  • Risk Management
  • Agentic AI
  • 14th May 2026
  • 1 min read

Agentic AI Vendor Monitoring: Continuous TPRM

Written by Gabriel Few-Wiegratz
In Short
  • Annual vendor assessments no longer reflect real-world risk — Vendor security posture, financial health, certifications, and breach exposure can change weekly, while most TPRM programmes still operate on yearly review cycles.
  • Agentic AI enables continuous vendor monitoring — AI systems now ingest breach alerts, questionnaire updates, certification status, financial indicators, and contractual events in real time, automatically re-scoring vendors and triggering reassessment workflows when thresholds are breached.
  • DORA and NIS2 both require ongoing supplier oversight — Continuous monitoring operationalises DORA Article 28 and NIS2 Article 21 by making third-party risk assessment dynamic, proportionate, and auditable across the full vendor lifecycle.
  • Critical decisions still require human approval — AI can monitor, classify, escalate, and prepare documentation, but risk acceptance, vendor exit decisions, and regulatory notifications remain the responsibility of named risk and compliance owners.

The organisations getting the most value from agentic TPRM are not replacing vendor risk teams — they are removing the manual monitoring, triage, and coordination work that prevents those teams from scaling effectively across large supplier estates.

Introduction

Third-party risk management runs on a calendar that has stopped working. Vendor estates grow into the hundreds or thousands, signals of risk change daily, and the annual questionnaire cycle leaves most of the estate running on stale data at any given moment. Agentic AI, software that runs multi-step workflows autonomously, monitors vendor risk signals continuously, scores changes in real time, and escalates to a human reviewer when material risk shifts occur. This article documents which signals the system monitors, what stays a human decision, and how continuous monitoring discharges DORA Article 28 and NIS2 supply-chain obligations.

What our experts say about continuous vendor monitoring

“What I see most often is that the monitoring is fine but the thresholds are wrong. Teams plug in the signal feeds, the agent does its job, and within a month the risk team is buried in low-priority alerts they have to acknowledge anyway. The work that pays off is doing the threshold-tuning before go-live, with the actual risk owners in the room. The agent is only as useful as the threshold logic it runs against.”

Matt Davies, Chief Product Officer, SureCloud

Why TPRM Is Broken at Scale

The traditional TPRM cycle runs on annual questionnaires. A vendor completes an assessment, usually a SIG (Standardised Information Gathering questionnaire) or CAIQ (Consensus Assessments Initiative Questionnaire, the Cloud Security Alliance's standard assessment tool); an analyst reviews it, produces a risk score, and files it. The next review is scheduled for twelve months later. Between those two points, the vendor could experience a significant breach, lose a key certification, suffer financial deterioration, or quietly change a security practice it previously attested to.


For organisations with a small vendor estate, this is manageable. For those managing hundreds of critical suppliers, as any large financial institution does, the annual cycle leaves most of the estate running on stale data at any given moment.


Regulatory pressure is tightening this. DORA (the EU Digital Operational Resilience Act, EU Regulation 2022/2554) came into force on 17 January 2025; its Article 28 requires firms to maintain a register of all ICT third-party service providers and to conduct risk assessments proportionate to the criticality of the service provided. DORA Article 30 sets contractual requirements for ICT services, including provisions on monitoring, audit rights, and access to information relevant to ICT risk. NIS2 (the EU Network and Information Security Directive 2), which member states were required to transpose by October 2024, lists supply chain security in Article 21 as an explicit obligation for essential and important entities.

What Signals Agentic AI Monitors

A continuous vendor monitoring system ingests signals from multiple source categories, building on the wider pattern of AI applied across GRC. Monitoring is only as rich as the set of signal types the system is connected to; each category below adds coverage the others cannot supply.


Questionnaire and Self-Assessment Responses

When a vendor updates a periodic self-assessment or completes a triggered re-assessment, the agent processes the new responses against the prior submission. Material changes, such as a vendor previously confirming MFA (Multi-Factor Authentication) enforcement across all privileged accounts now indicating exceptions, or a change in data residency, are flagged immediately rather than waiting for an analyst to spot them during the next scheduled review.


Breach and Incident Alerts

The agent monitors structured threat intelligence feeds and public breach disclosure sources. When a vendor is named in a reported breach, ransomware incident, or regulatory enforcement action, the agent logs the event, cross-references against the vendor risk register, re-scores the vendor's risk profile to reflect the new information, and notifies the assigned risk owner. For a critical ICT third-party provider under DORA Article 28, this triggers an immediate re-assessment workflow rather than a notification on its own.


Certification and Regulatory Status

Vendors frequently attest to holding specific certifications: ISO 27001:2022 certification, SOC 2 (Service Organisation Control 2) Type II reports, or Payment Card Industry Data Security Standard (PCI DSS) compliance. The agent monitors public certification databases and vendor-supplied documentation for expiry dates and lapses. A certification that expires without renewal is flagged as a risk change. Where the certification underpins a contractual obligation, the agent routes the flag to the vendor owner for action.


Financial Health Indicators

For critical suppliers, financial deterioration is a material risk. The agent can monitor publicly available financial signals: credit rating changes, company filings, and significant adverse news coverage. A vendor entering administration or facing significant litigation that could affect service continuity is flagged for immediate review.


Contractual Trigger Events

Contract terms often include clauses that require vendor notification of specific events: sub-processor changes, changes to data handling practices, and significant personnel changes in key roles. The agent tracks these obligations and flags where a vendor has missed a contractually required notification within the specified period.

What the System Does vs What the Human Decides

The table below maps each action in a continuous monitoring workflow against whether the system handles it autonomously or whether a human accepts, decides, or signs off. The agent classifies and escalates; a human accepts or rejects.


Action | System | Human
--- | --- | ---
Monitor vendor signals continuously | Yes, automated |
Re-score risk profile on new signal | Yes, automated |
Flag material change for review | Yes, automated |
Trigger re-assessment workflow | Yes, automated on threshold breach | Approves threshold configuration
Send re-assessment questionnaire to vendor | Yes, automated |
Process questionnaire response | Yes, automated |
Escalate to risk owner | Yes, automated |
Accept or reject updated risk score | No | Risk owner reviews and confirms
Decide on vendor status (continue, restrict, exit) | No | Senior risk owner or procurement lead
DORA Article 28 critical provider assessment | Prepares documentation and flags | Authorised senior individual signs off
Regulatory notification of critical provider exit | Prepares draft | Compliance lead approves and submits

How Continuous Monitoring Addresses DORA and NIS2 Requirements

DORA Article 28: ICT Third-Party Risk Management

DORA Article 28 requires in-scope financial entities to implement a documented ICT third-party risk management policy. This includes maintaining an up-to-date register of all ICT third-party service providers, conducting pre-engagement risk assessments, and implementing ongoing monitoring of providers throughout the contract lifecycle. The article specifies that monitoring is proportionate to the criticality of the service, which means higher-frequency, more intensive monitoring for critical providers. SureCloud's DORA compliance framework sets out the register, ongoing monitoring, and contractual provisions in one place.


Agentic continuous monitoring directly operationalises the ongoing monitoring obligation. The register is maintained dynamically as vendors are added and removed. Risk assessments are updated when signals indicate a change in the vendor's risk profile rather than on a fixed annual cycle. Critical providers receive enhanced monitoring coverage automatically based on their classification in the register.


NIS2 Article 21: Security Measures for Essential and Important Entities

NIS2 Article 21(2)(d) specifically includes supply chain security among the minimum security measures that essential and important entities must implement. Entities must assess the security practices of their direct suppliers and, where relevant, their suppliers' supply chains. A continuous monitoring programme that tracks vendor security posture, certification status, and incident history provides the documented, ongoing assessment that this obligation requires.

What You Need in Place Before It Works

Agentic vendor monitoring is only as good as the infrastructure supporting it. Three conditions need to be in place before deployment delivers value.


A clean, complete vendor register. The agent monitors what it knows about. Organisations frequently have shadow vendor relationships (services procured by business units without formal TPRM engagement) that will be invisible to the system. A vendor discovery exercise should precede deployment.


Vendor classification by criticality. DORA Article 28 and sound risk practice both require that monitoring intensity is proportionate to criticality. The agent needs a classification scheme (for example critical, important, standard) to apply the appropriate monitoring frequency and escalation thresholds. This classification must be maintained as vendor relationships evolve.


Defined risk thresholds and escalation rules. The agent triggers workflows when a risk score crosses a defined threshold. Those thresholds need to be set deliberately. A threshold set too low generates alert fatigue; set too high, it misses material changes.
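The following is an added example, not SureCloud's code or any product's scoring model, that ties the three preconditions to the re-scoring and routing described earlier: a criticality-tiered register, thresholds that are proportionate to the tier, and a system that classifies and escalates while the updated score waits for a human to accept or reject. The signal categories, tiers and routing come from the article; the numeric weights, thresholds, vendor names and function names (`apply_signal`, `count_reassessments`) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Criticality tiers named in the article; the thresholds and signal weights
# below are constructed for this example (a lower threshold escalates sooner).
REASSESS_THRESHOLD = {"critical": 30, "important": 50, "standard": 70}
SIGNAL_WEIGHT = {  # signal categories from the article
    "breach_disclosure": 40,
    "certification_lapse": 25,
    "financial_deterioration": 30,
    "missed_contract_notification": 15,
    "questionnaire_material_change": 20,
}
# Routing from the article's table: critical vendors escalate to a senior risk owner.
ESCALATE_TO = {"critical": "senior_risk_owner", "important": "vendor_owner", "standard": "vendor_owner"}

@dataclass
class Vendor:
    name: str
    criticality: str
    score: int = 0  # accumulated open-risk score, capped at 100
    pending_human_review: list = field(default_factory=list)

def apply_signal(vendor: Vendor, signal: str) -> dict:
    """Re-score a vendor on one new signal and decide what the system does.
    The system only classifies and escalates: the updated score is queued for
    the risk owner to accept or reject, never applied as final."""
    if signal not in SIGNAL_WEIGHT:
        raise ValueError(f"unknown signal type: {signal}")
    vendor.score = min(100, vendor.score + SIGNAL_WEIGHT[signal])
    # A breach naming a critical provider re-assesses immediately, whatever the
    # score; any other signal re-assesses only when the tier threshold is crossed.
    immediate = vendor.criticality == "critical" and signal == "breach_disclosure"
    if immediate or vendor.score >= REASSESS_THRESHOLD[vendor.criticality]:
        system_action = "trigger_reassessment"
    else:
        system_action = "flag_for_review"
    event = {"vendor": vendor.name, "signal": signal, "score": vendor.score,
             "system_action": system_action,
             "escalate_to": ESCALATE_TO[vendor.criticality],
             "human_decision": "accept_or_reject_updated_score"}
    vendor.pending_human_review.append(event)
    return event

def count_reassessments(vendors: list, stream: list) -> int:
    """Replay a (vendor name, signal) stream and count the re-assessments it
    triggers: the alert volume risk owners should tune thresholds against."""
    by_name = {v.name: v for v in vendors}
    return sum(apply_signal(by_name[name], sig)["system_action"] == "trigger_reassessment"
               for name, sig in stream)
```

Replaying a month of historical signals through `count_reassessments` with candidate thresholds, before go-live and with the risk owners present, is the threshold-tuning step the expert quote above refers to.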


FAQs

What is the difference between periodic TPRM and continuous vendor monitoring?

Periodic TPRM assesses vendors at defined intervals, usually annually. Continuous monitoring ingests risk signals in real time and updates vendor risk scores whenever new information is available. The practical difference is that a vendor breach or certification lapse is visible within hours in a continuous monitoring system, rather than at the next annual assessment. Regulatory frameworks including DORA Article 28 expect monitoring to be ongoing.

Can the agent contact vendors directly to request information?

Yes, within defined parameters. An agentic TPRM system can send triggered re-assessment questionnaires to vendors automatically when a threshold breach or material signal warrants an updated assessment. The questionnaire is sent from the platform, responses are processed automatically, and changes are flagged for analyst review. The analyst is freed from initiating outreach manually.

How does the system handle vendors who don't respond to re-assessment requests?

Non-response within a defined period triggers an escalation workflow. The agent notifies the vendor owner, records the non-response event in the risk register, and escalates to a senior risk owner if the vendor is classified as critical. For DORA Article 28 critical ICT providers, persistent non-response may trigger a contractual breach notification. The agent prepares the documentation, and a compliance lead reviews and approves before it is sent.

Does agentic TPRM replace the need for vendor security questionnaires?

Questionnaires remain a core input. Many risk attributes, including internal security controls, data handling practices, and sub-processor arrangements, are invisible through external signals alone. What changes is frequency and trigger logic: rather than sending a questionnaire annually regardless of risk status, the agent triggers re-assessments when signals indicate a material change. Vendors with a stable, clean risk profile receive fewer touchpoints; those showing risk indicators receive more.

What regulatory obligation requires firms to monitor vendor financial health?

DORA Article 28 requires firms to manage ICT third-party risk on an ongoing basis, with monitoring proportionate to the criticality of the service. Where a provider's situation changes in ways that could affect service continuity, including financial deterioration of a critical ICT provider, those changes are grounds for re-assessment and contract termination. The EBA Guidelines on ICT and security risk management (EBA/GL/2019/04, as amended by EBA/GL/2025/02 in May 2025) carry forward the supervisory expectations for institutions still in scope.

“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”

Read more on how Mollie achieved a data-driven approach to risk and compliance with SureCloud.
