22 seeded vendors scored on security posture, financial health, concentration risk, and data sensitivity. The composite drives the review queue. Critical vendors automatically require quarterly review; low-risk vendors review annually.