Episode 98

Published on: 3rd Jun 2026

Third Party Risk in the Age of AI. A Spotlight on Black Kite

Your vendors are adopting AI faster than you can assess them. What does that mean for your third party risk?

Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim and in this Spotlight on Technology episode, I'm joined by Jeffrey Wheatman, Senior Vice President and Cyber Risk Strategist at Black Kite. Jeffrey previously spent over a decade as an analyst VP at Gartner where he launched their third party cyber risk management coverage.

Third party risk management used to be fairly straightforward. If finance was happy and legal had done their redlining, you signed the contract and moved on. That world is gone. Organisations are now dependent on layers of vendors, suppliers and service providers, and the chain goes deeper than most security teams can see. When a logistics company can go from operational to out of business in five months after a ransomware attack, and one incident at Jaguar Land Rover can measurably affect UK GDP, the question isn't whether third party risk matters. It's whether your programme can keep up.

This episode covers how the old model of spreadsheets and questionnaires is giving way to intelligence-led continuous monitoring, why AI has made the problem exponentially harder and how Black Kite is helping organisations cut through the complexity, from mapping supply chain connectivity and scoring ransomware susceptibility to cutting a 500-question vendor questionnaire down to 30.

Three key talking points:

  • You can't protect what you can't see: Most organisations know who their biggest vendors are. Beyond that, it gets murky fast. This episode gets into why even mature organisations still struggle to see past the first or second layer of their supply chain, why figuring out which vendors actually matter is harder than it sounds and why Jeffrey always tells people to solve their third party problem before worrying about their fourth.
  • AI just made your third party programme ten times harder: Your vendors are already using AI, whether they've told you or not. The person you're speaking to may not even know, because it could be embedded two or three layers down. Meanwhile the market is flooded with AI solution claims and attackers are using it to move faster than ever. This episode covers the three ways AI is complicating third party risk and why most organisations haven't even begun to get their AI governance right.
  • From questionnaires to continuous intelligence: The old model of sending out hundreds of questions, hoping for honest answers and filing the results is finished. This episode covers how the industry is moving from periodic assessment to continuous monitoring, why real data beats self-reported questionnaires and how platforms like Black Kite are helping organisations focus on the vendors that actually pose a risk.

If your third party risk programme is still running on spreadsheets and annual reviews, this episode will make you uncomfortable. And it should.

On why most organisations don't know which vendors matter most:

“I always badly paraphrase Animal Farm by George Orwell. All your vendors are equal, but some vendors are more equal than others. And most people don't really know how to figure that out.”

Jeffrey Wheatman

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

When a Vendor Goes Down, You Go Down With Them: We discuss why the conversation has shifted from data protection to operational resilience.

The Nth Party Problem: Most organisations can't see past the first or second layer of their supply chain. The web of interconnected vendors is far more complex than it looks – we talk about where to start if you haven't solved your third party basics yet.

Concentration Risk and Single Points of Failure: Heavy reliance on a handful of major cloud providers creates risks that can't easily be mitigated. We explore what you can realistically do about it.

Three Ways AI Is Complicating Third Party Risk: Discover why AI isn't just changing the threat landscape for your own organisation but fundamentally altering how you need to think about every vendor in your supply chain.

Shadow AI in Your Supply Chain: Learn why shadow AI in your vendor ecosystem is a growing risk when most organisations' AI governance isn't anywhere near ready to deal with it.

The AI Vendor Bubble: Find out why many AI companies are currently selling their services at a loss, and what this means for organisations that have built critical processes around vendors that might not survive when the economics catch up.

Moving Beyond Spreadsheets and Questionnaires: Find out why self-reported questionnaires and periodic assessments can't keep up anymore, and what's replacing them.

How Black Kite Approaches Third Party Risk: Explore what an intelligence-led approach to third party risk actually looks like in practice and why it's a fundamentally different model to what most organisations are used to.

The Ownership Problem: No two organisations agree on who owns third party risk. Find out why this inconsistency creates serious governance gaps and why it matters more than ever as the scope of the problem grows.

Resources Mentioned

Black Kite

Jeffrey Wheatman on LinkedIn

Black Kite's Third Party Risk podcast

K&P Logistics / Knights of the Old (ransomware case study)

Jaguar Land Rover (supply chain breach impact)

DORA (EU banking regulation)

MITRE ATT&CK

OpenFair (cyber risk quantification)

GA3 framework (Black Kite's AI governance add-on)

Threat Tracev (Black Kite's NetFlow-based offering)

RSA Conference

Project Glasswing / Mythos (Anthropic)

OpenAI Daybreak

All rights reserved. © Razorthorn Security LTD 2025

About the Podcast

Razorwire Cyber Security & InfoSec Insights
Real conversations helping cybersecurity professionals sharpen their insights, strategy & leadership skills.
Cybersecurity is evolving — and so should you. Razorwire brings the open conversations that give you the edge.

Welcome to the Razorwire podcast — your resource for practical advice, expert insights, and real-world conversations on cybersecurity, information security (InfoSec), risk management, governance, security leadership, human factors, and industry trends.

Our mission is to help you build a stronger cybersecurity career while supporting a dynamic, agile community of professionals committed to continuous improvement.

Each episode brings you actionable advice and real experiences from your host, James Rees — an information security specialist with over 25 years of experience — and from a range of respected guests across the cybersecurity industry. Together, we explore everything from technical strategies and compliance challenges to security culture, communication skills, and leadership development.

James Rees is the founder of Razorthorn Security, providing expert consultancy and testing services to a wide range of organisations, including many Fortune 500 companies. His practical, no-nonsense approach helps organisations manage cybersecurity risks effectively while strengthening resilience.

The Razorwire podcast is designed for cybersecurity professionals who want to stay ahead, sharpen their skills, and confidently respond to the challenges of today's evolving threat landscape. We believe collaboration is key to stronger security — and Razorwire gives you the conversations that help you achieve it.

For more information about us, or if you have questions you'd like discussed on the show, email podcast@razorthorn.com or visit www.razorthorn.com.