Security Questionnaires Don't Work. Here's What We Do About It.
Nearly everyone in cybersecurity agrees security questionnaires are broken, but almost no one acts on it. With third-party breaches now accounting for 30–35% of all incidents, the gap between what questionnaires promise and what they deliver isn't just inefficient — it's a meaningful security risk.
Here's something nearly everyone in cybersecurity agrees on but almost no one acts on: security questionnaires are broken. Companies hate sending them. Vendors hate receiving them. And the data they produce is so unreliable that only 4% of organizations say they're highly confident vendors actually meet the security requirements those questionnaires are supposed to verify.
We keep doing them anyway. The industry spent the last few years building AI tools to automate the process, which is a bit like building a faster horse when the road leads off a cliff. The fundamental problem isn't efficiency. It's that self-attestation under misaligned incentives produces unreliable information, and no amount of automation changes that equation.
With third-party breaches now accounting for 30 to 35% of all incidents, up from roughly 15% just a few years ago, the gap between what questionnaires promise and what they deliver isn't just inefficient. It's a meaningful security risk.
The Familiar Problems
Some of this is well-trodden ground, but it's worth cataloging because the cumulative weight matters.
Security questionnaires are long, generic, and rarely tailored to the actual service being evaluated. Vendor responses come from approved template libraries that may not reflect current reality. The questionnaires themselves age poorly, frequently referencing threat models and infrastructure assumptions that are months or years out of date. Legal and compliance language makes questions harder to parse than they need to be. And the sheer volume creates fatigue on both sides: up to 75% of vendors either don't complete questionnaires or don't complete them on time.
Each of these is a friction problem. Together, they produce something worse: a process where the questions are wrong, the answers are unreliable, and nobody involved has the time or incentive to fix either one.
We Automated the Wrong Thing
The market's response to questionnaire friction has been predictable: automate it. AI-powered questionnaire completion tools can now draft vendor responses from existing documentation. Platforms match questions to pre-approved answer libraries. The goal is to take something painful and make it painless.
The problem is that this accepts questionnaires as the foundation of third-party risk management and helps entrench them further. If the underlying model is self-attestation, where the vendor tells you what you want to hear under conditions where everyone's incentivized to say yes, making it faster doesn't make it more accurate. You're scaling the wrong thing.
Fifty-four percent of organizations say their top goal for AI in TPRM is faster questionnaire completion. That's understandable as a tactical priority. But as a strategic direction, it's investing in a process that can't deliver what you need from it.
The Incentive Problem Nobody Talks About
The deepest flaw in security questionnaires isn't procedural. It's structural.
Questionnaires happen during a sales cycle. By the time the security review starts, momentum is running hard toward "yes." The vendor's account executive needs the deal to close. The vendor's engineering team sees sales enablement as part of their job. The vendor's leadership wants growth. On the buying side, the team that selected the tool wants to start using it. The security team doesn't want to be the department that blocks everything, because if they are, people start routing around them. Leadership wants the process resolved quickly.
Nobody in this dynamic wants the questionnaire to surface a dealbreaker. So it rarely does. Answers get spun in the most favorable light possible. Gaps get papered over. The organization doesn't learn what it needs to know, and no one has any incentive to change that.
This isn't cynicism. It's how institutional incentives work when everyone's interests point in the same direction, toward closing the deal and moving on.
What a Gap Actually Costs You
Even when questionnaires do surface a genuine gap, the question is: so what?
If you discover that a vendor's encryption practices don't meet your standard, or their incident response plan has holes, what leverage do you actually have? It's not your company. It's not your budget. It's another organization with different priorities, a different roadmap, and a different risk appetite. You can flag the issue. You can escalate internally. You can threaten to walk.
But if you walk away from vendors every time a gap appears, you'll lose credibility inside your own organization, because gaps appear often and the business needs tools to operate. Eventually you become the team that blocks progress, and departments start making procurement decisions without involving you. That's worse than the gap you were trying to address.
For the largest enterprises, there's sometimes enough purchasing leverage to push changes on a vendor. For everyone else, the gap your questionnaire found is a fact you now know about but probably can't change. That's not risk management. That's documentation of helplessness.
What Actually Works
The alternative to questionnaires isn't doing nothing. It's building a TPRM program on foundations that produce reliable, actionable information rather than self-reported optimism.
Continuous monitoring over point-in-time snapshots. Platforms like Bitsight, SecurityScorecard, and UpGuard continuously observe a vendor's external security posture: exposed assets, breach history, certificate hygiene, DNS configuration. This is an outside-in view, so it can't see internal controls, and it isn't a replacement for human judgment. But it provides an external, objective baseline that self-attestation can't. An annual questionnaire won't notice the expired certificate or newly exposed service a vendor introduced last month; continuous monitoring will, as long as the change is visible from the outside.
Risk-tiered assessment. Not every vendor needs the same level of scrutiny. A SaaS tool that processes PII requires a fundamentally different assessment than a marketing analytics platform with no data access. Tier your vendors by actual risk exposure, and invest deep assessment resources where they matter.
Evidence over attestation. Instead of asking vendors to describe their security controls in their own words, ask for artifacts: SOC 2 reports, penetration test summaries, architecture diagrams, incident response documentation. Read the scope, the period covered, and the exceptions in a SOC 2 report, not just the opinion letter, because a clean report over a narrow scope says little about the service you are actually buying. AI-powered platforms can now analyze SOC 2 reports and map evidence to frameworks like SIG, NIST, and ISO automatically, extracting verifiable facts rather than relying on self-reported claims.
Contractual controls with teeth. Security requirements belong in contracts, with specific obligations around notification timelines, right-to-audit clauses, and minimum control baselines. This isn't a substitute for technical assessment, but it shifts the dynamic from "trust me" to "here are the terms we both agreed to."
Integrate findings into your broader program. Third-party risk isn't a standalone function. Assessment results should feed into your risk register, inform incident response planning, and connect to your compliance posture. If vendor risk data sits in a separate spreadsheet that nobody looks at between renewal cycles, you're not managing risk. You're archiving it.
Time to Evolve
The KPMG 2026 Global Third-Party Risk Management Survey points to where the industry is heading: risk-based screening, breaking down organizational silos, investing in data quality, and deploying AI where it actually adds signal rather than just speed.
Questionnaires will probably persist in some form for years. They're embedded in procurement workflows, compliance checklists, and audit expectations. But treating them as the backbone of your TPRM program in 2026, when a third of all breaches involve third-party access and continuous monitoring tools are mature and accessible, is choosing a known-broken model over available alternatives.
The goal isn't to eliminate all vendor risk. It's to understand it clearly enough to make informed decisions, and to do that, you need inputs you can trust. Self-attestation under sales pressure isn't one of them. It's time to build something better.
Let's discuss how Sidekick Security can help protect your organization.