Why Global Enterprises Need a New Operating Model for Economic Security

About This Report

This report presents findings from the 2025 Sayari Enterprise Risk Survey, conducted September-October 2025. The survey gathered insights from 139 senior decision-makers responsible for supply chain risk management, third-party risk, procurement, and trade compliance at large global enterprises – 100% with revenue above $1B, 84% VP-level or above.

Five key findings: 90% agree siloed risk is redundant. 81% are only partially integrated. 74% say continuous monitoring is too time-consuming. Only 8% are currently using predictive AI – but 67% want it within 3-5 years. 60% of respondents are part of a buying committee, not the final decision-maker.

Chapter 1: The Regulatory Acceleration

The compliance environment facing Global 2000 companies has fundamentally changed since 2022. What was once a stable framework of periodic regulatory updates has become a relentless acceleration – driven by geopolitical conflict, supply chain weaponization, and a bipartisan political consensus that economic interdependence represents a strategic vulnerability, not just a business risk.

Three regulatory trends are converging to create simultaneous pressure across every risk domain. In Sanctions & Export Controls, Trump II’s “maximum pressure” campaigns expanded the China entity list by 143 additions in 2025. In Forced Labor and UFLPA, CBP detained $1.34B in merchandise in 2024 – 25% more shipments than 2023, with 47% ultimately denied entry. In Beneficial Ownership Transparency, the US Corporate Transparency Act, EU Anti-Money Laundering Package, and UK NSI Act notifications (up 26% year-over-year to 1,143) have made “who owns the company” a regulatory question, not just a due diligence preference.

What Buyers Say Is Driving Investment

When asked about primary triggers for investing in new risk management software, survey respondents cited enhanced risk visibility/reporting (65%), regulatory changes/compliance requirements (54%), and operational efficiency/automation (47%). The insight behind the numbers: traditional compliance approaches – name screening against sanctions lists, annual vendor reviews, self-attested supplier data – were designed for a simpler era. They screen for what is known. Today’s environment requires tracing what is hidden.

Chapter 2: The Silo Problem

Large enterprises don’t have one risk problem. They have five. TPRM, vendor risk management, supply chain risk management, information security risk, and ESG risk evolved as separate disciplines, staffed by separate teams, using separate tools, fed by separate data vendors – often reviewing the same counterparties from different angles without any mechanism to share findings.

The continuous monitoring paradox is stark: 86% of respondents rate continuous monitoring as “very important” or “absolutely essential” – yet 74% say it’s too time-consuming to actually do. This is not a priority gap; it’s a capability gap. The barriers cited: too time-consuming (74%), too complex (35%), current vendor does not support automation (30%).

The Data Vendor Sprawl

Most enterprises use between 1-10 distinct data vendors across risk platforms – 54% use 1-5, 35% use 6-10. But even at the low end, managing multiple providers creates reconciliation overhead, data quality disputes, and coverage gaps. A team managing five data vendors for TPRM and a separate team using three for supply chain risk may have $3-5M in combined annual data spend with significant redundancy and zero unified view.

Chapter 3: The Convergence Imperative

The survey data on convergence is unambiguous. This is not a niche view or an early-adopter position – it is the dominant perspective among senior risk leaders at Global 2000 companies. 90% agree that siloed risk practices are redundant and organizations are converging. 85% agree that organizations are moving toward a single integrated risk platform.

The question is no longer “should we converge?” – it is “how do we get there, and which vendor can take us from our current fragmented state to a unified future?” The global TPRM software market – estimated at $8.3B in 2024 – is projected to reach $18.7B by 2030, a 14.5% CAGR driven entirely by this shift from point solutions to unified platforms.

Chapter 4: The AI Transition

AI is the most discussed and least deployed technology in enterprise risk management. The survey reveals a market that is enthusiastic about AI’s potential, frustrated by practical barriers, and deeply uncertain about how to evaluate AI solutions in a compliance context where errors have regulatory and financial consequences.

Where Organizations Are Today

Only 8% are currently using predictive AI in risk decision-making, and just 3% have prescriptive AI workflows. By contrast, 67% want to be at predictive or prescriptive maturity within 3-5 years. The capabilities in use or under consideration: automated report generation (53%), real-time risk monitoring (49%), predictive risk scoring (44%), and autonomous screening (38%).

The primary barriers to AI adoption are accuracy concerns in regulated contexts (cited by 61%), integration complexity with existing GRC systems (54%), and lack of explainability for audit purposes (47%). These are not abstract objections – they reflect the reality that an AI recommendation in a sanctions or UFLPA context carries direct legal and financial liability.

Chapter 5: The Buying Committee Paradox

Enterprise risk platform purchases are never made by a single buyer. The survey confirms this: 60% of respondents describe themselves as “part of a team” in the buying process, not the final decision-maker. Understanding who is in the room – and what each persona needs – is as important as the product itself.

The Four-Persona Committee

• CRO / General Counsel – accountable for regulatory outcomes. Cares about defensibility, audit readiness, and board-level risk reporting. Needs proof that the platform can replace scattered attestations with traceable, verifiable evidence.
• Procurement / TPRM Leader – operationally accountable. Cares about workflow integration, vendor coverage depth, and whether the platform reduces FTE hours. Primary objector to switching costs.
• CTO / AI Lead – technically accountable. Cares about API access, data quality provenance, AI explainability, and integration with existing GRC stack. Key influencer on build-vs-buy decisions.
• CFO – financially accountable. Evaluates total cost of ownership including vendor consolidation savings, FTE efficiency, and penalty avoidance ROI. Needs a quantified business case.

The paradox: the risk leader who identified the need is rarely the one who approves the budget. Vendors who sell only to the operational buyer – and don’t equip them to sell internally – lose deals late, after substantial investment from both sides.

Chapter 6: Future-Proofing to 2029

The technology decisions enterprises make in 2025-2026 will determine their compliance posture and competitive position through 2029. Three shifts define the planning horizon that buyers must account for now.

• Regulatory volume will not decrease. McKinsey research confirms industrial policy actions grew nearly 390% between 2017 and 2024. The investment screening mechanism has grown ninefold since 2005. Compliance programs built for today’s volume will be insufficient for 2027.
• AI accuracy standards will tighten. The EU AI Act supply chain governance requirements – effective for most enterprise systems by 2026 – mandate explainability and auditability for AI used in regulated risk workflows. Opaque models will face legal exposure.
• Beneficial ownership is now a regulatory data requirement. The US Corporate Transparency Act, EU AMLA, and UK NSI Act all require knowing the actual owner – not the registered name. Self-attested supplier data will not satisfy regulators who have access to the same corporate registry data that Sayari indexes.

Recommendations for Risk Leaders

Based on survey findings and platform deployment data, Sayari recommends the following priorities for enterprise risk leaders navigating the convergence transition:

• Audit your current vendor stack for redundancy – most enterprises paying for 5-10 data vendors can consolidate to 2-3 without coverage loss, funding the unified platform investment
• Make continuous monitoring a platform requirement, not a manual workflow – any vendor that can’t demonstrate automated, ongoing third-party monitoring at scale is a point solution, not a platform
• Evaluate AI on accuracy, not features – require vendors to demonstrate hallucination rates on your actual entity set, against your jurisdiction footprint, before any AI capability evaluation
• Build your buying committee map before the vendor process – identify every stakeholder who will touch the purchase, what they need to say yes, and what will cause them to veto
• Choose a platform that works now and in 2029 – the switch cost from a unified platform back to point solutions is higher than the switch cost in the other direction; plan for the platform you need in three years, not the one you need today