Post by Jason Berndt
Sr. IT Manager at Sermo
I was in SoHo this past week for Vanta's Trust Tour. One thing that stuck with me was the realization that a lot of risk programs are still built around the idea that change happens slowly. Quarterly reviews, annual audits and vendor approvals that assume today looks like six months from now.

That assumption doesn't hold anymore. AI features are showing up inside tools we already approved months ago or longer. Sometimes we hear about them but often we don't. In this case, risk isn't just about failing an audit. It's about being blind to changes while the business keeps moving forward.

A few talking points I took note of:

Third-party risk has turned into upkeep. Saying yes now doesn't always mean yes later.

Shadow AI isn't always rogue behavior. Sometimes it's just that tools are changing faster than reviews.

Guardrails matter more than policies. If you can't see what's changing, the policy doesn't help much.

I walked away thinking less about how security says no, and more about how we avoid getting surprised. That's what the job actually feels like now.

How are you keeping up with AI changes in vendors you already trust, without slowing everyone down?