Procurement Mandate

Gartner warns AI-driven questionnaires may undermine third-party cyber risk accuracy

Thursday, 23 April 2026 1:10PM UTC

As generative AI streamlines third-party questionnaires, Gartner cautions that increased automation could deepen inaccuracies and obscure true risks, urging a shift to real-time monitoring for effective cyber resilience.

Generative AI is beginning to change the mechanics of third-party cyber risk management, but the shift is not automatically an improvement. What looks like a faster way to draft, send and assess vendor questionnaires can also weaken the quality of the answers organisations rely on to judge risk.

That tension sits at the centre of Gartner's latest thinking on third-party cyber risk management. In its Predicts 2026 research, the firm says GenAI will become deeply embedded in questionnaire workflows, with both vendors and customers using it to complete and review assessments. By 2028, Gartner expects the majority of organisations and suppliers to be using GenAI on both sides of the process. The promise is obvious: quicker onboarding, lighter admin and less pressure on already stretched security teams.

But Gartner's warning is equally clear. When AI-written responses are passed into AI-based review tools, inaccuracies can multiply rather than disappear. The result is not just the occasional wrong answer, but a gradual deterioration in the usefulness of the output itself. In practical terms, more automation can produce more noise, while obscuring the difference between a polished response and an accurate one.

That matters because questionnaires were never a strong foundation for third-party assurance in the first place. They are snapshots, not live assessments. They capture what a supplier says about its controls at a particular moment, often in language shaped to satisfy policy or win business rather than expose genuine weaknesses. In fast-moving supply chains, where relationships, systems and dependencies change constantly, that static model has always left a gap between declared and actual risk.

GenAI risks widening that gap. If organisations can generate and process questionnaires at scale with far less human involvement, they may end up multiplying a weak control rather than replacing it with a better one. The appearance of efficiency can be misleading if the underlying method still depends on self-reported information that may already be out of date by the time it is reviewed.

Gartner argues that this is why chief information security officers will increasingly treat questionnaires as a compliance exercise rather than a serious security control. The real focus, the firm says, will move towards in-flight visibility: monitoring third-party relationships as they operate, spotting changes earlier and responding before issues become incidents.

That view fits a broader pattern in Gartner's 2026 cybersecurity agenda. In a separate briefing this year, the company highlighted agentic AI, AI-driven security operations and the need for stronger governance as key themes shaping the sector. It has also predicted that AI applications will drive a large share of incident response work by 2028, reinforcing the idea that security teams will use AI most effectively when it supports detection, prioritisation and escalation rather than simple administrative throughput.

The same logic is appearing in Gartner's guidance on third-party cyber resilience, where the emphasis is on direct monitoring, targeted controls and contingency planning. The message is that organisations need to understand not just what a vendor claims on paper, but how that supplier behaves in practice and how quickly the customer can react when conditions change.

None of this means GenAI has no role in third-party risk programmes. Used carefully, it can help teams handle repetitive tasks, surface patterns across large vendor populations and direct attention towards the most material issues. It can also reduce time spent on low-value work, freeing specialists to focus on judgement, investigation and response.

The danger is in using AI to accelerate a process that was already limited. If organisations simply automate the questionnaire model, they may move faster without becoming safer. The stronger approach, Gartner suggests, is to combine AI with continuous monitoring and lifecycle-based risk management, so that technology supports resilience instead of just increasing volume.

In that sense, the real test for third-party cyber risk management in the AI era is not how many questionnaires can be completed, but how well an organisation can see risk as it emerges.

Source: Noah Wire Services

More on this

https://blog.riskrecon.com/genai-and-third-party - Please view link - unable to able to access data
https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026 - Gartner's report highlights six key cybersecurity trends for 2026, including the rise of agentic AI, global regulatory volatility, post-quantum computing, AI-driven SOC solutions, and the need for AI governance. It emphasizes the importance of cybersecurity leaders adapting to these trends to enhance resilience and resource allocation.
https://www.gartner.com/en/newsroom/press-releases/2026-03-17-gartner-predicts-ai-applications-will-drive-50-percent-of-cybersecurity-incident-response-efforts-by-2028 - Gartner predicts that by 2028, AI applications will drive 50% of cybersecurity incident response efforts, highlighting the rapid evolution of AI in security operations. The report advises security leaders to integrate AI into their strategies to effectively manage emerging threats.
https://www.gartner.com/en/conferences/na/security-risk-management-us/sessions/detail/4513651-Plan-for-the-Worst-Integrate-Third-Party-Cyber-Risk-Management-Into-Your-Cyber-Resilience-Strategy - This session at the Gartner Security & Risk Management Summit discusses integrating third-party cyber risk management into cyber resilience strategies. It emphasizes the need for organizations to strengthen their cyber resilience posture through targeted controls, direct monitoring, and contingency planning.
https://www.gartner.com/en/conferences/apac/security-risk-management-australia/featured-topics/third-party-risk-management - Gartner's featured topic on third-party cybersecurity risk management addresses the challenges organizations face as they expand their digital footprint. It provides insights into assessing, monitoring, and mitigating third-party cyber risks to safeguard digital ecosystems.
https://www.techradar.com/pro/governing-the-hidden-risks-of-generative-ai-in-the-enterprise - This article explores the growing reliance on generative AI in business operations and the urgent need for stronger governance to mitigate associated risks. It discusses concerns like security, data leakage, and reputational damage, emphasizing the importance of human oversight and continuous model evaluation.
https://www.itpro.com/security/supply-chain-and-ai-security-in-the-spotlight-for-cyber-leaders-in-2026 - The article highlights the growing cybersecurity challenges driven by AI and supply chain vulnerabilities. It discusses the surge in AI-related security threats and the need for organizations to shift from static compliance to dynamic, ecosystem-focused risk management to bolster resilience.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 7

Notes: The article was published on April 22, 2026, which is recent. However, it references Gartner's 'Predicts 2026' research, indicating that the core content may be based on earlier reports. The RiskRecon blog is a corporate blog, which may lead to concerns about content originality and potential biases. Additionally, the article discusses the integration of generative AI into third-party risk management, a topic that has been covered in various forms over the past year, raising questions about the novelty of the insights presented.

Quotes check

Score: 6

Notes: The article includes direct quotes from Gartner analysts, such as Aaron Lord and Christopher Mixter. While these quotes are attributed, they cannot be independently verified without access to the original Gartner reports, which are behind a paywall. This lack of verifiability raises concerns about the authenticity and accuracy of the quotes.

Source reliability

Score: 5

Notes: The primary source is RiskRecon's corporate blog, which may have inherent biases and is not an independent news outlet. The article references Gartner's 'Predicts 2026' research, but access to the full reports is restricted due to paywalls, limiting the ability to verify the information. This reliance on a single, potentially biased source diminishes the overall reliability of the content.

Plausibility check

Score: 7

Notes: The article's claims about the integration of generative AI into third-party risk management align with current industry trends. However, the specific predictions and figures cited are based on Gartner's proprietary research, which cannot be independently verified due to paywalls. This lack of verifiability raises questions about the accuracy and credibility of the claims made.

Overall assessment

Verdict (FAIL, OPEN, PASS): FAIL

Confidence (LOW, MEDIUM, HIGH): MEDIUM

Summary: The article presents claims about the integration of generative AI into third-party risk management, citing Gartner's 'Predicts 2026' research. However, the reliance on paywalled content and unverifiable quotes from Gartner analysts raises significant concerns about the content's originality, accuracy, and independence. Given these issues, the article does not meet the necessary standards for publication.

Cybersecurity
AI
Third-party risk management