A new global study reveals widespread AI integration in enterprises, yet many organisations lack visibility and consistent governance for third-party AI, exposing critical vulnerabilities amid evolving regulations.

Ask any board whether artificial intelligence is on the agenda and the answer is invariably yes; ask how confident they are about their vendors’ use of AI and the picture is far less clear. According to the original report and accompanying analysis, HTF Research’s global study, sponsored by Mitratech, finds AI spreading rapidly through enterprises while visibility into third‑party AI remains a persistent blind spot. [1][2]

The study shows governance maturity varying widely by sector and size. Industry data indicates highly regulated sectors such as banking, asset management and insurance report stronger frameworks, while many corporates, brokerages and energy firms lag behind. Frameworks including the EU AI Act, NIST AI RMF and emerging standards such as ISO 42001 are becoming common alignment points, but adoption is uneven. [1][4][7]

A central finding is the limited inclusion of vendor AI in organisational AI inventories. Many firms, particularly in the UK, exclude third‑party AI from their registers, leaving risk and compliance teams unable to monitor or verify vendor use. This phenomenon echoes the MIT Sloan analysis of “shadow AI” and is amplified by fast software release cycles that frustrate inventory management. [1][2][4]

Governance and third‑party risk management (TPRM) frequently operate in parallel rather than as integrated functions. The research finds some banking and asset management firms have begun integrating AI oversight into TPRM, but most organisations still treat AI risk as siloed from routine third‑party reviews. Industry reporting shows only a small number of vendors have been terminated for AI‑related concerns, underscoring weak contractual and evidential levers. [1][3][6]

Confidence levels are low: most organisations rate their readiness to manage third‑party AI risk around 2–3 out of 5. Many compliance teams assess fewer than 100 vendors for AI risk and do not require vendor disclosure of AI governance policies. Mitratech’s broader TPRM research also highlights chronic resource constraints, with many teams understaffed and covering only a fraction of their vendor base. [1][3]

Boards are increasingly engaged and budgets are shifting accordingly. The study reports that a majority of boards have requested AI‑risk updates in the last year, and many organisations plan to raise AI governance spend in the next 12–18 months. Gartner and KPMG findings reinforce this trend, noting accelerating demand for TPRM technology and continuous monitoring as organisations face a “perfect storm” of regulatory and operational pressures. [1][5][6]

Regulatory readiness is a pressing concern. Not a single respondent rated themselves as “very prepared” for emerging AI rules, and outside finance most firms do not require vendors to meet the same internal AI governance standards. Cross‑regional research shows regulatory approaches differ: the EU emphasises structured transparency, the US relies on sectoral regimes, the UK pursues flexible sectoral guidance and China favours centralised directives, complicating a simple, global compliance strategy. [1][7]

There is clear appetite for unified solutions that bind AI governance and TPRM. North America and APAC show particular interest in platforms that centralise inventories, automate monitoring and standardise evidence collection, but current adoption of automated model monitoring remains low. KPMG and Mitratech both highlight the shift from periodic reviews to continuous, intelligent oversight as necessary to manage scale and detect drift, bias or control failures in real time. [2][5]

For risk and compliance leaders the report recommends four priorities: drive visibility across internal and vendor ecosystems; embed AI governance into TPRM workflows with shared controls and standard evidence; move from point‑in‑time assessments to continuous monitoring and performance tracking; and align controls to major regimes such as the EU AI Act to achieve broad regulatory coverage. Acting on these areas will convert an invisible exposure into a governed asset. [1][2][5]

If firms do not broaden governance beyond their firewall, compliance will increasingly be constrained by the weakest supplier. The convergence of board oversight, investment momentum and technological capability offers a narrow window: organisations that integrate governance, improve vendor transparency and deploy continuous monitoring will be best placed to manage the next wave of AI‑driven change. [1][6][3]

📌 Reference Map:

  • [1] (JD Supra / HTF Research) – Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8, Paragraph 9, Paragraph 10
  • [2] (Mitratech blog) – Paragraph 1, Paragraph 3, Paragraph 8, Paragraph 9
  • [3] (GlobeNewswire / Mitratech TPRM Study) – Paragraph 5, Paragraph 6, Paragraph 10
  • [4] (MIT Sloan Management Review) – Paragraph 2, Paragraph 3
  • [5] (KPMG report) – Paragraph 6, Paragraph 8, Paragraph 9
  • [6] (Gartner press release) – Paragraph 6, Paragraph 10
  • [7] (arXiv cross‑regional study) – Paragraph 2, Paragraph 7

Source: Noah Wire Services

Noah Fact Check Pro

The draft above was created using the information available at the time the story first
emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed
below. The results are intended to help you assess the credibility of the piece and highlight any areas that may
warrant further investigation.

Freshness check

Score: 8

Notes:
The narrative references a global study by HTF Research, sponsored by Mitratech, indicating recent findings. The earliest known publication date of the study is June 25, 2025, as reported by GlobeNewswire. The JD Supra article was published on December 5, 2025, suggesting the content is fresh. However, the presence of multiple references to the same study across different platforms may indicate recycled content. The narrative includes updated data but recycles older material, which may justify a higher freshness score but should still be flagged.

Quotes check

Score: 9

Notes:
The narrative includes direct quotes from the Mitratech study and other reputable sources. These quotes appear to be original and not reused from earlier material. No identical quotes were found in earlier publications, suggesting originality.

Source reliability

Score: 7

Notes:
The narrative originates from JD Supra, a platform that republishes content from various sources, including Mitratech. While JD Supra is a known platform, its content is user-generated and may not always undergo rigorous editorial review. The Mitratech study is a primary source, and its findings are credible. However, the JD Supra article’s reliability is moderate due to its nature as a republishing platform.

Plausibility check

Score: 8

Notes:
The claims made in the narrative align with findings from reputable sources, such as the Mitratech study and KPMG’s report on AI in third-party risk management. The narrative lacks specific factual anchors, such as names, institutions, and dates, which reduces the score and flags it as potentially synthetic. The tone and language used are consistent with professional industry reports, suggesting plausibility.

Overall assessment

Verdict (FAIL, OPEN, PASS): OPEN

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary:
The narrative presents findings from a recent Mitratech study, indicating a fresh perspective on third-party AI governance. However, the presence of recycled content and the moderate reliability of the JD Supra platform raise concerns. The lack of specific factual anchors and the potential for synthetic content further complicate the assessment. Given these factors, the overall assessment is OPEN with medium confidence.
