
Vanta’s 2025 State of Trust report paints a rather clear (and probably not surprising) picture: Risk is surging, expectations are higher than ever, and AI – especially agentic AI – is changing the tempo of security and compliance. Business and IT leaders largely agree that trust is no longer a soft value, but a hard requirement for growth. Yet, they also acknowledge a widening execution gap driven by rising threats, stagnant budgets, and heavy proof burdens that keep teams busy showing their work instead of improving their posture. The report’s bottom line is simple but urgent: The shift from optics to outcomes comes by operationalizing continuous, automated trust.
Across industries, leaders report non-stop threat activity and an unprecedented sense of exposure. Nearly three-quarters of security decision-makers now say overall risk has never been higher, up sharply from last year. That anxiety isn’t theoretical, as more organizations are encountering threats on a daily and weekly basis. That pushes teams into perpetual firefighting mode, accelerating burnout. But, while risks climb, budgets aren’t keeping pace, and security captures roughly half of what leaders say is needed – about 10% of IT dollars, compared to the 17% or so they say is needed – leaving an execution shortfall that can’t be closed with headcount alone.
Within organizations, the pressure to prove trust has outstripped the capacity to improve it. Teams now spend about 10 hours each week on compliance mechanics, like policy reviews, evidence collection, and vendor attestations, which amounts to roughly 12 weeks per year. That’s a full week more than last year. The result is what one might call “security theater,” a constant stream of screenshot-centric attestations and one-off auditor requests that look good on paper but don’t actually lower risk. Leaders have recognized this trap and are increasingly reframing trust as a living system of record – one that automates evidence collection, externalizes real-time assurances, and turns compliance from a periodic event into an always-on capability.
Agentic AI sits at the center of both the problem and the solution. Adoption has been swift, optimism is not only high but real, and comfort with granting autonomy is surprisingly high. In fact, most companies are comfortable with AI agents in advisory roles, and many would even allow overrides in tightly constrained, reversible scenarios, like isolating hosts during obvious ransomware behavior. At the same time, governance lags. Fewer than half of organizations using agentic AI have formal frameworks to limit or grant autonomy, leaving a gap between what agents can do and what they should do. That gap carries reputational risk, because, without guardrails, agents can exceed scope, disrupt operations, or mishandle sensitive data, eroding the very trust organizations must build and maintain.
Third-party ecosystems compound these dynamics. Even as two-thirds of organizations claim strong visibility into vendor risk, most still spend as much as nine weeks a year on vendor reviews (up from seven weeks a year ago). Despite that effort, vendor incidents are becoming more common, with a majority having experienced a partner breach in the past 6-12 months. More than half terminated a vendor for security reasons during that same period. The implicit lesson is that point-in-time diligence can’t keep pace with dynamic risk. Continuous assurance – live control monitoring, automated evidence exchange, and policy-driven failsafes that can narrow scope or pause data flows when controls degrade – is needed and should replace annual questionnaires if trust and reputation are to be truly solidified.
Collectively, the report’s findings – rising risk, flat budgets, compliance drag, high AI adoption with low control, and expanding third-party exposure – point toward a logical path forward. First, treat trust like a product, with a roadmap, SLAs, and a public interface (a trust center) that surfaces real-time control health to customers (and auditors). Second, codify autonomy tiers for agentic AI (e.g., observe, recommend, act with rollback, and act without rollback), with clear criteria for when and how agents may cross tiers. Third, move compliance from a document workflow into a control plane, using machine-verifiable signals and evidence pipelines that can be reused across frameworks, so teams spend less time proving and more time hardening their trust and security posture.
Customers and stakeholders want verified, near-real-time proof of security and compliance, not just promises. Organizations that build trust into their controls, their AI, and their supply chains will shorten deal cycles and differentiate in their competitive markets. Those that cling to manual attestations and fragmented governance will spend more time, resources, and budget every year and, ultimately, will still feel less secure. The winners will be those businesses that show their posture continuously and govern AI confidently.
For MSPs, there’s a growth play here, if they turn trust from a paperwork burden into a productized service their clients can buy, measure, and renew. That means packaging continuous control monitoring, automated evidence pipelines, and a public-facing trust center as a managed offering. That way, customers can answer security questionnaires in days instead of weeks, pass audits with machine-collected proof, and show their own buyers live posture signals. They can then tie this to outcomes and SLAs (time-to-questionnaire, % controls continuously monitored, MTTR, vendor issue containment time), and price it as a tiered “Trust Operations” bundle that scales by automation, not headcount.
MSPs can also layer in a second growth vector around agentic AI and third-party risk by offering an “AI Readiness & Governance” package that installs autonomy tiers, immutable logging, and rollback playbooks, paired with co-managed MDR/XDR where agents handle reversible tasks under guardrails. On the supply-chain side, they can sell “Continuous TPRM” that ingests vendor control feeds, auto-narrows data scope when a signal degrades, and pauses risky integrations with a single click. The combination of managed trust operations, governed AI, and live third-party assurance accelerates new customer wins, increases ARPU, and improves retention. It’s a win-win proposition.
Edited by
Erik Linask