While 60% of CISOs reported an increase in third-party security incidents, only 15% said they have full visibility into those risks, according to a Jan. 14 report from Panorays.
“Our findings show that third-party security vulnerabilities aren’t going away — in fact, they’re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,” said Matan Or-El, founder and CEO of Panorays. “Meanwhile, it’s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.”
Other important findings from the report, based on input from 200 CISOs, include:
- Preparedness is dangerously low: While 77% of CISOs see third-party risk as a major threat, Panorays found that only 21% have tested crisis response plans in place. This suggests that organizations are increasingly susceptible to prolonged outages, exposure of sensitive systems and financial losses in the event of a security breach, as well as compliance violation penalties.
- Most organizations are blind to vendors: Although 60% report rising third-party breaches, just 41% monitor risk beyond direct suppliers. CISOs face massive observability gaps, as they’re only watching the front door.
- Shadow AI creates new attack paths: Despite rapid AI adoption, only 22% of CISOs have formal vetting processes, leaving unmanaged third-party AI tools embedded in core environments. Teams are adopting black-box AI tools faster than security teams can keep up, with 60% of respondents identifying shadow AI as uniquely risky.
Bruce Jenkins, chief information security officer at Black Duck, said the visibility gap is the story. If 60% of CISOs are seeing more third-party incidents, while only 15% have full line-of-sight into third-, fourth-, and deeper-tier relationships, Jenkins said it means we are still managing supply chain risk with imperfect risk maps.
“The mandate for 2026 is continuous, evidence-based oversight beyond direct vendors so that blind spots in the nth-party ecosystem do not become tomorrow’s headlines,” said Jenkins. “From our vantage point in software security, one of my team’s responsibilities is to turn ‘visibility’ into verifiable facts. That means replacing static questionnaires with living signals such as SBOMs we can trust, binary analysis when source is unavailable, and ASPM-style continuous monitoring — so we are able to identify and remediate third-party risks before they become security incidents.”
Amir Khayat, co-founder and CEO of Vorlon, said the Panorays numbers match what he sees in SaaS environments. CISOs can count their vendors, but Khayat said they can’t reliably track the access paths vendors use day-to-day.
“Most teams don’t have a dependable inventory of OAuth grants, service accounts, and integrations across their SaaS stack,” said Khayat. “That makes incident scoping slow and revocation messy. When a third party gets abused, the first hours matter.”
Khayat said security teams need to answer three questions fast: which integration was used, what it could access, and what data moved. If the logs are fragmented across apps or access was granted through long-lived tokens, Khayat said teams lose time and take broader shutdown actions than they should.
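As an added illustration of Khayat’s three scoping questions (which integration was used, what it could access, what data moved), the script below runs them against a constructed OAuth-grant inventory and a constructed, already-normalised audit log; it is example code, not Vorlon’s or Panorays’ tooling, and the app names, scopes and events are invented.

```python
"""Scope an abused third-party SaaS integration from a grant inventory plus audit events."""
from collections import defaultdict

# Constructed OAuth grant inventory: one row per (app, principal, scope set).
# "expires" is None for a long-lived token that never rotates on its own.
GRANTS = [
    {"grant_id": "g-101", "app": "ReportBot", "principal": "svc-reportbot@example.com",
     "scopes": ["files.read", "files.export"], "expires": None},
    {"grant_id": "g-102", "app": "CalendarSync", "principal": "alice@example.com",
     "scopes": ["calendar.read"], "expires": "2026-03-01T00:00:00"},
    {"grant_id": "g-103", "app": "ReportBot", "principal": "svc-reportbot@example.com",
     "scopes": ["users.read"], "expires": "2026-01-20T00:00:00"},
]

# Constructed audit events from several SaaS apps, already mapped to one shape.
# In practice this normalisation step is where fragmented logs cost time.
EVENTS = [
    {"ts": "2026-01-14T09:02:11", "grant_id": "g-101", "action": "files.export",
     "object": "Q4-forecast.xlsx", "bytes": 2_400_000},
    {"ts": "2026-01-14T09:05:40", "grant_id": "g-102", "action": "calendar.read",
     "object": "alice/calendar", "bytes": 12_000},
    {"ts": "2026-01-14T09:07:03", "grant_id": "g-101", "action": "files.read",
     "object": "board-deck.pdf", "bytes": 900_000},
    {"ts": "2026-01-14T09:09:55", "grant_id": "g-103", "action": "users.read",
     "object": "directory", "bytes": 50_000},
]


def scope_incident(app, grants=GRANTS, events=EVENTS, window_start=None, window_end=None):
    """Answer the three questions for one abused app: which grants it holds
    (the precise revocation set), what they could access (union of scopes),
    and what data actually moved (bytes per object inside the time window)."""
    affected = [g for g in grants if g["app"] == app]
    ids = {g["grant_id"] for g in affected}
    # ISO-8601 timestamps compare correctly as strings.
    moved = [e for e in events if e["grant_id"] in ids
             and (window_start is None or e["ts"] >= window_start)
             and (window_end is None or e["ts"] <= window_end)]
    per_object = defaultdict(int)
    for e in moved:
        per_object[e["object"]] += e["bytes"]
    return {
        "revoke": sorted(ids),  # only this app's grants, not a blanket shutdown
        "could_access": sorted({s for g in affected for s in g["scopes"]}),
        "long_lived": sorted(g["grant_id"] for g in affected if g["expires"] is None),
        "data_moved": dict(per_object),
        "bytes_total": sum(per_object.values()),
    }


if __name__ == "__main__":
    print(scope_incident("ReportBot"))
```

Grants listed under `long_lived` are the ones that stay valid until explicitly revoked, so they belong at the top of the revocation list.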