I was honored to facilitate a conversation with three of the most respected voices in procurement, risk, and compliance:
- Alla Valente, Forrester
- Michael Rasmussen, GRC 20/20
- Chris Sawchuk, The Hackett Group
Collectively, they represent decades of research, benchmarking, and advisory work across the world’s largest organizations. What they shared at Icon 2026 was direct, practical, and in some cases, genuinely unsettling in the best possible way.
I opened the panel with a confession. I shared with our audience that I used AI to help draft my intro notes for the guests. And it was mostly helpful.
I asked it to tell me about today’s guests. And it did. Confidently. Enthusiastically. And in at least two cases, entirely fabricated. It told me that Michael Rasmussen was listed as an extra in Lord of the Rings. Alla Valente was apparently People magazine’s Best Dressed in Risk. And Chris Sawchuk was said to hold a black belt in Brazilian Jiu-Jitsu.
(For the record: Chris has neither confirmed nor denied the black belt.)
The setup wasn’t just a joke. It was the point.
Off-the-shelf AI fills gaps with confidence. It tells you a story that sounds right, might even be right, but isn’t. That’s precisely not how AI works at apexanalytix. Our platform’s AI is built on decades of historical context and continuous validation with the world’s largest supply chains. Trust is the design principle, not an afterthought. When the data is wrong, everything downstream is wrong. Our AI knows what it doesn’t know, which, as it turns out, is a rare and valuable quality.
With that frame in place, here’s what the next 45 minutes surfaced.
AI is a Top Priority and the Least Mature Capability
I asked Chris Sawchuk to open because The Hackett Group’s annual research is some of the most grounding data in the industry, and what he shared stopped a few people in their seats. In a good way. Mostly.
In Hackett’s latest study of procurement and supply management priorities heading into 2026, AI ranked third in the top ten organizational priorities.
A year ago it wasn’t in the top ten at all. When organizations were asked where they were investing to build capability, AI came in second, behind only data, which has been the number one investment area for three consecutive years. And when asked which single capability mattered most in 2026, AI led the list.
Then came the other number: when asked to rate maturity across roughly 25 capabilities, AI ranked last.
So: most important, least mature. The function has essentially handed itself an assignment it hasn’t perpared for yet.
Most organizations have moved through awareness and early experimentation. Some have deployed, with varying degrees of success. But the honest picture, as Chris put it, is that the pressure from boards and executives to act on AI has outpaced the clarity about where to act. The question he hears most often from senior leaders isn’t “should we?” but “where do we start?”
Looking out five years, AI ranked first among capabilities expected to have the biggest transformational impact on organizations. Last year it was second. The function is beginning to understand what it’s sitting in front of. Whether it’s ready or not.
Compliance is a Floor, Not a Destination
Alla Valente covers third party risk and contract lifecycle management at Forrester, and she did not come to comfort anyone. Her argument was blunt: The goal isn’t zero risk. The goal is taking the right risks, for the right value, at the right cost. A company that takes no risks is a company that’s on its way out.
On regulation, Alla was equally direct: deregulation doesn’t mean less work.
It means more change management, more uncertainty, and more decisions that get resolved in litigation rather than through clear guardrails. She cited studies showing close to 92% of large US companies face at least one class action lawsuit, with more than half facing multiple. When regulations don’t draw the lines, courts will. And courts are considerably less efficient than a good contract clause.
Her Monday morning list for the room:
- Audit your contracts: Start with anything three years old or older. Look for any agreement that lacks language around cyber attack, AI training models, data sovereignty, or geopolitical obligations. Those contracts were written for a different environment. They need to be updated. All of them.
- Look at your shadow procurement exposure: Not every third party relationship runs through procurement. Check recurring charges on corporate cards, particularly in marketing and technology. Freemium tools that were “just being tested” often required data connections. Deciding not to purchase a tool doesn’t mean the data shared during the trial is gone. Someone has it. You just don’t know who.
- Separate governance from risk management: Governance tells you whether policies have been followed. Risk management tells you what to do when they haven’t. As organizations stand up AI governance frameworks, they need to use them to identify problems and then use risk management to fix them. Those are two different processes. Conflating them is how you end up with a very thorough audit trail of how everything went wrong.
Governance is a Performance Engine, Not a Cost Center
Michael Rasmussen has been one of the most recognized voices in GRC for a reason, and he spent his segment doing what he does best: reframing the entire conversation before anyone realized it was happening.
He opened by suggesting we stop treating AI like Jack Sparrow, left unsupervised; it wanders off and does things. Charming things, possibly, but not necessarily the things you intended. The room appreciated this more than I expected.
Michael’s framework for building that business case rests on four dimensions of value:
- Efficiency is traditional ROI: time saved, money saved. It matters. It just isn’t sufficient, and it’s certainly not enough to get budget approved.
- Effectiveness is actual, quantifiable risk reduction. A supplier risk platform should be able to demonstrate measurable reduction in exposure. That’s a stronger business case than “we saved some hours.”
- Resilience is finding cracks before they become crises. The difference between a line item and a headline.
- Agility is the dimension Michael called most important, and most underinvested. Third party risk management has historically been a rearview mirror discipline: by the time the data is collected and analyzed, the supplier has already had an incident. The organizations that lead are the ones building forward-looking capability, using scenario modeling and digital twins to run “what if” analysis before disruptions land.
He closed with a framing from a chief risk officer candidate in a CEO interview. When asked what strong risk management would mean for the business, the candidate said: if I do my job correctly, it means you have no surprises in achieving your objectives. The CEO hired him on the spot. Honestly, same.
Done right, third party risk is not a handbrake on the business. It is the navigation system.
The Extended Enterprise is Your Biggest Exposure
Later in the conversation, Michael turned to the scale and shape of third party risk in practice, and things got a little sobering.
The modern organization is not bounded by its own walls. It is an extended web of suppliers, vendors, outsourcers, service providers, contractors, consultants, brokers, intermediaries, and more. Their issues are your issues. And that network is the hardest control environment to manage, in part because most organizations are still drawing their risk perimeter around their own building.
The size of a contract is not a proxy for risk. Twelve years ago, the Target breach entered through an HVAC vendor with a network connection for environmental monitoring. One heating and air conditioning vendor gave attackers access to point-of-sale systems across one of the largest retail networks in the country. The doorway was small. The exposure was massive.
He also walked through a scenario from one of his third party risk workshops: a modern slavery incident with a critical supplier that then triggered a ransomware attack from a hacktivist group using the first incident as leverage. After the simulation, someone in the room said quietly: this isn’t a scenario for us. This happened to us.
That’s the thing about these scenarios. They’re only hypothetical until they aren’t.
Managing cyber risk in one silo, modern slavery in another, geopolitical risk in a third, and financial viability in a fourth means no one is reading the complete picture. Individual yellow scores across categories can add up to a red exposure that no single team ever sees.
By the time someone connects the dots, the dots have already connected themselves.
2026 is an Inflection Point, Speed is the New Currency
Chris returned for the closing segment with a sharper version of his opening argument, and he did not soften the landing.
The labor-for-technology swap happening inside procurement and finance organizations has been building for years.
What’s different in 2026 is the acceleration. Workloads are expected to grow roughly 8% this year. Headcount budgets are negative in a period with no economic recession, something Hackett has not seen before. Do more with less is no longer a mandate from a difficult quarter. It’s the operating model.
Technology investment is increasing, and an increasing share of it is going to AI: predictive, generative, agentic, and whatever comes next.
In manufacturing, the gap between labor investment decline and technology investment growth is even more pronounced. Some European organizations Hackett works with are approaching budget equilibrium between labor and technology spend. That is not a sentence anyone would have written into a five-year plan ten years ago.
Chris’s close was direct. The question is not whether transformation is coming.
It’s whether you’re building for speed. Speed is a competitive differentiator.
The organizations that can keep pace with their businesses are the ones that will pull ahead. The ability to leapfrog, to skip the incremental path and build differently, is real. The window is open. The question is whether you’re walking through it.
The Throughline: Trusted Data is the Foundation
Across every segment of the panel, whether the topic was AI readiness, regulatory complexity, contract risk, or organizational design, the same issue kept surfacing.
Organizations that are succeeding have a data foundation they can trust. Organizations that are struggling are working around the gaps in theirs, which, it turns out, is a full-time job that doesn’t scale.
The questions these analysts are hearing aren’t primarily about technology selection. They’re about whether the data feeding those technologies is accurate, connected, and current. Supplier risk programs built on incomplete or fragmented data don’t produce reliable outputs. AI trained on bad data doesn’t improve decisions. It just makes bad decisions faster, with more confidence.
That foundation, trusted and connected supplier data, is what apexanalytix is built around. The platform connects supplier onboarding, continuous risk monitoring, contract and compliance visibility, and payment controls in a single integrated view. It’s the difference between risk programs that see individual signals and programs that see the full picture.
What I appreciated most about this panel was that three independent analysts, with no coordination with our team, made that case entirely on their own. The research points to the same place we do. Trusted data is not a feature. It is the prerequisite for everything else.
And unlike AI-generated bios, you can actually rely on it.
Speaking of which, here comes the shameless plug. We just launched QubitOn, which puts that same trusted data foundation behind any API call, MCP server, or AI assistant prompt. No enterprise contract, no sales cycle, no fabricated black belts. 280 million continuously validated company records and 1,200+ data sources across 250+ countries, available at QubitOn.com. The next time your AI confidently invents a supplier’s tax ID, you’ll have somewhere to send it for a reality check.
Want to see how apexanalytix surfaces supplier risk across your third party ecosystem? Contact us to schedule a demo.
