
Building Vendor Trust in an Age of Digital Risk

In this exclusive Q&A, Ngaire Guzzetti, Technical Director at CyXcel, discusses the widening trust gap between enterprises and their vendors—and why it’s putting resilience on the line. From fragmented oversight to the rise of AI-driven threats, Guzzetti unpacks how organizations can rebuild trust, strengthen accountability, and modernize risk management in an increasingly interconnected world.



Your recent research found that a third of U.S. risk managers don’t fully trust their vendors to manage critical threats. Why is this trust gap widening, and what needs to change?


Many supply chains were built for speed and cost efficiency, not resilience. Over time, organizations outsourced more functions, from cybersecurity to AI governance, without always having the visibility to vet or oversee those partners properly. Our data shows that 33% of U.S. risk managers lack enough trust in vendors to handle their most critical risks, and 31% don’t have a clear grasp of the threats they’re accountable for managing.


That lack of internal understanding creates a domino effect. If you don’t know where your own vulnerabilities lie, you can’t meaningfully assess a partner’s reliability. The result is a fragile ecosystem where companies are essentially outsourcing blind. Building trust starts internally, with better data, governance, and communication across business functions, before it can extend outward to third parties and the ongoing supply chain.


Given that dependence on outside partners is increasing, how can organizations strengthen confidence in their vendor networks?


It starts with transparency and accountability. Companies need to move away from one-off vendor assessments and adopt continuous, intelligence-led validation. Think of vendor oversight less as a checklist and more as a living system that evolves with your business and threat landscape.


At the same time, internal teams must understand the difference between delegating responsibility and relinquishing it. Outsourcing risk management doesn’t mean outsourcing ownership. Clear internal accountability (who monitors, who verifies, who reports) is key to ensuring that third-party relationships actually strengthen rather than weaken resilience.


This is, of course, assuming basics are in place to avoid risks such as maverick spend and shadow IT.


Your research also shows that more than a quarter of U.S. businesses remain unprepared for AI-related risks. What’s behind that, and what’s at stake?


AI adoption has outpaced governance. We found that 27% of U.S. businesses only recently created their first AI risk strategy, and nearly a quarter still don’t have one at all. Many organizations see AI as a technology challenge when it’s really an enterprise-wide risk issue that spans privacy, ethics, intellectual property, and operational control.


Whilst AI adoption is now critical and can provide a wealth of benefits, without clear governance, companies open themselves up to issues like model manipulation, data poisoning, and deepfake-driven fraud. These aren’t hypothetical risks anymore. And because AI systems touch so many business processes, a single failure can cascade across multiple departments. The takeaway is that just like cybersecurity, AI security can’t be a siloed IT problem; it must be part of corporate risk strategy at the board level.


How are AI, cyber threats, and geopolitical instability reshaping enterprise risk today?


They’re converging in ways that are testing even mature organizations. Cybercriminals are using AI to automate and personalize attacks. Geopolitical conflict is spilling into cyberspace, targeting supply chains and critical infrastructure. Meanwhile, new regulations around incident reporting and data protection are raising the stakes for compliance failures.


This convergence means risk leaders can’t afford to manage in silos. Cybersecurity, legal, and operational teams need shared intelligence and a common language around risk.

Resilience is no longer just about having backups or insurance. It’s about having an adaptive framework that can anticipate, absorb, and recover from whatever comes next.


What practical steps can organizations take now to strengthen resilience, and how do you see digital risk management evolving over the next few years?


It starts with visibility. You can’t manage what you can’t see, so create a unified view of your digital ecosystem that includes vendors, assets, and dependencies. From there, build dynamic governance that connects cyber, legal, and operational risk functions, and regularly benchmark your controls against evolving standards like NIS2, DORA, and SEC guidance.


The next phase will be defined by accountability. Boards and regulators want proof of control, not just policies on paper. Organizations that treat resilience as a strategic function rather than a compliance exercise will outperform their peers. As visibility improves, trust will follow. When trust is created, the companies that truly understand their digital risks will be best positioned to build transparent, resilient partnerships for the future.
