diff --git a/apps/api/src/vendors/vendors.service.ts b/apps/api/src/vendors/vendors.service.ts
index ae1a2acb3..755e44541 100644
--- a/apps/api/src/vendors/vendors.service.ts
+++ b/apps/api/src/vendors/vendors.service.ts
@@ -600,9 +600,13 @@ export class VendorsService {
 ) {
 try {
 // First check if the vendor exists in the organization
- await this.findById(id, organizationId);
+ const existing = await this.findById(id, organizationId);
 
- if (updateVendorDto.assigneeId) {
+ // Only validate assignee when it's actually changing
+ if (
+ updateVendorDto.assigneeId &&
+ updateVendorDto.assigneeId !== existing.assigneeId
+ ) {
 await this.validateAssigneeNotPlatformAdmin(updateVendorDto.assigneeId, organizationId);
 }
 
diff --git a/apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts b/apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts
index e1aa5776b..f33fd95e9 100644
--- a/apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts
+++ b/apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts
@@ -44,12 +44,19 @@ export const generateVendorMitigation = task({
 
 await createVendorRiskComment(vendor, policies, organizationId, authorId);
 
- // Mark vendor as assessed and assign to owner/admin
+ // Mark vendor as assessed and assign to author (unless they're a platform admin,
+ // since platform admins are hidden from the assignee UI and would block future updates)
+ const author = await db.member.findFirst({
+ where: { id: authorId, organizationId },
+ include: { user: { select: { role: true } } },
+ });
+ const assigneeId = author?.user.role === 'admin' ? null : authorId;
+
 await db.vendor.update({
 where: { id: vendor.id, organizationId },
 data: {
 status: VendorStatus.assessed,
- assigneeId: authorId,
+ assigneeId,
 },
 });
 
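Review bot: The new comment above the guard in `vendors.service.ts` says when validation runs but not why skipping it is safe, so a later reader may take the skip for a gap in the platform-admin rule. I would expand it to `// Skip re-validation for an unchanged assignee: a vendor already assigned to a platform admin would otherwise reject every update; any change of assignee is still validated.` The comparison depends on `findById` returning `assigneeId`; if it ever returns a projection without that field, `existing.assigneeId` is undefined and the check always runs, which fails closed, and a unit test for the changed and unchanged cases would pin that. The method body starts and ends outside this hunk, so whether the read and the later write share a transaction cannot be judged from here.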
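Review bot: When `db.member.findFirst` returns null in `generate-vendor-mitigation.ts` (no member with `authorId` in this organization), `author?.user.role` is undefined, so the ternary falls through to `authorId` and the vendor is assigned to an id that was never confirmed to belong to `organizationId`. The old code assigned `authorId` unconditionally too, but now that the lookup exists it should fail closed: `const assigneeId = author && author.user.role !== 'admin' ? authorId : null;`. The literal `'admin'` presumably mirrors the rule that `validateAssigneeNotPlatformAdmin` enforces in the API service, and a short comment naming that function would help keep the two in step. Writing `assigneeId: null` also clears any assignee the vendor already had, so confirm that is intended for re-runs of the task. The task body starts and ends outside this hunk.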