• From Algorithms to Enterprise Risk: How AI Is Reshaping Procurement & Third-Party Oversight
    Nov 27 2025

    In this landmark episode of The Third Party Risk Institute Podcast – The Executive Edge, we sit down with Nathan Spielberg, Co-Founder and Chief Technology Officer of Tamarin AI, for an in-depth and highly practical conversation on how artificial intelligence is truly built, trained, and deployed in enterprise procurement and third-party risk environments.

    With a PhD from Stanford University, a Master’s in Mechanical Engineering and Machine Learning, and an undergraduate degree from MIT, Nathan brings rare technical depth combined with real-world enterprise application experience. His work spans machine learning, autonomous systems, reinforcement learning, and AI-driven procurement intelligence.

    This episode goes far beyond surface-level AI discussions. Together, we unpack:

    • How AI models are actually built
    • Why data quality determines everything
    • How algorithms, training, and evaluation really work
    • Where the biggest hidden enterprise risks live
    • Why “AI inside your organization” does NOT automatically mean it is secure

    We also explore how AI is reshaping procurement decision-making, where organizations are unknowingly exposed through fourth-party AI model dependencies, and why explainability and continuous validation are becoming regulatory and board-level concerns.

    What We Cover in This Episode

    • How AI models, algorithms, and data interact inside enterprise systems
    • The real difference between supervised, unsupervised, and reinforcement learning
    • Why most organizations underestimate AI risk inside their procurement and vendor platforms
    • How training, fine-tuning, retrieval, and model evaluation actually work
    • Why “garbage in, garbage out” is the single biggest AI failure point
    • The hidden fourth-party risk created by outsourced AI models
    • Why explainability remains one of the hardest unresolved challenges in AI
    • How organizations should think about continuous AI testing and performance drift
    • The growing importance of AI bills of materials and model transparency
    • Key public AI risk intelligence sources every risk leader should monitor

    This Episode Is Essential For:

    • Chief Risk Officers (CROs) and Chief Information Officers (CIOs)
    • Chief Procurement Officers and Strategic Sourcing Leaders
    • Third-Party Risk and Vendor Risk Management Professionals
    • Cybersecurity, Data Governance, and Model Risk Teams
    • Compliance Leaders preparing for AI regulatory expectations
    • Executives evaluating AI-enabled procurement and vendor platforms

    🎧 Enjoying the podcast?
    Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com

    📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd.

    📬 Have a question or topic you'd like us to cover?
    Email us at: info@thirdpartyriskinstitute.com

    55 mins
  • The Most Overlooked Risks in Third-Party Relationships — Third Party Risk Reality Check
    Nov 13 2025

    In this episode of The Third Party Risk Institute Podcast, we sit down with Kenia Sposito, Head of Operational Risk at BNP Paribas Canada, for a deep dive into how one of the world’s largest and most complex banks approaches third-party and fourth-party risk. With more than 12 years at BNP Paribas and experience spanning JP Morgan, Crédit Agricole, and global markets operations, Kenia offers a grounded, inside view of what it truly takes to oversee operational risk across multiple jurisdictions, regulatory regimes, and shared-services operating models.

    Kenia shares how BNP Paribas Canada serves as a major service hub for the Americas, why third-party risk is fundamentally a “team sport,” and how global institutions harmonize risk expectations from Canada’s OSFI B-10 to Europe’s DORA to U.S. supervisory requirements. She also breaks down the realities of managing affiliate risk, understanding data flows, responding to incidents, and keeping the business aligned with operational risk expectations without slowing down delivery.

    What we cover in this episode:
    • Why operational risk, third-party risk, privacy, cybersecurity, compliance, and legal must work as a unified ecosystem
    • How BNP Paribas evaluates affiliate-delivered services and why internal shared services still count as third parties under regulation
    • The difference between spend, risk, and operational dependency, and why most organizations mix them up
    • Why data flow risk is one of the most misunderstood areas in vendor oversight
    • How global banks reconcile prescriptive frameworks like EU DORA with principles-based guidance such as OSFI B-10
    • What meaningful fourth-party oversight actually looks like in practice
    • Why culture, transparency, and responsiveness matter just as much as controls in a third-party relationship
    • How operational risk leaders balance independence, efficiency, and business partnership

    You’ll walk away with practical guidance on:
    • Segmenting third parties using operational dependency instead of generic “criticality” labels
    • Assessing affiliate risk and building a consistent view of controls across internal and external service providers
    • Applying smarter due diligence by focusing on the pillars that actually matter: data use, access, security, and resilience
    • Creating repeatable governance for tracking fourth parties and identifying when they pose material risk
    • Designing escalation paths and decision frameworks that help business leaders make truly risk-informed decisions
    • Strengthening resilience by learning from incidents and adapting processes rather than “checking boxes”
    • Using negative news monitoring, financial health checks, and cyber posture metrics for high-risk fourth parties

    This episode is perfect for:
    • CROs, Operational Risk Leaders, and Senior Risk Managers in global financial services
    • Third-Party Risk, Vendor Management, and Procurement professionals
    • Compliance, Data Privacy, Cybersecurity, and Governance teams
    • Anyone responsible for building resilient, multi-jurisdictional risk frameworks
    • Practitioners navigating DORA, OSFI B-10, U.S. Interagency Guidance, or other regulatory expectations


    55 mins
  • Third Party Risk Beyond Vendors: Operational Resilience with Matthew Moore
    Oct 30 2025

    In this episode of The Third Party Risk Institute Podcast, we sit down with Matthew Moore, Director of Operational Risk at Barclays Bank in New York, to explore the complexities of third-party risk management beyond traditional vendor oversight. With more than two decades of global experience in operational risk across investment banking and capital markets, Matthew offers a rare insider’s view on managing systemic dependencies, non-vendor third parties, and regulatory expectations.

    Drawing on his role overseeing operational risk for Barclays’ U.S. markets, Matthew explains why financial market infrastructures (FMIs), clearinghouses, and mandated service providers represent some of the most critical and misunderstood third-party relationships. He highlights how a principles-based approach to risk, coupled with resilience planning, is essential to protecting organizations when concentration risks and outages occur.

    What we cover in this episode:
    • The difference between vendor vs. non-vendor third parties and why both require tailored oversight
    • How CCPs, FMIs, and exchanges create systemic dependencies for banks and other financial institutions
    • The challenges of applying traditional due diligence when third parties set the rulebook, not the bank
    • The role of scenario analysis and resilience playbooks in addressing outages and concentration risk
    • Global regulatory expectations, from U.S. Interagency Guidance to UK PRA outsourcing rules to EU DORA
    • Why operational risk teams must balance independence with collaboration to drive better business outcomes

    You’ll walk away with practical guidance on:
    • Designing third-party frameworks that flex between vendor and non-vendor relationships
    • Building resilience through updated playbooks, outage planning, and scenario exercises
    • Using industry forums, governance committees, and public disclosures to bridge information gaps
    • Creating transparency in risk reporting, escalation, and board-level decision making
    • Recognizing when concentration risks demand alternative providers, and when they don’t exist

    This episode is perfect for:
    • CROs, Heads of Operational Risk, and Risk Managers in banking and financial services
    • Third-Party Risk, Procurement, and Vendor Management Leaders
    • Compliance, Audit, and Governance Professionals facing regulatory scrutiny
    • Anyone looking to understand how operational resilience and systemic dependencies intersect with third-party risk


    57 mins
  • Black Box AI: Due Diligence Questions Every Risk Leader Must Ask
    Oct 16 2025

    In this episode of The Third Party Risk Institute Podcast, we tackle one of the most urgent challenges in risk management today: artificial intelligence entering your organization through third-party vendors. AI promises efficiency and insights, but behind the buzzwords lie hidden risks that can compromise compliance, trust, and resilience.

    We break down the building blocks of AI (data, algorithms, and infrastructure) to show you where vulnerabilities really start, and how to ask the right due diligence questions before onboarding an “AI-powered” vendor. From model drift and explainability gaps to cloud concentration and fourth- and fifth-party dependencies, this episode arms you with the literacy needed to separate hype from reality.

    What we cover in this episode:
    • The “black box” problem in AI and why explainability is a regulatory must-have
    • Key risks in data provenance, model drift, adversarial attacks, and bias amplification
    • How hyperscale cloud reliance creates hidden concentration risk for enterprises
    • The overlooked fourth- and fifth-party risks in AI supply chains
    • Practical due diligence questions to embed in RFPs and vendor questionnaires
    • How regulators from the EU AI Act to U.S. financial agencies are already shaping expectations

    You’ll walk away with practical guidance on:
    • Identifying red flags in vendor claims about AI
    • Shifting from one-time reviews to continuous monitoring of AI vendors
    • Embedding AI-specific obligations into contracts, including audit rights and incident reporting
    • Building functional literacy so you can challenge vendors and protect your organization

    This episode is perfect for:
    • Third-Party Risk Management, Procurement, and Compliance Leaders
    • CROs, CISOs, and Risk Executives navigating AI-driven vendor ecosystems
    • Internal Audit, Legal, and Governance Professionals under regulatory pressure
    • Anyone seeking to translate AI complexity into concrete risk oversight


    17 mins
  • Global Insights on Internal Audit, Risk Culture, and Third Party Accountability
    Oct 1 2025

    In this episode of The Third Party Risk Institute Podcast, we sit down with Shagen Ganason, Group Chief Auditor at Levera Group, to explore the evolving role of internal audit, the impact of regulatory diversity, and why third-party accountability can never be outsourced. With over 30 years of leadership experience across insurance, banking, aviation, manufacturing, and the public sector, and having worked in seven countries, Shagen brings a rare global perspective to audit, risk, and governance.

    Drawing on his books The Storyteller’s Ledger and The Auditor’s Secret Weapon, Shagen shares how communication, storytelling, and cultural adaptability are becoming essential skills for auditors and risk leaders. He also highlights why regulators in regions like the GCC are moving fast on cybersecurity, outsourcing oversight, and financial crime risks, and what that means for boards and executives.

    What we cover in this episode:
    • The three dimensions of modern internal audit: assurance, advisory, and strategic oversight
    • How principles-based vs. prescriptive regulations shape audit and compliance practices across countries
    • Building resilience through risk culture, and why it looks different in New Zealand, Korea, and the Middle East
    • The link between risk appetite and corporate strategy, and how boards translate it into actionable decisions
    • Concentration risk, fourth-party dependencies, and why cloud reliance creates hidden exposures
    • Why accountability for third-party risk can never be outsourced, and how boards and auditors should address it

    You’ll walk away with practical guidance on:
    • Communicating audit findings through storytelling that sticks and drives action
    • Aligning audit plans with organizational strategy and risk appetite
    • Building credibility and independence while maintaining strong business relationships
    • Understanding how regulatory diversity and cultural context influence governance effectiveness

    This episode is perfect for:
    • Chief Audit Executives, CROs, and Board Members
    • Internal Audit, Compliance, and Risk Professionals
    • Procurement and Vendor Risk Leaders facing regulatory scrutiny
    • Anyone looking to strengthen their understanding of risk culture, assurance, and third-party accountability


    57 mins