The first day of the 2025 Shared Assessments Summit launched with the energy and vision befitting its milestone 20th anniversary. Themed “To Boldly Go,” this year’s Summit challenges risk leaders to break from tradition and take proactive steps into the future of third-party risk management (TPRM)—from cloud transformation and AI to real-time monitoring and evolving regulatory complexity.
With engaging keynotes, in-depth panel discussions, and hands-on practitioner tracks, Day 1 offered risk professionals a powerful combination of strategy, innovation, and practical tools. Here’s what stood out.
The day’s early panels highlighted the evolving risk realities of cloud-first ecosystems. As organizations migrate infrastructure and workloads to the cloud, many assume that security is built-in. But panelists urged attendees to rethink that assumption: cloud security is a shared responsibility, and too many breaches still result from misconfigurations and poor hygiene.
The session explored how organizations must proactively monitor their use of the cloud, not just the providers themselves. AI also took center stage, both as a defense tool and a growing threat, forcing risk leaders to plan for adversaries using the same tools they’re adopting for protection.
A session on post-DORA and NIS2 compliance brought clarity to the fast-changing global regulatory landscape. With new frameworks emerging in Europe, evolving expectations in the U.S., and fresh AI governance efforts worldwide, organizations are being challenged to harmonize their risk programs across fragmented jurisdictions.
Rather than default to a “strictest standard wins” approach, panelists advocated for flexible, principles-based frameworks tailored to business impact. The message was clear: compliance must be integrated into operational resilience—and done in a way that supports the business, not slows it down.
In the spirit of the Summit’s theme, another session encouraged attendees to boldly automate. TPRM teams today are expected to do more with fewer resources—and automation, paired with AI, is stepping up to meet that challenge.
From scanning SOC reports to flagging high-risk vendors, automation is already being used to compress assessment timelines and expand program reach. But adoption depends on trust: AI must be explainable, accurate, and auditable. The takeaway? Automation isn’t a future state—it’s the current baseline for scalable third-party risk programs.
A cornerstone panel focused on future-proofing critical third-party relationships—a timely topic as geopolitical instability, data localization rules, and service concentration risks grow.
Panelists explored how to define vendor criticality, embed controls during contracting, and apply continuous monitoring throughout the relationship lifecycle. They stressed that oversight doesn’t end at onboarding. It’s a continuous, collaborative effort—and must include real plans for vendor failure, termination, and data handoffs.
The afternoon offered specialized tracks for practitioners looking to go deep on execution. Here are some highlights:
The panel on Building a Continuous Monitoring Ecosystem emphasized the urgent need for third-party risk management (TPRM) programs to evolve from periodic assessments to real-time, continuous oversight. Panelists shared that while technology is crucial, true impact comes from aligning monitoring efforts with organizational priorities like operational continuity and regulatory exposure. Success requires prioritizing high-risk vendors, integrating diverse data sources, and fostering collaboration across teams. The session offered tactical advice, including starting small, using automation, and creating clear escalation protocols. Ultimately, continuous monitoring isn’t just a tool—it’s a mindset that enables proactive, scalable, and business-aligned risk management.
The panel on managing risk for non-traditional vendors explored how third-party risk management (TPRM) must evolve to address relationships that fall outside traditional IT or data-driven categories. These vendors—such as facilities providers, legal advisors, and sub-advisors—may not handle sensitive data but still pose operational, reputational, or compliance risks. Panelists emphasized the importance of broadening the definition of a third party and tailoring oversight based on the nature and impact of each vendor’s role. Strategies included using contextual assessments, updating classification frameworks, and fostering cross-functional collaboration. Ultimately, the session highlighted the need for right-sized, flexible, and inclusive TPRM strategies that balance efficiency with effective risk control.
The panel on engineering vendor contracts for the future emphasized that third-party agreements must evolve from static legal documents into dynamic tools for risk management, resilience, and adaptability. Contracts should proactively address modern threats such as AI risks, cybersecurity, and shifting regulations by embedding flexible, scalable clauses and clearly defining responsibilities—especially in shared service models like cloud environments. Panelists advocated for automation in contract management to ensure consistency and uncover risk-related gaps, while stressing that governance and oversight remain crucial. Ultimately, future-proofing starts with the first draft: contracts must be designed to adapt, enforce accountability, and support strategic third-party risk management from day one.
Day 2 of the Shared Assessments Summit continues the momentum with a compelling keynote on managing geopolitical risk, followed by a forward-looking panel on how AI and cutting-edge technologies are reshaping risk management. Breakout sessions will offer practical strategies on streamlining assessments, embracing exception-based TPRM, and reducing risk across the vendor lifecycle. Attendees can also visit the Risk Launchpad for expert guidance on real-world challenges. The afternoon wraps with a celebration of Shared Assessments’ 20-year legacy and a panel on overcoming fragmentation to achieve greater standardization in third-party risk.