Your Company Has More Vendors Than You Think

Third Party Podcast: How to Manage Vendor Sprawl


Check out our podcast, Third-Party. This is the podcast built for the people behind the dashboards. The ones managing 5,000 vendors with a team of three.

Introduction

You cannot manage risk you cannot even see.

That single statement cuts to the heart of one of the most underestimated problems in third-party risk management (TPRM) today. Most organizations have significantly more vendors than they believe they do. Not slightly more. Dramatically more. And the gap between perceived vendor count and actual vendor count is exactly where attackers make their moves.

In this episode of Third Party, hosts Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik take on vendor sprawl — what it is, why it keeps accelerating, and what the most effective security and risk teams are doing to get ahead of it.

The Vendor Count Problem Nobody Wants to Admit

Ask any audience of security professionals how many vendors their organization relies on. The answers are almost always wrong, and they are almost always too low.

A small company run out of a home kitchen can easily accumulate 36 vendors without any deliberate procurement strategy. A mid-size enterprise? Hundreds. A large enterprise with distributed business units, decentralized procurement, and a credit card in every department? The number can climb into the tens of thousands — and that is before accounting for the vendors those vendors rely on.

The Deloitte Global Third-Party Risk Management Survey puts hard numbers on this. Sixty percent of organizations work with more than 1,000 third parties. Thirty percent work with more than 10,000. And both of those figures are almost certainly understated, because they only capture the vendors organizations actually know about.

The ones they don't know about are the problem.

Shadow IT Is Not a New Problem. But the AI Version Is Worse.

Shadow IT has been a fixture of enterprise risk conversations for years. Employees download tools, add browser extensions, spin up SaaS accounts with a personal credit card, and connect data to platforms that have never been reviewed, assessed, or even acknowledged by IT or security.

The motivations are rarely malicious. People are trying to work faster, hit their numbers, and stay competitive in an environment where IT procurement timelines often run months behind business needs. When someone needs a tool today and the approval process takes three months, the path of least resistance wins.

But the modern version of this problem has a new layer: AI. Every SaaS platform has quietly plugged an AI feature into its stack. Every AI feature is backed by a model from a third party. That third party becomes part of your ecosystem whether you know it or not. A browser extension installed in under a minute can grant permissions to data across an entire identity stack, and when it stops being useful it rarely gets removed. It just sits there, still connected, still a risk.

This is the AI shadow IT problem, and it is accelerating faster than most programs have frameworks to handle.

Extended Ecosystems and the Limits of Discovery

Supply chain sprawl pushes the vendor count problem well beyond what any reasonable program can track manually. Consider a manufacturer with five production facilities in China. Each facility uses multiple logistics partners, multiple shipping lines, and connects to multiple ports on both ends of the ocean. The vendor relationships multiply at every node, and by the time you trace the full extended ecosystem, you are looking at hundreds of connections that no one owns and few people have visibility into.

The desk reservation app is a perfect illustration of how low-profile vendors become high-consequence risks. After remote work gave way to hybrid schedules, many large organizations adopted booking tools to manage limited office seating. One of those vendors experienced a breach, and credentials from a large enterprise customer were exposed as a result. The reservation app had never touched the third-party risk management process. It was not considered critical. Nobody had asked the questions.

That gap between "not critical" and "not assessed" is where breaches happen.

Full visibility is a goal worth pursuing, but honest practitioners know it is ultimately a myth. A salesperson running a customer outreach tool from a personal phone is, by definition, invisible to your enterprise discovery stack. The goal is not perfection. It is getting close enough to surface the highest-risk exposures before they become incidents.

AI Agents Are Vendors You Haven't Onboarded

The next frontier of vendor sprawl is not a SaaS platform or a browser extension. It is an agent.

As organizations deploy AI agents to automate workflows, each agent becomes a node in its own vendor web. An agent running on an LLM is connected to that model provider. If it pulls from an external data source to complete a task, that data source becomes part of your ecosystem. The agent itself may be assessing risk, accessing sensitive systems, or making decisions on behalf of your organization — while the underlying vendor relationships powering it have never been assessed, monitored, or even identified.

Non-human identities now outnumber human identities in many enterprise environments. These identities have access to systems, and they are multiplying. The notion that automation reduces vendor count is precisely backwards. Every agent you deploy potentially adds vendors to your environment that you have no current method to discover, let alone manage.

You cannot send a questionnaire to an agent. Even if you could, it would answer the way you expect it to. The practices that have anchored third-party risk management for the past decade are not built for this problem, and the gap is widening.

What the Best Teams Are Actually Doing

The answer is not to block everything. Organizations that take an absolutist stance on approved tools create a different kind of problem: they push employees toward workarounds, personal devices, and the exact shadow behavior they were trying to prevent. No policy has ever successfully eliminated human ingenuity when someone needs to get a job done.

The programs making real progress share a few characteristics.

They invest in discovery first. Before managing a vendor, you have to know it exists. Identity access data, endpoint detection tools, and SSO logs are often sitting in the stack already — they just need to be connected and read. The data is usually there. The process to surface it often is not.

They pair that discovery with continuous monitoring so new vendors don't slip back into the shadows after onboarding.

They build tiered approval processes that enable speed without sacrificing governance. A curated list of pre-assessed, pre-approved vendors, organized by role and category, lets employees move quickly without opening the door to unvetted risk. When an employee needs something that is not on the list, a lightweight business case and a fast-track review add friction without becoming a wall.
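As an added illustration of the discovery-first and pre-approved-list practices above (example code written for this article, not Black Kite's product or any identity provider's export format), the script below reads constructed SSO/OAuth sign-in lines, reconciles the apps it finds against a constructed "assessed vendors" inventory, ranks the unassessed ones by how many users touch them, and flags grants that have gone unused but remain connected. The log format, app names and approved list are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO/OAuth log, "<timestamp> <user> <app> <event>" per line
# (an assumed format, not any real identity provider's export schema).
SSO_LOG = """\
2024-05-01T09:02:11Z alice@example.com Salesforce consent_granted
2024-05-01T09:15:40Z bob@example.com DeskBooker sign_in
2024-05-02T10:01:05Z carol@example.com deskbooker sign_in
2024-05-03T08:45:00Z dave@example.com GrammarBoost-ext consent_granted
2024-05-20T11:30:22Z alice@example.com Salesforce sign_in
2024-05-21T14:12:09Z erin@example.com Salesforce sign_in
2024-02-10T16:00:00Z frank@example.com OldSurveyTool consent_granted
"""
# Constructed inventory of vendors that have been through TPRM review.
APPROVED = {"salesforce"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_sso_log(text):
    """Return {app: {"users": set, "last_seen": datetime}} with app names lower-cased."""
    apps = defaultdict(lambda: {"users": set(), "last_seen": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, _event = line.split()
        rec = apps[app.lower()]  # DeskBooker and deskbooker are one vendor
        rec["users"].add(user)
        seen = datetime.strptime(ts, TS_FMT)
        if rec["last_seen"] is None or seen > rec["last_seen"]:
            rec["last_seen"] = seen
    return dict(apps)


def find_unassessed(apps, approved, now_iso, stale_days=60):
    """Apps absent from the inventory, busiest first; flags grants unused for stale_days."""
    now = datetime.strptime(now_iso, TS_FMT)
    report = []
    for app, rec in apps.items():
        if app in approved:
            continue
        stale = (now - rec["last_seen"]) > timedelta(days=stale_days)
        report.append((app, len(rec["users"]), stale))
    return sorted(report, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    rows = find_unassessed(parse_sso_log(SSO_LOG), APPROVED, "2024-06-01T00:00:00Z")
    for app, n, stale in rows:
        print(f"{app}: {n} user(s){' [stale grant, still connected]' if stale else ''}")
```

Feeding a real identity provider's sign-in export into the same two functions turns the "how many vendors do we have" question into a list that a fast-track review queue can actually work through.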

They shift from observational TPRM to action-oriented TPRM. Identifying a problem is not the same as managing it. The industry has spent years sending reports upstream that say "here is a problem." The programs gaining ground are the ones building the next step into the workflow: here is the problem, and here is what happens next.

And they are rethinking what "critical" actually means. The instinct to focus monitoring resources on the largest, most regulated vendors with the most contractual leverage is understandable. It is also consistently where programs get surprised. The Target breach — still one of the most referenced third-party incidents in the industry — came through an HVAC vendor from Pittsburgh that did not appear on anyone's critical vendor list. Criticality based on inherent risk, without accounting for the controls actually in place, routinely misallocates attention toward lower-residual-risk relationships while higher-consequence exposures go unmonitored.

Agree or Disagree? What the Vendor Sprawl Debate Gets Wrong

Fewer vendors always equals less risk.

Not necessarily. Vendor consolidation reduces the number of relationships to manage, but it concentrates dependency. When a single vendor goes down and it is the only vendor doing a critical function, the business impact can be severe. Fewer vendors also often means more shadow IT, because the approved list is shorter and less likely to cover what employees actually need. Resilience and vendor count are in tension, and the right balance depends on the organization.

More tooling solves the visibility problem.

It can make it worse. The reflex to buy a new tool for every new problem is one of the most common failure modes in enterprise security programs. When four tools are doing overlapping work — bought by different departments with no coordination — the result is not more visibility. It is contradictory data, decision paralysis, and budget waste. Better tooling, applied with precision to specific problems, is different from more tooling applied as a substitute for strategy.

Procurement should be the gate for everything.

The argument for it is straightforward: if a vendor relationship involves spending money, procurement is already in the room. They track spend, enforce contract terms, and have leverage over onboarding. The argument against it is equally straightforward: procurement does not move at the speed the business often needs, and shadow IT exists largely because employees are working around processes that are too slow. Both things are true. The more useful framing may be that procurement should be the gate for everything that gets discovered — meaning that when a shadow vendor surfaces, the path to legitimacy runs through procurement, not around it.

DON'T MISS AN EPISODE!

Subscribe to Third Party on YouTube, the podcast for the people who don’t need to ask ChatGPT what TPRM means. New episodes every other week.

Next Time on Third Party

How do you actually put a dollar figure on a third-party breach? And what happens when those numbers hit your board?

Remember — cybersecurity doesn't thrive in the shadows. It demands daylight. Until next time.
