AI, Agent... what will risk management look like in 2030?
Oct 6, 2025
Recap of the Vendor Cyber Risk Summit roundtable – moderated by Mathieu de Galink, with Ayoub Fandi and Laurent Hausermann
As vendor risk management becomes a critical issue for cybersecurity and compliance departments, artificial intelligence (AI) emerges as a major transformation lever. During the Vendor Cyber Risk Summit, organized by Galink, Mathieu led an engaging roundtable with two complementary experts:
Ayoub Fandi, founder of the GRC Engineering movement and head of GRC automation at GitLab,
Laurent Hausermann, serial entrepreneur and co-founder of Cygo Entrepreneur, a startup studio specializing in cybersecurity.
Together, they shared their vision of a future — already underway — where AI becomes the engine of efficiency and resilience in third-party risk management (TPRM), the management of vendor risk.
AI in vendor risk management: a revolution already underway
From the very first minutes, a survey among the participants revealed a surprising finding: nearly 40% of organizations have never utilized AI in their risk management processes.
Yet, the use cases are numerous — and tangible.
Ayoub illustrated how GitLab already uses AI to automate document reviews, a significant bottleneck in TPRM.
“A SOC 2 report is between 50 and 300 pages. AI allows us to automatically extract the 60 to 70 lines that really matter for our controls.”
Thanks to the automatic analysis of reports, questionnaires, and security tests, his team has been able to build genuine “vendor profiles”, combining audit results, exceptions, and unresolved vulnerabilities.
Result: considerable time savings and the capacity to handle several hundred vendors with the same team.
For mid-sized companies, AI becomes an essential accelerator
Laurent provided a ground-level perspective: that of mid-sized companies, those with between 500 and 5,000 employees, which often lack dedicated cybersecurity resources.
“Below 1,500 people, there is often no full-time CISO. Teams are stretched across multiple missions and lack the resources to meet the demands of major clients.”
Again, AI can make a difference.
Laurent cites the example of SMEs that took weeks to manually reconcile HR and IT data to identify dormant accounts — a task that an AI agent could automate in a few hours.
“AI compensates for the lack of manpower and time. It’s the only realistic path to bring mid-sized companies to the expected level of cyber maturity.”
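The HR/IT reconciliation Laurent describes is a join between two exports: the HR roster says who still works here, the identity provider says which accounts exist and when they were last used. The following Python is an added example written for this recap, not tooling from the webinar, GitLab or Cygo; the records, field names and the 90-day inactivity threshold are constructed for illustration. It flags accounts whose owner has left, accounts with no matching HR record, service accounts with no owning team, and accounts that have simply gone idle.

```python
"""Reconcile an HR roster with identity-provider account records to flag
dormant or orphaned accounts.

Added example; the records, field names and thresholds below are constructed
for illustration and are not any organisation's real data or tooling.
"""
from datetime import date

# Constructed HR export: one row per person, as an HRIS would export it.
HR_ROSTER = [
    {"employee_id": "E1", "name": "Alice", "status": "active"},
    {"employee_id": "E2", "name": "Bob", "status": "terminated", "end_date": date(2025, 6, 30)},
    {"employee_id": "E3", "name": "Carol", "status": "active"},
    {"employee_id": "E4", "name": "Erin", "status": "active"},
]

# Constructed IT export: one row per account, as an identity provider would export it.
IT_ACCOUNTS = [
    {"account": "alice", "kind": "user", "employee_id": "E1", "last_login": date(2025, 10, 1)},
    {"account": "bob", "kind": "user", "employee_id": "E2", "last_login": date(2025, 7, 2)},
    {"account": "carol", "kind": "user", "employee_id": "E3", "last_login": date(2025, 5, 15)},
    {"account": "dave", "kind": "user", "employee_id": "E9", "last_login": date(2025, 9, 30)},
    {"account": "erin", "kind": "user", "employee_id": "E4", "last_login": None},
    {"account": "svc-backup", "kind": "service", "owner_team": "infra", "last_login": date(2025, 10, 5)},
    {"account": "svc-legacy", "kind": "service", "owner_team": None, "last_login": date(2024, 12, 1)},
]

# Constructed review date (the article's publication date).
AS_OF = date(2025, 10, 6)


def find_dormant_accounts(hr_roster, it_accounts, as_of, inactivity_days=90):
    """Return {account_name: [reasons]} for every account that needs review.

    Reasons: owner_left, no_hr_owner, no_owning_team, never_logged_in, inactive_<N>d.
    Accounts with no reason are omitted, so an empty dict means nothing to review.
    """
    hr_by_id = {person["employee_id"]: person for person in hr_roster}
    findings = {}
    for acct in it_accounts:
        reasons = []
        if acct["kind"] == "service":
            # Service accounts have no HR owner by design; they must map to a team instead.
            if not acct.get("owner_team"):
                reasons.append("no_owning_team")
        else:
            person = hr_by_id.get(acct.get("employee_id"))
            if person is None:
                reasons.append("no_hr_owner")      # account with no matching HR record
            elif person["status"] != "active":
                reasons.append("owner_left")       # HR says the person has left
        last = acct.get("last_login")
        if last is None:
            reasons.append("never_logged_in")
        else:
            idle_days = (as_of - last).days
            if idle_days > inactivity_days:
                reasons.append(f"inactive_{idle_days}d")
        if reasons:
            findings[acct["account"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in sorted(find_dormant_accounts(HR_ROSTER, IT_ACCOUNTS, AS_OF).items()):
        print(f"{name:12s} {', '.join(why)}")
```

The output is a review list, not an action list: an agent can produce it in minutes, but disabling "bob" or "svc-legacy" still goes through a human, which is the division of labour the roundtable kept coming back to.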
From report generation to autonomous action
The two experts agree: we are just at the beginning.
Today, AI helps aggregate and summarize data; tomorrow, it will act.
“The next step is to delegate actions to AI agents,” explains Laurent.
“Like early anti-spam solutions, there’s hesitation to trust them, but tomorrow, it will be unthinkable to do without.”
Ayoub confirms this vision with concrete figures:
“In our case, an AI analyzes 700 pages in 75 seconds. Multiply that by 2,000 vendors: the productivity gain is massive.”
And tomorrow? Towards TPRM on autopilot
Although 2030 seems far away, the future of TPRM is already being written.
The experts envision a process almost entirely automated:
AI scans a vendor's “trust center”,
Analyzes its exposure perimeter and incident history,
Evaluates mentions of the vendor in internal tools (Slack, tickets, etc.) to detect weak signals,
And assigns a contextualized and dynamic risk score.
“We will no longer settle for a static questionnaire: we will have a real-time assessment based on concrete data and cross-analyses,” predicts Ayoub.
Laurent adds that advances in small language models (SLMs), including open source ones, and technologies like MCP (Model Context Protocol) will soon allow these AIs to be integrated directly within internal systems without exposing sensitive data.
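What distinguishes the "contextualized and dynamic" score from a static questionnaire is that evidence from the trust center, the exposure scan, the incident history and internal mentions is combined, weighted by how recent it is, and recomputed as signals arrive or get remediated. The Python below is an added example written for this recap, not a scoring model from the speakers or any product; the signal sources, weights, tier thresholds, decay steps and the sample vendor evidence are all constructed for illustration. It keeps a per-signal breakdown so an analyst can see why the score moved.

```python
"""Contextualized, time-decaying vendor risk score built from heterogeneous signals.

Added example; sources, weights, thresholds and the sample signals are constructed
for illustration and are not the speakers' or any product's scoring model.
"""
from datetime import date

# Constructed evidence about one vendor, normalised from several sources.
# Positive weights raise risk; negative weights (e.g. a clean attestation) lower it.
# A "resolved" date means the finding was remediated and stops counting from then on.
SIGNALS = [
    {"source": "trust_center", "kind": "soc2_type2_clean", "weight": -15, "date": date(2025, 7, 1)},
    {"source": "exposure", "kind": "admin_panel_internet_facing", "weight": 25, "date": date(2025, 9, 20)},
    {"source": "incident_history", "kind": "breach_disclosed", "weight": 40, "date": date(2024, 10, 1)},
    {"source": "internal_mentions", "kind": "slack_outage_thread", "weight": 10, "date": date(2025, 10, 1)},
    {"source": "internal_mentions", "kind": "dpa_ticket_unanswered", "weight": 5, "date": date(2025, 8, 15)},
    {"source": "exposure", "kind": "expired_tls_cert", "weight": 15, "date": date(2025, 9, 1),
     "resolved": date(2025, 9, 3)},
]

# Constructed evaluation dates: before the cert fix, at publication, and a quarter later.
AS_OF_EARLIER = date(2025, 9, 2)
AS_OF = date(2025, 10, 6)
AS_OF_LATER = date(2026, 1, 10)


def recency_factor(age_days):
    """Step decay: recent evidence counts fully, older evidence progressively less."""
    if age_days <= 90:
        return 1.0
    if age_days <= 365:
        return 0.5
    return 0.25


def score_vendor(signals, as_of):
    """Return {"score", "tier", "contributions"} for the vendor as of a given date."""
    contributions = []
    for sig in signals:
        if sig["date"] > as_of:
            continue  # evidence that did not exist yet cannot count
        if sig.get("resolved") and sig["resolved"] <= as_of:
            continue  # remediated finding: no longer contributes
        age = (as_of - sig["date"]).days
        contribution = sig["weight"] * recency_factor(age)
        contributions.append({"source": sig["source"], "kind": sig["kind"],
                              "age_days": age, "contribution": contribution})
    raw = sum(c["contribution"] for c in contributions)
    score = max(0.0, min(100.0, raw))          # clamp to a 0..100 scale
    tier = "low" if score < 25 else "medium" if score < 50 else "high"
    # Largest absolute contributions first, so the analyst sees what drives the score.
    contributions.sort(key=lambda c: abs(c["contribution"]), reverse=True)
    return {"score": score, "tier": tier, "contributions": contributions}


if __name__ == "__main__":
    for when in (AS_OF_EARLIER, AS_OF, AS_OF_LATER):
        result = score_vendor(SIGNALS, when)
        print(f"{when}: score={result['score']:.1f} tier={result['tier']}")
        for c in result["contributions"]:
            print(f"   {c['contribution']:+6.1f}  {c['source']}/{c['kind']} ({c['age_days']}d old)")
```

Evaluated at the three dates the same vendor lands in three different places: the exposed admin panel and the outage thread push it up in October, and with nothing new by January the score drifts back down. That drift is the point, and also the caveat: a score that decays on its own is only trustworthy if the signal collection keeps running, so the pipeline feeding it needs monitoring as much as the vendor does.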
Humans will remain at the heart of the process
Despite the power of the models, there is a consensus: humans remain indispensable.
“AI automates the collection and analysis, but the final decision must remain human. It allows us to free up time for the essentials: understanding, dialoguing, deciding,” recalls Mathieu.
In other words: AI does not replace the cyber expert, it augments them.
In conclusion
AI is no longer a futuristic promise — it’s an operational tool that is already transforming vendor risk management.
Pioneers like GitLab or initiatives led by Five Entrepreneurs show the way:
reduction of document review time,
better prioritization of risks,
and equitable access to cybersecurity performance, even for mid-sized companies.
But to scale, this revolution will need to be supported by sustained evangelization and trust-building.
As Laurent perfectly sums it up:
“We were afraid to let an algorithm sort our spam. Today, we couldn't do without it. It will be the same for cybersecurity.”