โ† Blog

Less Focus on Vendor Controls. More Focus on Vendor Status.

Jonathan Mandell, Founder, Docubark · 2026

Start with a familiar mess.

Have you ever sat through an internal risk assessment of your own company?

It's chaos. People disagree on what's being asked. Evidence is scattered across systems. Teams give conflicting answers. After weeks of meetings, spreadsheets, and follow-ups, you're often still unsure what's actually going on.

Now imagine doing that for 100+ vendors a year — except you don't work there, can't see their systems, and can't test their controls. And the answers are coming from a spreadsheet filled out by a sales engineer with help from AI.

You probably won't learn much.

The questionnaire premise is broken.

For twenty years, vendor risk management has tried to gauge risk by interrogating vendor controls. The premise: ask enough questions, and you'll understand how secure a vendor really is.

But we can barely understand our own controls from the inside. Why would a questionnaire give us a clear picture of someone else's? The result is governance theater — a lot of visible activity, very little real progress in understanding actual exposure.

Status is more knowable than controls.

A better approach focuses on the vendor's status in the world.

What certifications do they hold — FedRAMP, HITRUST, ISO 27001, SOC 2? How large and mature are they? Do they support enterprise basics like SAML, SCIM, audit logs, and RBAC? Any history of breaches, lawsuits, or regulatory issues? How much scrutiny are they already under from customers, auditors, regulators, insurers, and the market?

None of this is a perfect measure of risk. Nothing is. But these signals are objective, verifiable, and often tell you more about a vendor's real posture than a spreadsheet of self-attested answers. It's the same logic behind FastPass: for large, established vendors, public signals and compliance documents are a more reliable basis for a decision than vendor self-attestation.

Not all vendors deserve the same process.

This doesn't mean controls don't matter. It means we should be honest about what we can actually know.

A large, established vendor with strong certifications, public security documentation, and constant market scrutiny shouldn't be treated the same as a 10-person startup with no assurance reports and access to sensitive data. A small vendor handling no sensitive information shouldn't go through the same process as a small vendor embedded in a critical workflow.

Build status into the framework.

The point is to work these ideas into the risk framework. Start with what the vendor actually does for you. Then look at objective signals about who they are, how mature they are, and what scrutiny they already live under.

This won't make vendor risk perfect. But it will make it more efficient, more realistic, and probably more accurate than pretending we can understand every vendor's control environment through a spreadsheet.
