters to the people who need to act on it.