Top 5 TPRM Predictions for 2026: What Cybersecurity Leaders Need to Know

Third Party Podcast: Why 2026 Might Be the Hardest Cyber Year Yet


Episode Recap

As global supply chains become digital battlegrounds, Black Kite experts Jeffrey Wheatman, SVP Cyber Risk Strategist; Bob Maley, Chief Security Officer; and Ferhat Dikbiyik, Chief Research and Intelligence Officer, reveal five predictions that will redefine how organizations manage vendor and ecosystem risk in 2026.

The Shifting Cyber Battleground: Why Your Scorecards Are Failing

The warning signs are already here.

In 2024, third-party risk moved from a back-office concern to a board-level issue. Black Kite’s The Silent Breach, our 2025 Third-Party Breach Report, uncovered that: 

  • Third parties became the biggest cyber threat in 2024. 
  • More than half of all third-party breaches stemmed from unauthorized network access.
  • Two-thirds of known third-party attack methods are tied to ransomware. 

These weren’t isolated incidents; they were systemic failures across shared ecosystems — proof that the cyber battleground has shifted decisively into the supply chain.

Digging deeper into ransomware, our 2025 Ransomware Report revealed that:

  • Publicly disclosed ransomware victims surged to 6,046 organizations worldwide — a staggering 25 percent jump year over year and a 123 percent rise in just two years. 
  • Much of that damage didn’t stem from direct attacks but from vulnerabilities buried deep within vendor networks.

And as our 2025 Supply Chain Vulnerability Report made clear, the technical debt behind those breaches keeps growing: 

  • More than 40,000 vulnerabilities were published in 2024, a 38 percent year-over-year (YoY) increase. 
  • Of these, 780 are high-priority vulnerabilities: flaws that threat actors actively exploit and that affect widely used enterprise software, cloud services, and third-party dependencies, making their mitigation crucial for supply chain security.

Zeroing in on the ones that matter most to your vendor ecosystem’s cybersecurity is critical.

Together, these reports paint a picture of third-party ecosystems under siege. The question now isn’t whether third-party and supply-chain attacks will escalate, but how they will escalate and how organizations will adapt to survive them.

As we enter 2026, Black Kite’s cyber risk experts share their predictions for what’s next in Third-Party Risk Management (TPRM), from boardroom accountability and AI disruption to ransomware’s evolving threat landscape.

1. The Eight-Figure Manufacturing Meltdown

"One major manufacturer will suffer an eight-figure financial loss from a supply-chain cyber incident." 

– Jeffrey Wheatman, SVP Cyber Risk Strategist, Black Kite

Most manufacturers continue to focus on traditional supply chain risks, such as labor shortages, safety compliance, sanctions violations, and logistics disruptions, as these challenges are highly visible, heavily regulated, and long-standing compliance priorities. In contrast, cyber risks within the supply chain (vulnerabilities, ransomware susceptibility, and other digital exposures) are often underprioritized. 

This is evident in the fact that manufacturing remains ransomware’s number-one target for the fourth consecutive year, with supply chain exposure being a significant driver. Given this, we predict that one major manufacturer will suffer an eight-figure financial loss from a supply chain-related cyber incident in 2026.

Implication: Manufacturers must elevate cyber risk to the same level as safety and logistics risk, investing in continuous monitoring of supplier networks and quantifying potential financial exposure.

2. The AI Vendor Consolidation: Who Survives the Purge?

"50% of AI vendors will fail as rising costs drive consolidation."

– Jeffrey Wheatman, SVP Cyber Risk Strategist, Black Kite

By the end of 2026, we predict that as much as half of today’s AI vendors will go out of business, leaving customers stranded with unsupported and deeply embedded technologies. The market is oversaturated with small AI startups, many founded by lean teams and backed by short funding cycles, that will be unable to survive intense competition and cost pressures. 

The cost of compute is being driven up by major AI providers like OpenAI, Anthropic, and Google, which will force consolidation. This consolidation will also reshape the broader business landscape. Smaller and mid-sized companies will find themselves priced out of embedding AI into their operations, unable to compete or innovate at the pace of larger, better-funded enterprises.

Implication: As the AI market contracts, vendor failure will become a new form of supply chain risk. TPRM teams must assess AI partners not only for technical capability, but for long-term stability, funding strength, and data governance maturity. The collapse of an embedded AI vendor could disrupt operations, create unmonitored data exposure, and cascade through your entire digital ecosystem.

3. Boardroom Accountability: Moving Past the "Check-the-Box" Era

"Third-party and supply-chain cyber risk will become a boardroom priority."

– Jeffrey Wheatman, SVP Cyber Risk Strategist, Black Kite

We predict that supply-chain and third-party cybersecurity risk will move firmly onto the boardroom agenda in 2026. Recent high-profile incidents, including the F5, Salesloft/Drift, Jaguar Land Rover, and Asahi breaches, have demonstrated how a single vendor failure can trigger widespread operational disruption and reputational damage across the supply chain.

As a result, boards are beginning to view supply-chain resilience not as a technical concern, but as a fundamental business risk. Expect boards to ask CSOs/CISOs for visibility into cyber risk across their supply chains and for reporting of high-risk exposures, along with greater investment in continuous vendor monitoring and the ability to quickly mitigate potential exposures.

The conversation will evolve from “Do we have controls in place?” to “How do we continuously validate the cyber health of our entire ecosystem?” 

Implication: To capture board attention, TPRM teams must translate technical risk into business terms. Using cyber risk quantification to express third-party exposure in financial impact enables leaders to understand, prioritize, and act on risk as they would any other enterprise threat — aligning cybersecurity with business performance and strategy.

4. The AI Security Gap: Innovation vs. Exposure

"The rush to adopt AI will outpace security, expanding risk across the supply chain."

– Bob Maley, Chief Security Officer, Black Kite

The rapid push to embed AI into every workflow, driven by top-down pressure to innovate, increase productivity, and stay competitive, will create increased opportunities for attackers. While some companies will attempt to impose strict AI governance requirements, existing AI risk frameworks remain fragmented and inconsistent across industries.

For many, assessing AI vendors and your vendors’ use of AI remains a highly manual and complex process, often viewed as too disruptive to procurement and innovation. As businesses across all industries integrate AI vendors at record speed, threat actors will increasingly exploit the expanding web of interconnected AI systems. Every layer of the supply chain is now experimenting with AI, multiplying exposure across ecosystems. Small, specialized AI providers with deep data access but weak security will become high-risk links throughout the vendor network.

Implication: Add AI vendor use as a new layer in your TPRM assessments, as your vendors’ AI models may be your next attack surface. Use a global AI assessment framework to evaluate how AI is being deployed across your ecosystem, uncover hidden dependencies, and identify emerging risks before they escalate.

5. Ransomware 2.0: The Rise of the Super-Collectives

"Ransomware will surge as threat groups consolidate." 

– Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite

Following last year’s law enforcement takedowns of several major ransomware groups, we’re seeing smaller operators now merging to form larger, more capable collectives. Historically, when dominant groups are dismantled, a surge in ransomware attacks follows, and 2026 will be no different. 

Ransomware campaigns will increasingly target interconnected supply chains, disrupting operations across entire ecosystems. Manufacturing, already ransomware’s number-one target, will remain at the top of the list as attackers exploit its vast, connected networks.

Implication: Organizations must plan for ransomware not as a single-incident threat but as a cascading ecosystem risk. Building true resilience means identifying which third parties are most at risk so that proactive mitigation can begin before an attack ever starts.

How to Adapt Your TPRM Program in 2026

2026 will mark a turning point in how organizations view and manage third-party cyber risk. The future won’t belong to those who react fastest after a breach — it will belong to those who see it coming.

As the supply chain becomes the new frontline of cybersecurity, resilience will depend on three things: continuous visibility, reliable risk intelligence, and the ability to turn data into action. That’s the evolution Black Kite was built for — and it’s the one that will define 2026.


Next Time on Third Party

Next time, we’re asking a bigger question: Does risk management need a brain, or just a better model? You don’t want to miss this one. Subscribe now.
