Your vendors are your
attack surface.
Strac TPRM auto-discovers every vendor — and every shadow AI tool your team wired in last week — scores them with a transparent deterministic risk engine, monitors them continuously, and feeds the same assessment into SOC 2, ISO 27001, and NIST CSF.
Example override record: inherent impact 4 → 2 by aatishm@strac.io, rationale “Pen test verified access controls are mature.”
The breach probably won't start with you.
Every SaaS tool, sub-processor, and OAuth grant is a door into your data. Most teams manage that door with a spreadsheet and an annual email blast. That is not a program — it's a hope.
How it works
The whole third-party lifecycle — discover, assess, monitor, retire — in one place, on evidence the platform already collects.
Discover
Shadow-IT and shadow-AI discovery surface every SaaS app and GenAI tool from OAuth grants, deduped against your managed register — no more unknown unknowns.
Assess
The deterministic engine scores each vendor from typed evidence — data sensitivity, access scope, integrations, attestations. Inherent and residual, driver by driver.
Monitor
Re-assess on a schedule and on change. Vendors crossing your risk threshold promote into the risk register automatically and notify the owner.
Offboard
Retire a vendor, revoke access, and capture proof — version-pinned so an auditor can replay exactly what was true the day you cut them off.
A risk score your auditor can actually trust.
Most TPRM tools hand a vendor questionnaire to an LLM and print a color. Strac scores every vendor with a deterministic engine from typed evidence — data sensitivity, access scope, integrations, security attestations — so the band is repeatable, explainable, and the same for everyone who runs it.
- Driver-level breakdown — every band shows the inputs that produced it
- Inherent vs. residual risk, with impact × likelihood you can inspect
- Admin overrides with ground truth — and the engine value preserved beside it
- “Engine said 4, admin chose 2, here’s why” lands verbatim in the audit binder
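A hypothetical engine in exactly that shape, as an added illustration and not Strac's own code: the driver tables, band ceilings, the impact × likelihood weighting, the sample vendor and the override are all constructed. The point it demonstrates is that the score is a pure function of typed evidence, that every driver is exposed, and that an override records the engine value at the moment it is applied rather than replacing it.

```python
"""Deterministic vendor-risk engine: driver-level breakdown, inherent vs.
residual risk, admin overrides that keep the engine's value beside the
admin's. Added illustration; tables, bands and the sample vendor are
constructed, not Strac's engine."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Typed evidence: each driver is an enumerated value mapped through a fixed
# table, so identical evidence always yields an identical score.
DRIVER_TABLES: Dict[str, Dict[str, int]] = {
    "data_sensitivity": {"public": 1, "internal": 2, "confidential": 3, "regulated": 4},
    "access_scope": {"none": 1, "read": 2, "read_write": 3, "admin": 4},
    "integration_depth": {"none": 1, "api_key": 2, "oauth_scopes": 3, "sso_and_sync": 4},
    # Attestations only earn credit against likelihood, and only for residual risk.
    "attestation": {"none": 0, "self_assessed": 1, "soc2_type1": 2, "soc2_type2_or_iso27001": 3},
}
# Score = impact x likelihood, each 1..4; band ceilings are fixed, not tuned per run.
BANDS = [(4, "low"), (8, "medium"), (12, "high"), (16, "critical")]


@dataclass(frozen=True)
class Override:
    """An admin's ground-truth adjustment to a single driver."""
    driver: str
    value: int
    by: str
    rationale: str


@dataclass(frozen=True)
class OverrideRecord:
    """What lands in the binder: engine value and admin value side by side."""
    driver: str
    engine_value: int
    admin_value: int
    by: str
    rationale: str


@dataclass
class Assessment:
    vendor: str
    engine_drivers: Dict[str, int]     # what the evidence alone produced
    effective_drivers: Dict[str, int]  # after overrides
    inherent_impact: int
    inherent_likelihood: int
    inherent_score: int
    inherent_band: str
    residual_likelihood: int
    residual_score: int
    residual_band: str
    overrides: List[OverrideRecord]


def band_for(score: int) -> str:
    for ceiling, name in BANDS:
        if score <= ceiling:
            return name
    return "critical"


def score_vendor(vendor: str, evidence: Dict[str, str], overrides: Sequence[Override] = ()) -> Assessment:
    # Every driver must be present and typed; an unknown value is an error, not a guess.
    engine = {name: table[evidence[name]] for name, table in DRIVER_TABLES.items()}
    effective = dict(engine)
    records: List[OverrideRecord] = []
    for ov in overrides:
        if ov.driver not in engine:
            raise ValueError(f"unknown driver {ov.driver!r}")
        if not ov.rationale.strip():
            raise ValueError("an override needs a rationale for the audit trail")
        # Capture the engine's value at this moment, then apply the admin's value.
        records.append(OverrideRecord(ov.driver, engine[ov.driver], ov.value, ov.by, ov.rationale))
        effective[ov.driver] = ov.value
    impact = effective["data_sensitivity"]
    likelihood = max(effective["access_scope"], effective["integration_depth"])
    # Residual: attestations lower likelihood, never impact; floored at 1.
    residual_likelihood = max(1, likelihood - effective["attestation"])
    return Assessment(
        vendor, engine, effective,
        impact, likelihood, impact * likelihood, band_for(impact * likelihood),
        residual_likelihood, impact * residual_likelihood, band_for(impact * residual_likelihood),
        records,
    )


def binder_lines(a: Assessment) -> List[str]:
    """Render the driver breakdown and override provenance as plain audit text."""
    lines = [f"{a.vendor}: inherent {a.inherent_score} ({a.inherent_band}), "
             f"residual {a.residual_score} ({a.residual_band})"]
    lines += [f"  {d} = {v}" for d, v in a.effective_drivers.items()]
    for r in a.overrides:
        lines.append(f"  {r.driver}: engine said {r.engine_value}, {r.by} chose {r.admin_value}: {r.rationale}")
    return lines


# Constructed sample vendor and override (hypothetical, not a real assessment).
SAMPLE_EVIDENCE = {"data_sensitivity": "regulated", "access_scope": "admin",
                   "integration_depth": "api_key", "attestation": "soc2_type2_or_iso27001"}
SAMPLE_OVERRIDE = Override("access_scope", 2, "admin@example.com",
                           "Pen test verified access controls are mature.")

if __name__ == "__main__":
    for line in binder_lines(score_vendor("ExampleCRM", SAMPLE_EVIDENCE, [SAMPLE_OVERRIDE])):
        print(line)
```

Run stand-alone, the sample vendor scores inherent 16 (critical) from the evidence alone and 8 (medium) after the access-scope override, with residual 4 (low) either way; the binder line reads "engine said 4, admin@example.com chose 2" followed by the rationale. An override with an empty rationale is rejected rather than silently recorded.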
Example discovery finding: ⚠ ChatGPT (free): 14 grants, Drive + Gmail scope, trains on prompts. No managed-vendor match → flagged for review.
Half your team already pasted data into an AI you don't know about.
Roughly half of employees use unsanctioned AI tools, and most do it in the free tier, where prompts can be used to train the model. Every ChatGPT, Perplexity, or Copilot account a user signs into with their work Google identity is a third-party AI vendor holding a scope into your data that nobody assessed. Strac surfaces them the same way it finds shadow IT: from the OAuth grants already in your Google Workspace, with no endpoint agent and no proxy.
- Every AI app classified as an AI vendor — model provider, training behavior, data residency
- AI-specific risk drivers: does it train on your data? what scope did it take? where does it run?
- Deduped against your managed vendors — sanctioned Claude vs. rogue ChatGPT free, side by side
- Feeds NIST CSF 2.0 GV.SC supply-chain outcomes and your AI Acceptable Use Policy evidence
Everything a third-party program needs
Not a questionnaire mailer with a dashboard. A full program, built on the data-discovery engine that already knows what your vendors touch.
Deterministic risk scoring
Repeatable bands from typed evidence — not an LLM’s mood. Every score exposes its drivers, inherent and residual, impact and likelihood.
Shadow IT + Shadow AI discovery
Surface unmanaged SaaS and unsanctioned GenAI tools from Google Workspace OAuth grants, strict- and fuzzy-dedup against your vendor set, and promote in one click.
Admin overrides with forensics
Adjust a single driver when you have ground truth the engine can’t see — the binder shows the engine value, your value, and your justification, side by side.
Questionnaires, both directions
Send and auto-grade vendor questionnaires — and answer the ones your customers send you from your own knowledge base.
Data-aware by default
Built on Strac’s DLP foundation, so risk reflects what data a vendor actually touches — not just what they claimed on a form.
Cross-framework reuse
One vendor assessment satisfies SOC 2 CC9.2, ISO 27001:2022 A.5.19–A.5.22, and NIST CSF 2.0’s GV.SC supply-chain category at once.
One lifecycle, not a filing cabinet
Third-party risk isn't a one-time onboarding form. It's a loop, and offboarding, where access that should have ended with the contract quietly lives on, is the step most easily forgotten.
Why this beats the bolt-on vendor tab
For Vanta and Drata, TPRM is a side module — a questionnaire sender stapled to a compliance dashboard. For Strac, knowing what data a vendor touches is the whole company.
Straight answers
How is the risk score different from Vanta’s or an AI questionnaire grade?
Strac uses a deterministic engine: typed inputs (data sensitivity, access scope, integration depth, attestations) map to inherent and residual risk through fixed rules. The same vendor always produces the same band, every driver is inspectable, and there is no black-box LLM deciding your risk posture. When an admin overrides a driver, the original engine value is captured at that moment so the auditor sees “engine said X, admin chose Y, here’s why.”
How do you find shadow AI tools my employees are using?
The same OAuth-grant discovery that finds shadow IT finds shadow AI: Strac reads the third-party app authorizations in your Google Workspace, so every ChatGPT, Claude, Perplexity, or Copilot login a user connected through their Google identity shows up without an endpoint agent or network proxy. (Because it reads grants, coverage is limited to apps authorized with the Google account; a tool used with a separate username and password leaves no grant to read, which is where the in-line DLP mentioned below comes in.) Each AI app is classified with AI-specific risk: who the model provider is, whether the tier trains on your inputs, what data scope it was granted, and where it runs. Sanctioned AI (your managed Claude) and rogue AI (a personal ChatGPT free account with Drive access) sit side by side so you can manage, restrict, or reject each one, with the rationale captured for your AI Acceptable Use Policy evidence. Pairs with Strac’s AI Data Governance for in-line prompt-level DLP.
How do you discover vendors we didn’t tell you about?
Shadow-IT discovery reads third-party OAuth grants from your Google Workspace and annotates each app against your managed-vendor set — strict match by name or canonical hostname, fuzzy match for the near-misses. Apps with no match are flagged so you can manage or reject them, with a required rationale captured for the audit trail.
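The discovery and dedup step described in this answer and in the shadow-AI answer above, written out as an added illustration that is not Strac's code: the managed-vendor register, the grant records, the strict rule (normalised name or hostname under a registered host) and the fuzzy threshold are all constructed, and the only real identifiers are the Google Drive and Gmail scope URIs. It groups grants per canonical host (so `www.` and bare hosts dedupe together), ranks unmatched apps that hold data scopes to the top of the review queue, and refuses to manage or reject a flagged app without a rationale.

```python
"""Shadow-IT / shadow-AI discovery from Google Workspace OAuth grants, deduped
against a managed-vendor register with strict and fuzzy matching. Added
illustration, not Strac's code: register, grants and threshold are constructed."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Sequence, Tuple
import re

# Google scope URIs that reach user data rather than just identity (real URIs).
SENSITIVE_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
)
FUZZY_THRESHOLD = 0.8  # assumed cut-off for near-miss names


@dataclass(frozen=True)
class ManagedVendor:
    name: str
    hosts: Tuple[str, ...]  # canonical hostnames the vendor's apps sign in from


@dataclass
class Finding:
    app_name: str
    app_host: str
    match: str              # "strict", "fuzzy" or "none"
    vendor: Optional[str]
    grants: int
    users: List[str]
    sensitive_scopes: List[str]
    flagged: bool           # anything short of a strict match needs a human decision


def norm_name(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def canonical_host(host: str) -> str:
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_matches(app_host: str, vendor_host: str) -> bool:
    return app_host == vendor_host or app_host.endswith("." + vendor_host)


def match_vendor(app_name: str, app_host: str, register: Sequence[ManagedVendor]) -> Tuple[str, Optional[str]]:
    # Strict: exact normalised name, or the grant's host is (under) a registered host.
    for v in register:
        if norm_name(app_name) == norm_name(v.name) or any(host_matches(app_host, canonical_host(h)) for h in v.hosts):
            return "strict", v.name
    # Fuzzy: best string similarity on normalised names, above a fixed threshold.
    def ratio(v: ManagedVendor) -> float:
        return SequenceMatcher(None, norm_name(app_name), norm_name(v.name)).ratio()
    best = max(register, key=ratio)
    if ratio(best) >= FUZZY_THRESHOLD:
        return "fuzzy", best.name
    return "none", None


def discover(grants: Sequence[Dict], register: Sequence[ManagedVendor]) -> List[Finding]:
    # One finding per canonical host, however many users granted the app.
    by_host: Dict[str, Dict] = {}
    for g in grants:
        host = canonical_host(g["app_host"])
        agg = by_host.setdefault(host, {"name": g["app_name"], "users": set(), "scopes": set(), "count": 0})
        agg["count"] += 1
        agg["users"].add(g["user"])
        agg["scopes"].update(g["scopes"])
    findings = []
    for host, agg in by_host.items():
        kind, vendor = match_vendor(agg["name"], host, register)
        sensitive = sorted(s for s in agg["scopes"] if s.startswith(SENSITIVE_SCOPE_PREFIXES))
        findings.append(Finding(agg["name"], host, kind, vendor, agg["count"],
                                sorted(agg["users"]), sensitive, kind != "strict"))
    # Unmatched apps holding data scopes float to the top of the review queue.
    return sorted(findings, key=lambda f: (not f.flagged, -len(f.sensitive_scopes), f.app_host))


def decide(finding: Finding, action: str, by: str, rationale: str) -> Dict:
    """Manage or reject a flagged app; the rationale is mandatory for the audit trail."""
    if action not in ("manage", "reject"):
        raise ValueError(f"unknown action {action!r}")
    if not rationale.strip():
        raise ValueError("a rationale is required to manage or reject a flagged app")
    return {"app_host": finding.app_host, "action": action, "by": by, "rationale": rationale,
            "match": finding.match, "grants_at_decision": finding.grants}


# Constructed register and grant records (shape only; not real tenant data).
REGISTER = [
    ManagedVendor("Claude (Team)", ("claude.ai",)),
    ManagedVendor("Slack", ("slack.com",)),
    ManagedVendor("Salesforce", ("salesforce.com", "force.com")),
]
DRIVE = "https://www.googleapis.com/auth/drive"
GMAIL_RO = "https://www.googleapis.com/auth/gmail.readonly"
GRANTS = [
    {"user": "alice@example.com", "app_name": "Slack", "app_host": "slack.com", "scopes": ["openid", "email"]},
    {"user": "bob@example.com", "app_name": "Claude", "app_host": "claude.ai", "scopes": ["openid", "email"]},
    {"user": "carol@example.com", "app_name": "ChatGPT", "app_host": "chatgpt.com", "scopes": ["openid", DRIVE, GMAIL_RO]},
    {"user": "dave@example.com", "app_name": "ChatGPT", "app_host": "www.chatgpt.com", "scopes": ["openid", DRIVE]},
    {"user": "erin@example.com", "app_name": "Salesforce Inc", "app_host": "login.sfdc.example", "scopes": ["openid"]},
]

if __name__ == "__main__":
    for f in discover(GRANTS, REGISTER):
        print(f"{'⚠ ' if f.flagged else '  '}{f.app_name} ({f.app_host}): {f.match} -> {f.vendor}, "
              f"{f.grants} grants, data scopes={f.sensitive_scopes}")
```

On the constructed input, the two ChatGPT grants merge into one finding with no register match and Drive plus Gmail scopes, so it leads the queue; "Salesforce Inc" on an unregistered host is a fuzzy match to Salesforce and still flagged; Slack and Claude match strictly on hostname and are not flagged. Note the asymmetry the example relies on: a hostname match is trusted, a name match alone is only a hint, because app display names are chosen by the app publisher.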
Does a vendor assessment count toward our SOC 2 or ISO audit?
Yes. Vendor risk assessments map directly to SOC 2 CC9.2 (vendor and business-partner risk), ISO 27001 A.5.19–A.5.22 (supplier relationships), and NIST CSF 2.0’s GV.SC supply-chain risk category. One review advances every framework you run — no duplicate work, no re-keyed evidence.
What happens when a vendor’s risk changes after onboarding?
Assessments re-run on a schedule and on material change. A vendor that crosses your risk threshold promotes into the risk register automatically and notifies the owner, so a vendor that was “low” at onboarding doesn’t silently drift to “critical” between annual reviews.
Can Strac TPRM run standalone, or only with the compliance platform?
Both. It runs as a focused third-party risk program on its own, and it shares an evidence base with Strac Comply and Strac’s DLP platform — so if you already run compliance or data security with us, your vendor risk inherits that context for free.
See every vendor. Score them straight.
Discover your real third-party footprint, score it with an engine you can defend, and reuse the work across every framework you run.