When speed becomes a vulnerability: Rethinking third-party risk in federal decision making

Third-party risk emerges over time at the intersections of people, ownership, access and behavior, making it difficult to spot.

Third-party exposure remains one of the most persistent points of failure across government programs. According to SecurityScorecard, 58% of breaches involving the top 100 U.S. federal contractors originated through third-party attack vectors. This reflects a reality many already recognize: The most consequential risks no longer sit entirely inside organizational boundaries.

Federal agencies and contractors have invested heavily in protecting systems within their own control. Cyber defenses are stronger, access controls are tighter, and monitoring is more mature than it once was. Yet adversaries continue to gain an advantage because they are not always attacking the most hardened targets. Increasingly, they gain access through trusted relationships that fall outside direct oversight.

Where risk actually enters
Suppliers, partners, subcontractors and affiliates may sit outside formal security boundaries while maintaining access to sensitive systems, data and personnel. At the same time, agencies are being pushed to move faster on acquisitions and partnerships to meet mission demands while controlling costs and improving efficiency, in an environment where technology evolves quickly and adversaries move even faster. When decisions move faster than insight can keep up, speed becomes a vulnerability.

As a result, risk is no longer concentrated in areas with the strongest defenses. It shows up in the partners who support the work. Suppliers are attractive targets because many operate outside the day-to-day realities of national security work. They may not view themselves as part of the government operations, even when their access, data or personnel place them squarely within it.

The result is a gap between how risk actually emerges and how vetting is expected to catch it.

Why traditional vetting no longer holds
Most third-party vetting processes were built for a slower environment. Risk was assessed at a single point in time, usually during onboarding or contract award, and rarely revisited unless something went wrong.

That model no longer works. Companies change. Leadership shifts. Financial pressure emerges. Cyber posture evolves. A supplier that appeared low risk a few years ago may present significant exposure today.

At the same time, supplier information remains fragmented. Contracts, compliance records, cyber assessments, legal reviews and financial disclosures live in different systems owned by different teams. Each function sees only part of the picture.

In practice, teams spend weeks pulling information from systems that were never designed to work together. By the time a decision is made, leaders still do not have a clear view of the supplier or the risk they are accepting. The decision moves forward anyway, not because the risk is understood, but because the program cannot wait any longer.

How the threat is changing
What has changed is how access is gained. Artificial intelligence is making it easier to slip past trust-based checks, not just break into systems.

There have been reported cases of AI-generated job seekers entering the workforce with polished resumes, fabricated employment histories and convincing interview performances. In some instances, synthetic avatars passed multiple interview rounds, were hired into remote roles, and granted access to internal systems before anyone realized the individual was not who they claimed to be.

This matters because the same trust assumptions exist across supplier ecosystems that support government work. Contractors rely on resumes, background checks, references and video interviews to validate people who may later gain access to government systems, facilities or sensitive information. When AI can convincingly replicate identity, voice and behavior, those controls can be bypassed without triggering obvious alarms.

If a supplier unintentionally hires someone using a fabricated identity, that person does not just gain access to a private company; they also gain access to sensitive information. They may gain indirect access to government data, networks or operations through trusted connections. In that scenario, access is granted through normal processes, and the risk only becomes visible after the fact.

Third-party risk rarely resides in a single dataset or control. It emerges over time at the intersections of people, ownership, access and behavior, making it difficult to spot in any single review or checklist.

How analytics and AI support better decisions
Analytics and artificial intelligence help organizations operate at the scale the current environment demands. They enable monitoring large supplier ecosystems and surface changes that would otherwise go unnoticed.

Used effectively, these tools connect signals that are often siloed. A change in ownership, unusual credential activity, and a shift in access patterns may each appear benign on their own. Viewed together, they can indicate emerging risk that warrants attention.

The value is focus. Rather than reviewing everything all the time, analytics and AI let leaders concentrate their judgment on what has changed and what matters now, so attention goes to the decisions that carry real risk. For example, a routine supplier renewal should pause when ownership has moved overseas and access to sensitive systems has expanded in ways that quietly open the door to foreign access.
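The point above, that an ownership change, a credential anomaly and an access expansion look benign in isolation but together justify pausing a renewal, can be shown in a few lines of correlation logic. The following is an added example, not code from the article or from any product it mentions. It joins constructed records from two separate "systems" (an ownership registry and an identity-and-access event log) by supplier identifier, counts how many distinct signal categories appear inside a look-back window, and turns that count into a review decision. The home country, the sensitive-scope prefixes, the supplier identifiers and every record are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

HOME_COUNTRY = "US"                              # assumption for this example
SENSITIVE_SCOPES = ("cui_repo:", "prod_admin:")  # hypothetical scope prefixes
EXAMPLE_AS_OF = date(2026, 2, 15)                # review date used below

# Constructed records. In practice these live in different systems owned by
# different teams; here they are embedded so the example runs offline.
OWNERSHIP_REGISTRY = [
    {"supplier": "S-001", "effective": date(2025, 9, 1),  "owner_country": "US", "beneficial_owner": "Holdco A"},
    {"supplier": "S-001", "effective": date(2026, 1, 15), "owner_country": "XX", "beneficial_owner": "Holdco B"},
    {"supplier": "S-002", "effective": date(2024, 3, 1),  "owner_country": "US", "beneficial_owner": "Founders"},
]
IAM_EVENTS = [
    {"supplier": "S-001", "when": date(2026, 2, 3),  "event": "role_grant", "scope": "cui_repo:write"},
    {"supplier": "S-001", "when": date(2026, 2, 10), "event": "impossible_travel"},
    {"supplier": "S-002", "when": date(2026, 2, 5),  "event": "impossible_travel"},
]


@dataclass
class SupplierSignals:
    supplier: str
    ownership_changed: bool = False
    ownership_foreign: bool = False
    credential_anomaly: bool = False
    access_expanded: bool = False
    reasons: list = field(default_factory=list)

    def categories(self) -> int:
        """Number of distinct signal categories present: ownership, credentials, access."""
        return sum([
            self.ownership_changed or self.ownership_foreign,
            self.credential_anomaly,
            self.access_expanded,
        ])


def ownership_signals(sig, records, as_of, window):
    """Flag a recent change of beneficial owner and any non-home-country owner."""
    hist = sorted((r for r in records if r["supplier"] == sig.supplier), key=lambda r: r["effective"])
    if not hist:
        return
    latest = hist[-1]
    if latest["owner_country"] != HOME_COUNTRY:
        sig.ownership_foreign = True
        sig.reasons.append(f"beneficial owner registered in {latest['owner_country']}")
    if (len(hist) >= 2 and latest["effective"] >= as_of - window
            and latest["beneficial_owner"] != hist[-2]["beneficial_owner"]):
        sig.ownership_changed = True
        sig.reasons.append(f"ownership changed on {latest['effective']}")


def access_signals(sig, events, as_of, window):
    """Flag credential anomalies and grants into sensitive scopes inside the window."""
    for e in events:
        if e["supplier"] != sig.supplier or not (as_of - window <= e["when"] <= as_of):
            continue
        if e["event"] == "impossible_travel":
            sig.credential_anomaly = True
            sig.reasons.append(f"impossible-travel login on {e['when']}")
        elif e["event"] == "role_grant" and e["scope"].startswith(SENSITIVE_SCOPES):
            sig.access_expanded = True
            sig.reasons.append(f"granted {e['scope']} on {e['when']}")


def decide(sig) -> str:
    """Two or more categories together warrant pausing; one alone is watched, not blocked."""
    n = sig.categories()
    if n >= 2:
        return "pause_review"
    if n == 1:
        return "monitor"
    return "routine"


def correlate(as_of, ownership=OWNERSHIP_REGISTRY, iam=IAM_EVENTS, window_days=180):
    """Join the siloed sources per supplier and return {supplier: (decision, signals)}."""
    window = timedelta(days=window_days)
    suppliers = {r["supplier"] for r in ownership} | {e["supplier"] for e in iam}
    result = {}
    for s in sorted(suppliers):
        sig = SupplierSignals(s)
        ownership_signals(sig, ownership, as_of, window)
        access_signals(sig, iam, as_of, window)
        result[s] = (decide(sig), sig)
    return result


if __name__ == "__main__":
    for s, (decision, sig) in correlate(EXAMPLE_AS_OF).items():
        print(f"{s}: {decision} ({'; '.join(sig.reasons) or 'no signals'})")
```

Run as-is, S-001 is flagged `pause_review` because all three categories coincide, while S-002, which shows only a single impossible-travel login, is merely `monitor`. The decision stays with the reviewer; the code only decides where that reviewer's time should go first, and the `reasons` list gives them the evidence trail to act on.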

What effective third-party risk programs look like in practice
Organizations that manage third-party risk well tend to anchor their programs around a few practical habits.

  • Clear awareness of relationships and change. Leaders maintain a current understanding of who they are doing business with, how those entities support the mission, and what has changed since the last review.
  • Risk is viewed as ongoing, not one-time. Initial vetting still matters, but risk continues to evolve after a contract is signed. Effective programs account for change over the life of the relationship.
  • Information is kept separate from decisions. Analytics and AI help surface relevant signals, but people remain accountable for interpreting those signals and making the final calls.
  • Risk is considered when decisions are made. Strong programs align risk review with acquisition and partnership decisions, not after commitments are already locked in.

When these practices are in place, leaders see consistent signs that the program is working, including:

  • Decisions that move faster with more confidence
  • Risk conversations that happen earlier
  • A willingness to walk away from problematic partnerships
  • Fewer surprises when issues emerge

Programs that struggle show the opposite pattern: slow reviews, late-arriving information, and reactive decisions made under pressure.

What’s at stake
When third-party risks are missed, the consequences extend well beyond individual programs. Adversaries gain insight into how government work is supported, where access exists, and which relationships can be leveraged over time. That insight can be used to collect sensitive intelligence, maintain access, or create leverage that threatens systems and missions when conditions change.

Leaders rarely experience this as a single, obvious failure. More often, the damage accumulates through a series of decisions that each appeared reasonable on their own. By the time the risk is fully visible, the impact is already real and difficult to reverse.

This is not about seeing everything. It is about knowing where exposure lives. Missions are lost in the seams between organizations, systems and trust, and it is in these seams that leaders decide whether to look or not.

Todd Harbour is managing member of Grist Mill Exchange and managing partner at Core4ce.

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
