Galink Assessment 2026 Edition
Feb 8, 2026
Our managed vendor assessment service has a clear ambition: to move away from purely declarative vendor evaluations and to provide a realistic and operational view of the cyber maturity of third parties.
Since then, hundreds of vendors have completed the Galink questionnaire (Galink Assessments). We have received feedback from the assessed vendors. Most importantly, the context has evolved significantly, particularly with the massive adoption of AI.
Today, we are publishing a new version of the Galink Assessment 2026.
This is not a complete overhaul. It is a natural evolution guided by real-world input.
What does not change: a maturity-centered approach
The philosophy of the Galink Assessment remains the same.
• Evaluate the actual cyber maturity, not just theoretical compliance
• Ask questions that are understandable and actionable for vendors
• Align with major frameworks and regulations (ISO 27001, NIST, DORA, NIS2…) without turning the assessment into an audit
• Produce a valuable result, both for the client company and the assessed vendor
The goal remains simple: to better understand supplier risk and help third parties progress over time.
What we have improved: more clarity, less friction
What is changing in 2026:
• Some questions have been clarified to remove ambiguities
• Others have been simplified to reduce unnecessary burden
• A few formulations have been adjusted to reflect actually observable practices, rather than idealized controls
In summary: the same level of rigor, but a better signal and less noise.
These improvements also make it possible:
• to reduce back-and-forth between clients and vendors,
• to improve completion rates,
• and to make the assessment smoother, without losing depth.
The main novelty: a section dedicated to AI security
Why? Because AI is no longer marginal.
Today, suppliers:
• are using AI tools internally (code assistants, copilots, automation, analytics),
• are integrating AI components directly into the products and services they deliver,
• are dependent on third-party models and platforms that they do not always fully control.
Yet, in the majority of vendor questionnaires, AI is:
• either absent,
• or only superficially addressed, with no real insight into the risks.
We believe this is no longer sufficient.
What the AI Security section covers
The AI Security section of the Galink Assessment aims to evaluate a vendor's maturity according to three complementary axes:
Internal use of AI
How AI tools are used by teams, and what safeguards exist to prevent data leaks or uncontrolled uses.
AI integrated into products or services
When AI is part of the delivered offering:
• how risks are assessed,
• how data is processed,
• how models and outputs are governed.
Governance and accountability
Policies, roles, processes, and evaluations surrounding AI, in relation to current and upcoming regulatory requirements.
The goal is not to hinder the adoption of AI.
On the contrary, it is to distinguish between managed and responsible use and uncontrolled exposure.
Why it’s critical now
For CISOs and risk & compliance teams, AI has become a significant vendor risk factor:
• data privacy,
• dependence on opaque models,
• shadow AI,
• dilution of responsibilities.
For suppliers, maturity in AI is gradually becoming a signal of trust.
With this new section, the Galink Assessment allows:
• client companies to gain better visibility on an emerging risk,
• suppliers to demonstrate their seriousness, beyond pure innovation.
A questionnaire that evolves with the ecosystem
Vendor risk management is not static. Questionnaires should not be either.
This new version of the Galink Assessment reflects:
• real-world feedback,
• the operational needs of security teams,
• and the fact that AI is now fully part of the risk perimeter.
And this is just a step.
