Matan Or-El is the CEO and co-founder of Panorays, an AI-enhanced platform that helps companies to identify and manage cybersecurity vulnerabilities caused by suppliers and partners. A serial entrepreneur and an expert in third-party security, Or-El has served at the helm of Panorays since 2018.
Panorays recently released the 2026 edition of its annual CISO Survey for Third-Party Cyber Risk Management Priorities, revealing some alarming gaps in security executives’ ability to map out and manage their vulnerabilities. As Or-El explains here, these visibility gaps are all the more troublesome given the rapid adoption of AI tools in the workplace, which represent new types of risk.
Is It True That Supply Chain Cyber Risk Is Only Applicable To Software Development Teams?
Not at all. That may have been the narrative in the past, but today it has shifted to become fundamentally a business continuity issue.
Our Panorays CISO Survey for 2026 found that 60% of organisations experienced an increase in third-party incidents over the past year. What keeps CISOs and executives up at night isn’t only whether the business is well protected from a security perspective, but whether the business can keep operating when a critical vendor fails. When a cloud provider suffers an outage or a breach, a logistics partner is compromised, or a payroll processor is unavailable, operational paralysis spreads quickly.
This shows that the issue is no longer just a technical problem, but rather an existential one.
This is why we talk about operational resilience rather than just cybersecurity. The question isn’t simply “Is this software secure?” It’s “Can this dependency withstand disruption, and can my business continue to function?”
Regulatory trends, such as DORA, reinforce this perspective by mandating that organisations map dependencies and demonstrate operational continuity. In 2026, supply chain cyber risk is a boardroom-level concern because of its overall impact on revenue, operations, and reputation, not just IT systems.
Why Do You Think So Many Security Teams Lack Visibility Into Their Vulnerabilities?
The lack of visibility is less about technical sprawl and more about the evolving nature of the ecosystem and the limitations of traditional tools. Our survey found that 85% of organisations do not have full visibility into their third, fourth, or Nth-party dependencies. It’s not simply because teams don’t care, but rather because the traditional mechanisms for discovering risk are no longer effective.
Shadow IT has always been a challenge, but in 2026, it has evolved into Shadow AI. Departments across the organisation are adopting AI tools independently, in ways that often bypass IT and security. These tools may have access to sensitive data outside corporate controls.
At the same time, legacy GRC platforms and spreadsheets are ineffective for mapping continuously evolving supply chains. They provide static snapshots when digital ecosystems change hourly.
And then there’s the human element. When an organisation turns on the lights and discovers thousands of previously unknown Nth-party vendors, it suddenly inherits accountability for that risk. Most teams are already stretched thin, which creates a natural tension between focusing on what is visible and hoping for the best, and investing in automated tools to make the unseen manageable.
Panorays’ approach is to combine AI-driven monitoring with business context, so visibility is actionable rather than overwhelming. This allows teams to prioritise the risks that truly matter to the business, not just to the IT department.
Why Is It Necessary To Have A Response Plan That’s Specific To Nth-Party Breaches?
Think of your organisation as a house in a neighbourhood. Your direct vendors are your immediate neighbours. The extended supply chain (fourth parties, fifth parties, and beyond) is the neighbourhood. A traditional incident response plan is like fireproofing your own house and checking whether your neighbours have smoke detectors. That protects you from immediate, localised risks.
But 44% of incidents now originate from Nth-party vendors. If a house three doors down catches fire, and the wind is blowing, the flames don’t stop at the property line. This is what we call cascading failure. When a major cloud provider experiences a breach or outage, dozens of vendors and customers are affected all at the same time.
A standard incident response plan can handle isolated events. It isn’t designed for the whole system to collapse. An Nth-party response plan requires organisations to map critical parts in the supply chain, understand which vendors share dependencies, and develop alternative continuity options. Without this, you are essentially waiting for the neighbourhood to burn and then scrambling to figure out who is affected.
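The dependency mapping this answer calls for, as an added example that is not Panorays' code: a small Python graph analysis over constructed vendor data that computes which business processes a given Nth-party failure would take down (the blast radius) and which upstream suppliers are shared across processes, i.e. the cascading-failure points a response plan needs a fallback for. All process names, vendor names and edges are constructed.

```python
"""Blast radius and shared dependencies over a constructed vendor graph (added example, not Panorays' code)."""
from collections import defaultdict, deque

# Constructed: business process -> direct (third-party) vendors it cannot run without.
PROCESSES = {
    "payroll": ["PayCo"],
    "shipping": ["LogiPartner"],
    "customer-portal": ["WebHost"],
}
# Constructed: vendor -> its own upstream suppliers (fourth, fifth, ... parties).
UPSTREAM = {
    "PayCo": ["CloudA", "IdentityX"],
    "LogiPartner": ["CloudA", "TelemetryCo"],
    "WebHost": ["CloudA", "CDN-Y"],
    "IdentityX": ["CloudB"],
    "TelemetryCo": ["CloudA"],
}

def transitive_dependencies(vendor, upstream=UPSTREAM):
    """Every Nth-party supplier reachable from `vendor` (breadth-first walk)."""
    seen, queue = set(), deque([vendor])
    while queue:
        for u in upstream.get(queue.popleft(), []):
            if u not in seen:
                seen.add(u)
                queue.append(u)
    return seen

def blast_radius(failed_vendor, processes=PROCESSES, upstream=UPSTREAM):
    """Business processes that stop when `failed_vendor`, at any depth, is unavailable."""
    return sorted(
        p for p, vendors in processes.items()
        if any(failed_vendor == v or failed_vendor in transitive_dependencies(v, upstream)
               for v in vendors)
    )

def shared_dependencies(processes=PROCESSES, upstream=UPSTREAM, min_processes=2):
    """Suppliers that several processes depend on: where one failure cascades,
    and where an Nth-party response plan needs an alternative lined up."""
    exposure = defaultdict(set)
    for p, vendors in processes.items():
        for v in vendors:
            for dep in {v} | transitive_dependencies(v, upstream):
                exposure[dep].add(p)
    return {dep: sorted(ps) for dep, ps in exposure.items() if len(ps) >= min_processes}

if __name__ == "__main__":
    print(blast_radius("CloudA"))  # -> ['customer-portal', 'payroll', 'shipping']
    print(shared_dependencies())   # -> {'CloudA': ['customer-portal', 'payroll', 'shipping']}
```

The analysis is only as good as the graph: in the example the edges are typed in by hand, whereas the interview's point is that the upstream edges have to be discovered continuously, because the questionnaire-era snapshot misses the shared cloud provider that every process here ultimately sits on.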
How Is It Even Possible To Gain Visibility Into Partner Risk Beyond The Third Or Fourth Party?
It’s simple: static questionnaires do not work. They are snapshots in time of a single point of view that can quickly become obsolete. By the time a questionnaire is submitted, the ecosystem may have already shifted.
The solution is continuous, always-on monitoring. This doesn’t require vendors to disclose every partner or create additional risk by sharing exhaustive lists. Instead, organisations can observe dependencies automatically. By doing this, organisations create a dynamic, real-time understanding of the extended supply chain that continuously identifies risk as it emerges rather than reacting afterwards.
By shifting the focus from compliance checks to the risks that genuinely affect operations, organisations can move toward proactive risk management. This approach allows for gaining deep visibility into the supply chain without putting an excessive burden on teams.
Why Do AI Apps Require A Different Vetting Process And Different Governance Practices Compared To Non-AI Apps?
AI fundamentally changes the risk calculation because it operates as a dynamic learning system rather than a static tool. When a company feeds proprietary data into an AI model, that data may be incorporated into the model’s training set or otherwise leave the organisation’s control.
Then there is the issue of output reliability. AI models generate answers probabilistically. When used to automate assessments, AI can produce what we call a “Confident Lie”. This is an answer that appears correct but is factually inaccurate. For example, an AI might indicate a vendor complies with a standard such as ISO 27001 based on probability rather than verification, leading to false assurance.
Panorays addresses this by requiring AI outputs to be reference-backed, drawing from multiple sources or documentation to substantiate each answer. By combining insights from automated questionnaire completion, dynamic mapping of vendor relationships, and prioritised cyber alerts, Panorays reduces false confidence and blind spots. Outputs become traceable, defensible, and grounded in reality, minimising rework and ensuring risk decisions are actionable.
Governance for AI must therefore be human-supervised, continuously validated, and evidence-driven. Organisations need to understand where data flows, how models are trained, how outputs are used, and who is accountable for errors.
The goal is not to reject AI, but to enable safe, controlled, and verifiable use. With the right tools and governance, AI can accelerate third-party risk management (TPRM) without introducing new exposure, turning automation into a strategic advantage rather than a liability.
What Are Some Examples Of Security Gaps That Companies Might Have Even If They’re Fully Compliant With All The Regulatory Frameworks That Apply To Them?
Compliance does not equal security. Regulatory frameworks such as DORA and NIS2 establish minimum requirements, but significant gaps remain in operations, culture and oversight. Organisations can be fully compliant and still be exposed to emerging risks.
Gaps often emerge from human behaviour, where employees may bypass controls, adopt unvetted tools, or unknowingly share sensitive data with Nth-party vendors. Legacy systems, while compliant, may be weak in the face of operational stress. The complex interdependencies of the supply chain can introduce vulnerabilities outside the scope of any audit. Finally, the adoption of AI without governance introduces risks that traditional frameworks do not address.
At the end of the day, true security goes beyond mere compliance, which only offers a point-in-time assurance and serves as the minimum standard. Effective security demands continuous operational awareness and ensures resilience against all threats, both familiar and unexpected. To genuinely bridge the gap between compliance and true protection, organisations must embed security into their culture and operational processes.