
The State of Third-Party Risk in 2025: 3 Trends to Reshape Your TPRM Strategy

Every year, Whistic surveys hundreds of Risk-Management and Information Security leaders to understand the trends, challenges, and opportunities that are actively shaping the third-party risk management (TPRM) industry. The TPRM Impact Report is a comprehensive overview and analysis of our survey findings—including stats and insights on everything from third-party breaches and resource allocation to vendor experience and AI. 

And the results are in for 2025.

The story that emerges this year is one of growing complexity for TPRM teams—more vendors, more stakeholders, greater demand, and stretched resources. The data reveals a widening gap between TPRM investment and impact, and the report shines a light on areas where processes are breaking down. But we also see an eagerness to innovate, with forward-looking teams adapting with new solutions and modernizing their approach to meet the moment. 

We’ve distilled this year’s report into three core trends (and maybe a bonus trend or two) that provide a snapshot of our industry. We’ll take a look at these key takeaways and what they mean for your business in 2025.  

But first, a word on how the Impact Survey is created. 

How is the TPRM Impact Report Built? 

Whistic collects survey data (in partnership with Centiment, who helps to identify qualified respondents and administers the survey) from a targeted community of Risk Management and Information Security leaders. Our survey targets nearly 50 unique aspects of TPRM strategy, tactics, and execution for a comprehensive view of each company’s approach. 

Here’s a quick profile for respondents to the 2025 survey:

  • 525 total respondents 
  • 100% have budgetary and decision-making authority over TPRM (C-Suite: 20%; VP: 8%; Director: 42%; Manager: 30%)
  • Each company surveyed has at least 500 employees (500-2,500 employees: 50%; 2,500-7,500 employees: 41%; 7,500+ employees: 9%) 
  • This survey is industry-agnostic

With this in mind, let’s move on to the key trends from this year’s report.

1. Vendor inventories are growing. So is vendor risk. 

For the third consecutive year, we found that companies are working with more vendors now than they did the previous year. In 2025, the average company in our survey works with 286 vendors—up by 21% versus last year.

That increased demand comes with increased risk. Of the companies we surveyed, 70% have experienced a data breach in the last three years, with 77% of those breaches originating with a third party. And breaches have never been more expensive: according to IBM’s 2024 “Cost of a Data Breach” report, such incidents cost a staggering $4.88M on average—a total that can be magnified by things like increased regulatory scrutiny, dings to the brand, and an erosion of consumer trust. 

It may seem like a numbers problem: more vendors = more risk. The size of your vendor inventory plays a role, but complexity is also a huge factor. The TPRM process has become lengthier (the average company in our survey spends 37.4 hours every week assessing vendors, an increase of 14 hours a week over last year) and more bespoke in an attempt to better address vendor risk factors. 

Paradoxically, this may hinder risk outcomes: more and more vendors find the assessment process too arduous, leading more and more buyers to cut corners on TPRM. The inefficient allocation of resources is also an issue, as 94% of companies say they would assess more vendors if they had the time and resources (we’ll talk more about this in the next section). 

The upshot of all this is that TPRM teams are falling behind both the demand from the business and the realities of vendor risk. 

2. The growing “value gap”: ROI of TPRM is under pressure.

The second major trend that emerges from this year’s impact report has to do with a widening gap between the costs of TPRM (in dollars, but also in time, overhead, and opportunity lost) and the business value of TPRM outcomes. This “value gap” means that companies are spending more time, more money, and more resources on TPRM, but still not meeting their own risk standards or reducing security events. 

Here are a few numbers that tell the story:

  • TPRM teams added an average of 3 full-time employees over the last year, at an average cost of $109K per FTE; that’s an investment of roughly $320K in headcount. 
  • 80% of companies plan on hiring again this year—but the cost has risen to $116K per FTE in 2025.
  • Yet 94% of companies aren’t assessing all the vendors they’d like because they don’t have the resources; 97% would do more in-depth assessments if they could.

As we mentioned earlier, in spite of all this investment, companies are spending more time on the assessment process than they were last year—not less. They are spending more money on headcount, but accepting more risk and experiencing more third-party related breaches. 

But their vendors aren’t faring much better. The average vendor in 2025 responds to 37.3 assessment requests each month, up from 29.5 per month last year. The total hours spent on assessment response is 179 each month—that’s one full-time employee workload, and then some. And 84% of assessment responses require additional follow-up, extending the timeline. 

In short, both sides of the TPRM process are losing the ROI battle. 

3. The future of TPRM is AI-first

Luckily, the last major trend from the 2025 Impact Report offers some hope of relief for overburdened TPRM teams: survey respondents agree overwhelmingly that AI is the single biggest factor that will shape the future of the industry. 

It’s emerging as a vital solution to the problems of scale and complexity that vex modern organizations because AI makes it possible to automate steps in the assessment process and eliminate the administrative overhead that slows down the process. 

There’s work to do on the AI front—only 4% of companies report being AI-first in their TPRM process, meaning that for the vast majority, AI is not yet fully integrated with their standard assessment workflows. But there are signs that AI adoption is accelerating:

  • 57% of companies are currently using AI in some capacity, while another 40% are currently testing it or plan to do so in the next 12 months. 
  • 94% of companies report they would be willing to use AI to summarize long documents like SOC 2 audit reports.
  • And on the vendor side, 69% believe AI will have a significant impact on the assessment response process this year. 

AI is currently being used to identify control gaps and required evidence in security documentation; summarize audit reports or standard questionnaires; and automatically answer some security queries. And it’s happening in a systematized way: 90% of companies now have an established policy for AI use, while 85% have a dedicated AI governance team in place. 

This signals a clear trend—AI is no longer a future aspiration but an urgent competitive differentiator.

Is your TPRM team ready for 2025 and beyond? 

If you’re like the companies we surveyed this year, you’re facing some difficult challenges in your TPRM process: increased demand, higher risks, and costly resources that still aren’t helping you meet your security, compliance, or growth goals. 

But knowing is half the battle. The full 2025 TPRM Impact Report is full of stats and analysis on the three trends we just discussed, as well as many others to help you benchmark the current state of your program and plan for the next step forward. You’ll also find helpful links to additional resources (and you can even schedule some time with the Whistic team, should the mood strike you). It’s like having an intimate conversation with 500 of your peers, all at the same time. 

Download your free copy of the Impact Report today. 
