Something significant is shifting in how law firms govern vendor relationships. Procurement is increasingly reporting to the Office of the General Counsel, a structural change that reflects how seriously firms now view vendor risk. But responsibility and capability don't always arrive together. Many legal teams find themselves accountable for a vendor ecosystem they don't yet have the tools, processes, or bandwidth to manage with confidence.
The result is a vendor risk function that is structurally reactive. Risk assessments, when they happen at all, typically begin after a vendor has been selected, sometimes after work has already started. Most firms can only scrutinize a fraction of their vendor landscape at any given time. The consequence isn't just exposure to bad actors. It's that firms routinely miss better-aligned, lower-risk alternatives — undermining the very objectives procurement exists to serve.
Meanwhile, the external environment isn't waiting for firms to catch up. Clients are demanding demonstrable oversight. Regulators are raising the bar on compliance, cybersecurity, and data governance.
The standard is no longer a robust risk program — it's a proactive one, capable of surfacing exposure before it becomes a liability.
These pressures are converging at a time when law firms can least afford blind spots. Below are five categories of risk that remain consistently under-managed – and increasingly consequential.
This is Part 2 of Harbor's four-part 2026 Procurement Priorities series, exploring the three core themes from our Law Firm Procurement Annual Report. If you missed Part 1, start here. Next up: why operational process improvement has become procurement's most underleveraged advantage.
Five Types of Undermanaged Risk
1. AI governance, ethical and regulatory risk
The AI governance problem isn't that firms don't see the risk — 91% of firms in our survey expressed concerns about AI's compliance with security and privacy practices, and 87% are uncertain about the accuracy of AI-generated outputs. The problem is that awareness hasn't translated into action. Governance frameworks are lagging behind adoption, and the gap is widening.
Procurement teams often lack the technical fluency and early involvement needed to assess risks, leaving firms exposed to issues like data leakage, biased outputs, and regulatory non-compliance.
At the same time, vendors are embedding AI into their own platforms – often without sufficient transparency. With limited visibility into how these models are trained, governed or deployed, firms risk inadvertently compromising client confidentiality, particularly if sensitive data is processed through models lacking proper isolation or data handling protocols.
In the absence of AI-specific due diligence, embedded technologies don't just introduce risk; they become the vector through which reputational, legal, and compliance failures travel. And because the exposure is invisible until something goes wrong, it's the category most likely to catch firms off guard.
What to do about it
To mitigate these risks, firms must embed governance into procurement workflows and vendor agreements with precision. This begins by incorporating AI-specific provisions into intake questionnaires and contract templates – mandating transparency around model training data, algorithmic updates, and usage restrictions for high-risk applications.
Firms should also require vendors to disclose governance documentation, including bias mitigation protocols, privacy safeguards, and auditability standards. Procurement teams should proactively manage vendor risk using a centralized risk registry with risk ratings based on vendor criticality, exposure to sensitive data, and regulatory alignment. Cross-functional collaboration with legal, IT, and compliance is essential to ensure that AI tools meet firm-defined thresholds for ethical use and operational integrity.
Additionally, it is important for firms to conduct periodic reviews of vendor AI deployments, leveraging third-party audits where necessary to validate claims and ensure continued compliance. By operationalizing these safeguards, procurement can shift AI oversight from reactive to proactive – ensuring that innovation does not outpace accountability.
Our view: AI governance should be treated as a vendor contract issue, not just a technology policy issue. The firms getting this right are the ones writing AI-specific obligations into agreements before the tool goes live — not scrambling to add them after a client raises a concern.
2. Cybersecurity risk amplified by vendor ecosystems
Law firms increasingly rely on a growing network of third-party vendors – from cloud-based document management systems (DMS) to e-Discovery platforms and collaboration tools. While these technologies offer efficiency and scalability, most firms lack the capacity and know-how to continuously monitor these vendors' security posture.
Risk assessments are often static and narrowly focused, conducted only at onboarding, and rarely updated as vendors change, increasing the firm's exposure level over time.
These blind spots can lead to data breaches, unauthorized access to client information such as trade secrets and merger and acquisition strategies, and increased exposure to ransomware attacks. Vendors without robust security certifications – such as SOC 2 or ISO 27001 – or breach response protocols can become weak links in the firm's defense.
Overcoming cybersecurity risk
Cybersecurity is a defensive sport, requiring vigilance, expertise, and multi-faceted approaches. It is a dynamic, continuously monitored risk – not a one-time compliance exercise. This requires deploying automated monitoring tools that track vendor security posture in real time and integrating breach alerts into procurement workflows. Contracts should mandate compliance with recognized standards such as SOC 2 Type II or ISO 27001, include breach notification timelines, and grant audit rights for verification. Procurement teams should partner with IT and InfoSec to conduct periodic penetration tests and breach simulations with critical vendors, ensuring incident response readiness.
A centralized dashboard consolidating certifications, risk scores, and remediation timelines enables firms to prioritize high-risk vendors and enforce accountability. By embedding these measures, cybersecurity becomes a dynamic safeguard – aligned with evolving threats and firm-wide protection strategies.
Here's the uncomfortable truth: a single vendor without SOC 2 Type II certification, sitting in your supply chain with access to client data, can undo years of investment in your own security posture. The perimeter is only as strong as the weakest third party inside it.
3. Information governance & emerging data risk
Information governance consistently remains one of the more under-managed risk categories at law firms, particularly as vendor ecosystems grow more complex. Procurement teams often lack visibility into how vendors manage unstructured data across platforms, leading to risks around data retention, defensibility, and jurisdictional compliance. Vendors may store data in multiple geographic regions, use systems built on insecure open-source code, or operate without clear protocols for data preservation and protection.
When left unaddressed, the exposure compounds quietly. Data sprawl, unauthorized access, and regulatory non-compliance are the visible risks. The less visible ones — collaboration metadata, behavioral analytics, and other emerging data types — often fall entirely outside traditional governance frameworks. By the time they surface in a discovery request or audit, the damage is already done.
The firms ahead of this aren't waiting for a discovery crisis to force the issue. They're treating information governance as a vendor selection criterion from the first conversation.
Overcoming emerging data risk
To strengthen information governance, firms must embed structured oversight into procurement processes from the outset. Vendor intake should follow an established, robust onboarding process that catalogs vendor risk profiles, retention and reassessment schedules, and the defensibility protocols required by each jurisdiction. Contracts should formalize these requirements through provisions for legal holds, audit trails, and breach notification obligations.
It’s recommended that procurement teams implement a centralized data governance registry that tracks vendor practices and risk rating, enabling visibility across the vendor ecosystem.
Ongoing collaboration with IT and legal is critical to monitor emerging data types – such as metadata and behavioral analytics – and ensure vendors adhere to evolving regulatory and defensibility standards. By operationalizing these safeguards, firms can reduce exposure to data sprawl, regulatory penalties, and reputational harm while reinforcing client trust.
4. Due diligence gaps in vendor onboarding
Despite their strategic importance and resource-intensive nature, risk assessments are often delayed until after award or invoice receipt, leaving risk and procurement teams with limited influence over critical decisions.
Many firms still rely on manual intake processes, lack centralized systems, and assess only a small subset of the vendor landscape due to resource constraints and process inefficiencies. Typically, risk evaluation focuses narrowly on cyber hygiene or financial credit status alone, omitting other categories including regulatory, cyber, ESG, adverse media, and more.
Late-stage reviews don't just increase exposure; they eliminate leverage. By the time procurement is formally involved, commercial momentum has already built, the relationship has social capital behind it, and walking away or renegotiating terms carries real cost. The risk isn't only regulatory. It's that firms lock themselves into vendors who were never the right fit.
Without early-stage reviews, vendor selection can be misaligned with firms’ risk appetite and/or short-to-long-term goals, resulting in operational inefficiencies, costly reworks, and reputational exposure.
Closing the due diligence gaps
To address these risks, firms must modernize intake processes and embed risk evaluation at the earliest stages of vendor engagement. This begins with implementing a centralized onboarding platform that automates risk scoring across multiple dimensions – regulatory, cybersecurity, ESG, financial stability, and reputational exposure.
Standardized questionnaires and compliance checks should be integrated into intake workflows, supported by a vendor risk registry that consolidates documentation, ratings, and review timelines. Contracts must reflect these assessments through clauses addressing sanction compliance, anti-bribery obligations, and data privacy standards. Embedding legal, IT, and compliance stakeholders early ensures holistic oversight and alignment with firm risk appetite. Periodic reassessments and continuous monitoring further reduce exposure, transforming onboarding from a transactional process into a strategic safeguard for operational resilience and client trust.
5. Environmental, social, and governance (ESG) and reputational risk
With over 90% of a firm's carbon footprint stemming from its supply chain, ESG is no longer a peripheral concern for law firms. It is central to achieving long-term goals, satisfying client expectations, withstanding regulatory scrutiny, and protecting brand reputation. Yet in most firms we work with, ESG still functions as a compliance checkbox — something addressed reactively when a client asks, rather than embedded proactively into how vendors are selected and managed. Clients are demanding increased transparency around long-term sustainability goals, diversity commitments, and carbon footprint reduction efforts.
Vendors with labor violations or a record of environmental negligence directly damage firm credibility and client relationships. Greenwashing, where vendors claim to maintain ESG standards they do not actually meet, poses a serious reputational threat to firms that rely solely on vendor claims without verification.
Mitigating ESG and reputational risk
To elevate ESG from a compliance checkbox to a strategic imperative, firms must embed sustainability and ethical standards into every stage of vendor engagement. Procurement should incorporate ESG criteria into selection workflows, requiring vendors to provide verifiable certifications such as ISO 14001 and evidence of diversity and labor compliance.
Establishing an ESG scorecard enables firms to assess vendor performance against measurable goals, including carbon reduction targets and supplier diversity benchmarks. Beyond verification, firms should collaborate with vendors on joint initiatives – such as emission reduction programs or inclusive sourcing strategies – to drive tangible outcomes. Regular audits and transparent reporting to clients reinforce accountability and mitigate reputational risk. By operationalizing these measures, firms can align procurement with long-term sustainability goals while strengthening client trust and competitive positioning.
The reputational math here is asymmetric. A vendor's labor violation or greenwashing claim becomes your story just as quickly as it becomes theirs.
Why Proactive Oversight Now Matters
None of these five risks are new. What's new is the cost of leaving them unmanaged. As the vendor ecosystem grows more complex and client expectations rise, the gap between firms with proactive oversight programs and those still running reactive checklists will become visible — in audit findings, in client conversations, and eventually, in competitive standing.
The firms we see pulling ahead share one characteristic: they stopped treating vendor risk management as a procurement function and started treating it as a firmwide governance capability. That shift — from process to program, from reactive to embedded — is what separates manageable risk from consequential exposure.
If you'd like to discuss where your firm stands on any of these dimensions, reach out to Todd Campbell, Director of Vendor Onboarding and Risk Management at [email protected] or download the full 2026 Procurement Priorities Report for the complete picture.
Next in this series: Why operational process improvement has become procurement's most underleveraged competitive advantage — and what the firms getting it right are doing differently.