Third-Party Cyber Risk Soars: New Report Reveals Alarming Visibility Gaps
New York, NY – January 26, 2026 – A newly released report from Panorays reveals a dramatic increase in third-party cyber incidents, coupled with a critical lack of visibility among organizations attempting to manage these escalating threats. The 2026 CISO Survey for Third-Party Cyber Risk Management highlights a dangerous disconnect between perceived risk and actual preparedness, leaving businesses increasingly vulnerable to supply chain attacks.
The survey, based on insights from 200 Chief Information Security Officers (CISOs) across key US industries, underscores a growing crisis in third-party risk management. While a significant 60% of CISOs report a rise in breaches originating from their vendor ecosystems, a mere 15% claim to possess a comprehensive understanding of their exposure. This alarming statistic points to a systemic failure in assessing and mitigating the complex web of interconnected risks inherent in modern supply chains.
The Expanding Attack Surface: Why Third-Party Risk Matters
Third-party risk isn’t a new concern, but its complexity and potential impact are rapidly escalating. Organizations increasingly rely on a vast network of vendors, suppliers, and partners to deliver essential services and products. Each of these connections represents a potential entry point for malicious actors. A single vulnerability within a seemingly innocuous third-party provider can cascade into a catastrophic breach, impacting not only the organization itself but also its customers and partners.
Traditional Governance, Risk, and Compliance (GRC) platforms, while valuable for internal controls, are proving inadequate for the dynamic and interconnected nature of modern supply chains. As the report indicates, 61% of businesses have invested in GRC solutions, yet 66% find them ineffective in addressing external third-party risks. This disconnect forces security teams to rely on manual processes, increasing the likelihood of overlooked vulnerabilities and delayed responses.
Shadow AI: A New Frontier of Risk
The rapid adoption of Artificial Intelligence (AI) is introducing a new layer of complexity to the third-party risk landscape. The survey reveals that only 22% of CISOs have established formal vetting processes for third-party AI tools, leaving organizations exposed to “shadow AI” – unmanaged AI applications embedded within core environments. A staggering 60% of respondents identified shadow AI as a uniquely risky area, creating a significant blind spot for security teams.
What steps can organizations take to proactively address the risks posed by shadow AI within their supply chains? And how can security leaders balance the benefits of AI innovation with the need for robust security controls?
The GRC Plateau and the Rise of AI-Driven Solutions
CISOs are increasingly dissatisfied with their current compliance stacks, recognizing their limitations in managing the evolving threat landscape. While investment in GRC software is growing, its effectiveness is waning. This dissatisfaction is driving a shift towards AI-driven assessment tools, with adoption surging from 27% to 66% in the past year.
However, even with the adoption of AI, significant challenges remain. Despite progress, only 15% of CISOs report having full visibility into their software supply chains, leaving 85% operating with incomplete information. This lack of comprehensive visibility underscores the urgent need for more sophisticated and proactive risk management strategies.
Photo caption: Left to right: Panorays Co-founders Meir Antar (COO), Matan Or-El (CEO) and Demi Ben-Ari (Chief Strategy Officer)
“Our findings show that third-party security vulnerabilities aren’t going away – in fact, they’re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,” said Matan Or-El, founder and CEO of Panorays. “Meanwhile, it’s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.”
“The rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface,” Or-El continued. “CISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape.”
Frequently Asked Questions About Third-Party Cyber Risk
- What is third-party cyber risk?
  Third-party cyber risk refers to the potential for a security breach or disruption originating from an organization’s vendors, suppliers, or other external partners. These risks can stem from vulnerabilities in the third party’s systems, data security practices, or access controls.
- How can organizations improve their third-party risk management?
  Improving third-party risk management requires a comprehensive approach, including thorough vendor assessments, continuous monitoring, robust contracts with security clauses, and incident response planning. Utilizing AI-driven tools can significantly enhance visibility and automation.
- What role does AI play in third-party risk management?
  AI can automate many aspects of third-party risk management, such as vulnerability scanning, risk scoring, and continuous monitoring. AI-powered tools can also identify emerging threats and provide actionable insights to security teams.
- Why is visibility into the supply chain so critical?
  Visibility into the entire supply chain is essential for identifying and mitigating potential risks. Without a clear understanding of all interconnected parties, organizations are vulnerable to hidden threats and cascading breaches.
- Are traditional GRC platforms sufficient for managing third-party risk?
  Traditional GRC platforms often fall short in addressing the dynamic and complex nature of third-party risk. They typically lack the real-time monitoring and automated assessment capabilities needed to effectively manage a large and evolving network of vendors.
About the 2026 CISO Survey
The 2026 CISO Survey was conducted in October 2025 by Global Surveyz on behalf of Panorays. The survey included responses from 200 Chief Information Security Officers from US-based companies across the finance, insurance, professional services, technology, healthcare, and software development sectors.
About Panorays
Panorays is a global provider of third-party cybersecurity management software, serving over 1,000 customers worldwide. The company helps organizations optimize their defenses and proactively address emerging threats. Panorays is headquartered in New York and Israel, with offices globally, and is backed by leading investors including Aleph VC, Oak HC/FT, and Greenfield Partners. For more information, visit panorays.com or contact [email protected].
Disclaimer: This article provides general information about cybersecurity risks and should not be considered legal or financial advice.