Third-party due diligence is entering a crunch point: ecosystems are exploding in size and complexity, while most compliance teams remain lean and heavily reliant on manual methods. The State of Third-Party Due Diligence benchmarking survey captures that tension and shows where leading teams are already starting to break away.
Third-Party Scale, Complexity, and Capacity
The survey confirms that many organizations are now operating third-party ecosystems that simply outstrip traditional due diligence models.
- More than half of organizations manage over 500 third parties, and 22% manage more than 1,000, with some overseeing well over 10,000.
- Risk is heavily concentrated in a minority. Roughly 21% of third parties fall into high or very high risk categories, yet the long tail of lower-tier and indirect relationships is where many modern risks actually surface.
- Despite this, 52% of organizations run their compliance programs with ten or fewer FTEs, creating a widening gap between exposure and available capacity.
The full survey digs into how different industries and geographies feel this strain, and how teams are prioritizing the risk segments they can realistically cover.
What Gets Checked in Third-Party Due Diligence and What Doesn’t
The data shows a clear hierarchy of what teams actually look at in third-party due diligence, revealing both strengths and blind spots.
- The most widely adopted checks focus on areas with clear regulatory pressure and accessible data: corporate registration and financial stability (72%), data protection and cybersecurity (64–68%), sanctions and PEP screening (61%), and litigation or regulatory history (61%).
- Negative media review is also mainstream, with 57% screening for adverse reputation signals, and 60% checking adherence to applicable laws such as anti-bribery and corruption requirements.
- By contrast, only 35% identify ultimate beneficial owners and just 30–37% systematically evaluate ESG, forced labor, or environmental violations, despite mounting expectations in these areas.
The Visibility Gap Beyond Third Parties
One of the starkest findings is how fast visibility drops off beyond direct third parties.
- Nearly 70% of respondents consistently assess their direct third parties, but only 37% frequently assess fourth parties, and just 15% go beyond the fifth tier.
- Top obstacles include simply identifying nth parties and accessing them for information, compounded by limited data, limited people, and limited tools.
- Many teams admit they do not know how deep to go. 42% say they lack clarity on appropriate depth, leading to inconsistent scoping and unmanaged blind spots in indirect tiers.
The survey dives further into how organizations are attempting to map complex ownership networks, respond to regulations like the CSDDD, and decide where to draw the line on deeper-tier due diligence.
Initial vs. Enhanced Third-Party Due Diligence in Practice
The research highlights how organizations structure initial screening versus Enhanced Due Diligence (EDD), including triggers, timelines, and methods.
- Initial due diligence is relatively efficient: 29% complete it in under a week and 42% within one to two weeks, with only about 13% reporting cycles longer than four weeks.
- EDD is far more resource-intensive: on average, only about 35% of third parties undergo EDD, broadly in line with the share categorized as high or very high risk, but leaving a large “long tail” with only basic screening.
- Top EDD triggers include high-risk geographies or industries, risk-scoring thresholds, adverse media, and opaque or complex ownership structures.
In EDD, organizations lean more heavily on higher-touch methods such as remote interviews, on-site visits, and external investigations, while still relying on sanctions/watchlist screening and open-source intelligence as foundational tools. The report unpacks how these workflows differ by risk tier and how teams are trying to balance depth with speed.
Timelines, Onboarding Friction, and False Positives
The survey illustrates how third-party due diligence timelines translate into real commercial impact, especially where processes stretch into weeks or months.
- While many organizations keep onboarding relatively tight (25% complete it in less than a week and 40% in one to two weeks), 28% report onboarding cycles of six weeks or more.
- For EDD, 48% of cases close within one to two weeks, but 24% stretch beyond four weeks, and 9% extend beyond 12 weeks, moving into territory where deals risk losing momentum or sponsors.
- False positives stand out as a major drag on workflows, especially in sanctions and adverse media screening, contributing to delays, reviewer fatigue, and higher cost.
The full survey explores what differentiates organizations that maintain predictable timelines from those that struggle with extended cycles, including their approaches to data centralization, tooling, and internal process ownership.
Continuous Monitoring and the Move to “Always On”
Another clear signal is the gradual but decisive shift from point-in-time reviews to continuous monitoring as a baseline expectation.
- Most organizations rely on periodic risk reassessments (75%), ongoing adverse media monitoring (56%), and continued watchlist screening (52%) to maintain visibility after onboarding.
- Regular audits remain widely used, but are complemented by more dynamic mechanisms such as automated alerts and external risk-intelligence feeds; resource-intensive site visits are reserved for higher-risk or strategically critical relationships.
The pattern points toward a pragmatic model: consistent, automated external signals across the full third-party universe, with targeted human interventions where data alone cannot provide sufficient assurance.
AI’s Role in Third-Party DD: Momentum, Not Yet Transformation
AI emerges as one of the most important, but still early, levers for scaling due diligence without proportional headcount growth.
- Adoption today is concentrated in a few high-ROI use cases: real-time risk monitoring (21.9%), automated document review (15.8%), and enhanced compliance checks (14%).
- Across almost every AI use case, the largest segment of respondents sits in the “considering in the future” category (around 38–52%), signaling strong interest but limited operationalization so far.
- Early adopters focus on reducing false positives, accelerating first-level screening, expanding continuous monitoring, and surfacing early risk signals from adverse media and external data.
More advanced use cases, such as predictive modeling, ownership-network graphing, and contract analytics, remain further out, with higher “not a priority” responses reflecting both technical complexity and governance concerns. The full survey breaks down AI maturity curves and expectations for adoption over the next 12 months and beyond.
Strategic Insights for Compliance Leaders
Taken together, the findings suggest that due diligence is at an inflection point: risk is growing faster than resources, but new technologies and operating models are beginning to close the gap.
- Traditional manual, point-in-time approaches are increasingly misaligned with sprawling, multi-tier ecosystems and fast-moving regulatory requirements.
- Continuous monitoring is shifting from “nice to have” to baseline, especially as sanctions, geopolitical dynamics, and ownership structures change in real time.
- AI is moving from experimentation to early embedding in core workflows, with the most successful teams pairing automation with strong governance, clear accountability, and human oversight.
For organizations that want to pressure-test their own approach (how many third parties undergo EDD, where deeper-tier visibility stops, which checks are standard versus emerging, and how their AI adoption compares), the full State of Third-Party Due Diligence 2025 report provides detailed benchmarks, charts, and recommendations.
It is designed to help compliance leaders move beyond intuition and anecdote, and instead calibrate their programs against where the market is now, and where it is heading next.
Hannah Tichansky is the Content and Social Media Manager at GAN Integrity. Hannah holds over 13 years of writing and marketing experience, with 8 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.