AI in Procurement Is Accelerating. The Compliance Infrastructure to Support It Isn’t.

June 24, 2026 Uncategorised Emily Devereux

There is a gap opening up in the enterprise AI market, and most procurement and compliance leaders haven’t spotted it yet.

AI in procurement is no longer experimental. Across source-to-pay, finance, and third-party risk, vendors are shipping AI capabilities at pace: conversational interfaces, workflow automation, spend analytics, supplier monitoring. The market is moving fast, and the pressure on compliance and procurement teams to adopt is real.

But The Hackett Group’s 2026 AI Solution Providers report, a structured survey of 65 enterprise software providers conducted in late 2025, reveals something that should give compliance leaders in regulated industries pause. The market racing toward AI-powered procurement is, by its own admission, building technical capability faster than it is building the governance foundations required to deploy it responsibly.

For organisations navigating DORA, the EU AI Act, EBA third-party risk guidelines, or supply chain due diligence obligations, that gap is not a future concern. It is a present-tense risk hiding inside vendor sales decks that lead with capability and bury governance in a roadmap slide.

Three data points from the Hackett research tell the story.

Compliance is now the #1 rising topic in AI procurement. The market is finally catching up to what regulated industries have always known.

The Hackett report includes a keyword analysis tracking how enterprise software providers describe their AI capabilities, comparing 2024 and 2025 narratives. “Compliance” recorded the second-largest year-on-year increase of any term, up 49 points, moving from a background theme to one of the defining topics in how vendors position their AI.

This is not a surprise to anyone who has spent time in procurement or third-party risk management in a regulated industry. Compliance has always been the job. What’s changed is that the rest of the market is finally saying so out loud.

But there is a meaningful difference between compliance as a marketing theme and compliance as a design principle. The report draws the distinction clearly, noting a shift in vendor positioning from “general risk visibility toward embedded compliance controls within operational workflows.” Earlier AI compliance software descriptions emphasised monitoring: surfacing risk indicators, flagging anomalies, generating alerts. More recent positioning describes compliance logic that activates within execution: invoice coding validation, expense policy enforcement, AP compliance checks, fraud detection built into the transaction itself.

That shift in language reflects a genuine maturation in thinking. A monitoring layer tells you when something went wrong. An embedded compliance control prevents it from completing, or routes it correctly before it creates exposure. For procurement leaders operating in regulated environments, the distinction is not semantic. It is the difference between a compliance function that reports and one that enforces.

The problem is that for many vendors, the shift in language has outpaced the shift in architecture. Compliance is the trending topic. The platforms claiming it as a priority were not all built with compliance as a founding constraint. For buyers evaluating AI compliance software, the right question is not whether a vendor has compliance in their messaging. In 2026, they all do. The right question is where in the workflow compliance logic actually sits: upstream, embedded in the decisions that matter, or downstream, reviewing outcomes that have already been reached.

For procurement and compliance leaders in financial services, energy, pharmaceuticals, or any sector facing third-party risk regulation, that question should be the first one on the evaluation list, not the last.

Only 11% of AI Procurement Platforms are truly Agentic-Native. For Third-Party Risk Management, that number explains a lot.

The Hackett report’s breakdown of solution architecture models is one of the most practically useful findings in the research. Providers were asked to classify their overall AI approach:

  • 64% are established SaaS platforms embedding AI capabilities
  • 15% are agentic AI solutions managing data within their own SaaS environment
  • 11% are fully agentic-AI-native solutions operating on customer systems of record
  • 11% offer an agentic workforce model delivering managed services and outcomes

The dominant model, held by nearly two thirds of the market, is an existing SaaS application with AI added. This is not a criticism. It reflects the practical reality of enterprise software development, and for many procurement use cases it is a workable approach. Spend analytics, guided buying, AP automation: these are largely self-contained processes where AI can add value within the boundaries of a single application.

Third-party risk management is not that kind of problem.

TPRM is continuous, cross-functional, and deeply interconnected. A supplier’s risk profile at onboarding is not the same as their risk profile eighteen months into a live contract. A change in their financial stability has implications for open contractual obligations, pending renewals, regulatory exposure, and escalation paths. The data that drives effective third-party risk management software lives across ERP systems, contract repositories, supplier portals, external risk feeds, and regulatory databases, and the relationships between that data shift constantly.

An AI capability built inside a single-module SaaS platform can optimise the tasks within that module. What it cannot do is reason across the full third-party lifecycle in context, connecting a monitoring signal to a contractual obligation to a regulatory deadline to the right human action, automatically, without requiring someone to manually triangulate across systems.

That is what agentic AI procurement architecture is actually for. The chatbot interface is not the differentiator: 74% of providers already have basic conversational agents in production, and that capability has become table stakes. The meaningful differentiation is whether the underlying platform is designed to support connected reasoning across the full supplier lifecycle, or whether agentic capabilities are being layered onto a data model that was never built for cross-functional orchestration.

The Hackett report is measured in its language here, noting that “fully agentic architectures and AI workforce models are emerging, but they remain a minority approach across the provider landscape.” But it also draws the implication clearly: organisations evaluating AI solutions “must first understand the solutions’ underlying architecture and how they will evolve.”

For third-party risk leaders, this is the evaluation question that the 64% majority of the market would prefer you didn’t ask. An AI feature added to a supplier management module is not the same as a platform built to manage the interconnected risk, compliance, and contractual dimensions of third-party relationships from the ground up. The 11% figure tells you how rare the latter actually is.

Brooklyn Solutions sits in that minority. Our platform connects CLM, Supplier Experience Management, Third-Party Risk Management, and GRC not as separate modules with integration points, but as a unified data environment where a change in any dimension (a supplier’s risk score, a contract clause, a regulatory threshold) propagates across the full picture. That architecture is not a roadmap commitment. It is how the platform was built, because it is the only architecture that makes AI genuinely useful for the compliance and risk problems our customers are trying to solve.

Governance Is the Most Underbuilt Layer in Enterprise AI. For Regulated Industries, That Is the Gap That Will Cause Real Damage.

The third finding from the Hackett research is the one that should concern compliance leaders most directly, and it is the one least likely to appear prominently in a vendor’s sales materials.

The report evaluates provider maturity across the foundational layers required to operate AI effectively in an enterprise context: technology, agentic capability, governance, people, and strategic alignment. The technology layer scores highest: 70% of providers report full built-in support. Governance scores significantly lower. Only 50% of providers report full built-in support at the governance layer, with 27% offering only partial enablement through configuration or add-on capabilities.

The report’s interpretation is direct: “Technical AI capabilities are developing faster than enterprise-wide readiness in governance, people’s enablement and strategic integration.”

This is the pattern that has characterised every major wave of enterprise technology adoption. Capability arrives first. Governance follows. For most software categories, the lag is manageable. Organisations adopt incrementally, governance frameworks mature alongside the technology, and the gap closes before it causes serious harm.

For organisations deploying AI in regulated procurement and third-party risk contexts, the sequencing cannot work that way. DORA requires financial entities to document ICT third-party dependencies, conduct structured risk assessments, demonstrate operational resilience, and maintain oversight and exit capabilities. Regulatory examination dates are not waiting for vendor roadmaps. The EU AI Act introduces transparency, human oversight, and explainability requirements for AI systems deployed in high-risk contexts; these are conditions of deployment, not aspirational future states. Supply chain due diligence legislation across multiple jurisdictions requires organisations to demonstrate not just that third-party risk management is happening, but that it is happening to a documented and auditable standard.

An AI platform with governance as a configuration option or an add-on capability is not deployable in these contexts without significant additional work. That work typically falls to the compliance team, not the vendor. A 50% governance readiness rate across the market means that roughly half of the AI procurement platforms currently being sold to regulated industries require their buyers to build the governance layer themselves.

This is where the compliance-as-trending-topic problem becomes concrete. Vendors have updated their messaging to lead with compliance. A significant portion

The Gap the Hackett Data Exposes Is Real, and It Is Widening

Compliance is the fastest-rising priority in AI procurement. The majority of platforms claiming it as a priority were not built with compliance as a founding constraint. Truly Agentic-Native architecture, the kind required to support connected reasoning across the third-party lifecycle, represents 11% of the market. Governance, the layer that makes AI deployable in regulated environments, is fully built in at only half of providers.

For procurement and compliance leaders in regulated industries, these are not abstract market observations. They are a description of the evaluation problem you are facing: a market where capability messaging has outrun architectural reality, and where the gap between the two is most consequential for exactly the organisations most likely to be buying.

The right response is not to slow down on AI adoption. The capability gains available in third-party risk management, contract intelligence, supplier monitoring, and compliance workflow automation are real, and the competitive and regulatory pressure to capture them is not going away. The right response is to ask harder questions earlier in the evaluation process: about architecture, about governance readiness, and about where compliance logic actually sits in the platform you are being sold.

Brooklyn Solutions was built to answer those questions directly. We would welcome the opportunity to show you how.
