Agentic AI and Third-Party Risk: Your TPRM Framework Was Never Built for Software That Acts on Its Own

Around 80% of organizations have already seen AI agents behave badly — including unauthorized system access and improper data exposure. Meanwhile, the SaaS vendors you already use are switching agents on by default. SOC 2 reports say nothing about what an agent does at runtime.

Hari Asok April 25, 2026 Ghost Watch

Third-party risk management was designed for vendors and the systems they run. It was not designed for autonomous software actors that make their own decisions inside those systems. As enterprise vendors switch AI agents on by default, that gap is becoming the most under-assessed exposure in many financial firms' vendor portfolios.

Why it matters

The agents are already misbehaving, and they are already inside relationships firms thought they had assessed. A briefing developed with Stanford's Trustworthy AI Research Lab and input from more than 40 security executives reported that 80% of organizations surveyed had experienced risky agent behaviors — including unauthorized system access and improper data exposure — while only 21% of executives reported complete visibility into agent permissions, tool usage, or data access patterns.

The structural mismatch

TPRM frameworks classify risk by vendor relationship type and lean on standard instruments: SOC 2 reports, security questionnaires, penetration testing. None of these assesses agent behavior at runtime. A single SaaS vendor can now deploy dozens of agents with varying access scopes and autonomy levels, well beyond what any quarterly vendor review can track.

A CSA/Token Security survey published April 21, 2026 found that 82% of enterprises have unknown AI agents running in their IT infrastructure, and only 21% have formal decommissioning processes in place.

The contrarian read

The danger is not the agent breaking in — it is the agent being invited in. Agents authenticate with real credentials and broad, persistent access rather than scoped, time-limited permissions, often using shared static API keys that make it impossible to attribute an action to a specific agent. The threat is not a stranger at the perimeter. It is a trusted, over-permissioned actor already operating inside the estate.

What's next

Give agents their own seat in the TPRM taxonomy. Four minimums worth treating as non-negotiable in any vendor agreement that includes AI agents: documented agent scope; an agent identity register; runtime logging the firm can obtain and review; and the right to terminate agent access independently of the broader vendor relationship — a kill switch that does not require unwinding the entire contract.
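
The register, scope and logging minimums become useful once the firm reconciles the vendor's runtime log against the register. The sketch below is an added example, not code from this article or from any vendor: it audits constructed log lines against a constructed agent identity register, and every field name, credential label and agent name in it is a hypothetical assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed agent identity register (hypothetical schema, not a vendor format).
REGISTER = [
    {"agent_id": "invoice-bot", "credential": "key-A",
     "scope": {"invoices:read"}, "revoked_at": None},
    {"agent_id": "triage-bot", "credential": "key-B",
     "scope": {"tickets:read", "tickets:write"}, "revoked_at": "2026-04-20T00:00:00"},
    # Two agents behind one static key: actions cannot be attributed to either.
    {"agent_id": "summary-bot", "credential": "key-S",
     "scope": {"docs:read"}, "revoked_at": None},
    {"agent_id": "export-bot", "credential": "key-S",
     "scope": {"docs:read"}, "revoked_at": None},
]

# Constructed runtime log lines: (timestamp, credential used, action performed).
LOG = [
    ("2026-04-21T09:00:00", "key-A", "invoices:read"),
    ("2026-04-21T09:05:00", "key-A", "payments:write"),
    ("2026-04-21T09:10:00", "key-B", "tickets:read"),
    ("2026-04-21T09:15:00", "key-S", "docs:read"),
    ("2026-04-21T09:20:00", "key-X", "crm:export"),
]

def audit(register, log):
    """Return (timestamp, credential, finding) for every log line that fails a check."""
    by_cred = defaultdict(list)
    for entry in register:
        by_cred[entry["credential"]].append(entry)
    findings = []
    for ts, cred, action in log:
        owners = by_cred.get(cred, [])
        if not owners:                      # agent the register does not know about
            findings.append((ts, cred, "UNREGISTERED_AGENT"))
            continue
        if len(owners) > 1:                 # shared key: scope checks are meaningless
            findings.append((ts, cred, "SHARED_CREDENTIAL"))
            continue
        agent = owners[0]
        revoked = agent["revoked_at"]
        if revoked and datetime.fromisoformat(ts) >= datetime.fromisoformat(revoked):
            findings.append((ts, cred, "ACTIVE_AFTER_REVOCATION"))  # kill switch failed
        if action not in agent["scope"]:    # outside the documented agent scope
            findings.append((ts, cred, "OUT_OF_SCOPE"))
    return findings

if __name__ == "__main__":
    for finding in audit(REGISTER, LOG):
        print(*finding)
```

A shared credential is reported before any scope check because, without one key per agent, the log cannot say which agent's documented scope applies.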
