The rise of AI services, rapid software updates and unseen third-party data flows is exposing the limits of annual vendor reviews and static security attestations.