Vendor Risk in the AI Era: Why Annual Reviews Aren't Enough with Clarence Chio

6 snips

Mar 19, 2026

Clarence Chio, Cofounder and CEO at Coverbase and author focused on AI and cybersecurity. He discusses why traditional vendor checks fall short. He explains the rise of continuous monitoring, procurement as a control point, and how AI and agents enable real-time vendor oversight. Short, urgent ideas on shifting from periodic compliance to ongoing verification.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Third-Party Use Has Exploded And Eroded Visibility

Third-party usage has exploded: financial firms increased vendors ~500% in 10 years, spreading data across many external systems.
This creates visibility gaps because niche SaaS, AI tools, and extensions host critical data outside company control.

INSIGHT

Static Assessments Give False Confidence

Point-in assessments like questionnaires and SOC 2s give snapshots but poorly predict breach likelihood because vendors often self-report to close deals.
SOC 2 value is eroding as audits become commoditized and faster, reducing their depth.

ANECDOTE

OpenAI–Mixpanel Breach Exposed Fourth-Party Risk

The OpenAI–Mixpanel incident showed even top-tier vendors and customers can be impacted when a vendor is breached.
Mixpanel's analytics breach exported OpenAI session data, highlighting fourth-party exposure across customers.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of the Risk Management Show, we sit down with Clarence Chio, Cofounder & CEO at Coverbase to explore how vendor risk is evolving in the age of AI and interconnected ecosystems.

As organizations increasingly rely on third-party services, traditional approaches to risk management—like annual reviews and static assessments—are proving insufficient. Clarence shares insights on why continuous monitoring is becoming essential, how procurement is emerging as a critical control point, and how AI can help organizations stay ahead of vendor-related risks.

💡 Key Takeaways Vendor risk is continuous, not periodic: Annual reviews alone cannot keep pace with today's dynamic threat landscape.

Visibility is critical: Organizations need real-time insights into vendor behavior, not just compliance snapshots. Procurement is strategic: It plays a central role in enforcing security and risk standards. AI is a game changer: It enables earlier detection of anomalies and evolving risks across vendor ecosystems.

🚀 Key Topics Covered

1. From Internal Security to Ecosystem Risk

2. The Limits of Traditional Vendor Assessments

3. Lessons from the OpenAI–Mixpanel Incident

4. Annual Reviews vs. Continuous Verification

5. What Continuous Vendor Monitoring Looks Like in Practice

6. Procurement as the New Risk Gatekeeper

7. Misconceptions in Vendor Risk Management

8. The Role of AI in Vendor Risk Detection

🎯 Final Thoughts

Clarence emphasizes the need for a fundamental shift in how organizations think about third-party risk—from static compliance exercises to continuous, intelligence-driven monitoring. As ecosystems grow more complex, so must the strategies used to secure them.

🔗 About the Guest. Clarence Chio is the CEO and co-founder of Coverbase, a company focused on transforming procurement into a risk-aware, AI-driven advantage. He is also the author of Machine Learning & Security, a widely recognized resource at the intersection of AI and cybersecurity.

Thanks for listening! If you enjoyed this episode, be sure to subscribe and share it with your network.

🌐 Join our community for even more insights:

Online Community: https://globalriskcommunity.com/

LinkedIn Page: https://www.linkedin.com/company/globalrisk-community/

LinkedIn Group: https://www.linkedin.com/groups/3701313/

Academy platform: https://globalriskacademy.com/courses/