Skip to content

Third Party Governance

The Third-Party Accountability Gap

January 1, 20265 min read

Vendor onboarding gets disproportionate attention: a security questionnaire, a data processing agreement, a risk score. It is the most visible part of third-party governance, and often the least consequential, since a vendor's risk profile at onboarding is rarely its risk profile eighteen months later.

The gap opens after signature. Ownership of the ongoing relationship is often unclear: procurement owns the contract, security owns the initial assessment, the business unit owns actual usage, and no one owns noticing drift. A subprocessor changes, a data flow expands, a control quietly lapses; none of it triggers review unless someone is assigned to look for it.

Closing the gap does not require a heavier onboarding process. It requires monitoring proportional to vendor criticality, and a named owner accountable for more than the initial paperwork.