Treat the third party as part of the identity model, not as an external exception. Scope its access to the minimum operational task, review what it can initiate or approve, and require explicit offboarding when the service relationship changes. If the provider can touch value, the lifecycle controls must be as strict as for any other high-risk identity.
Why This Matters for Security Teams
Digital-asset custody becomes materially harder the moment a third party can sign, move, approve, or recover value on behalf of the organisation. That provider is not just a vendor account holder; it is part of the trust boundary and must be governed as a high-risk non-human identity. Current guidance suggests treating the provider’s permissions, secrets, and approval paths as lifecycle-managed identity controls, not a procurement afterthought.
This matters because custody failures usually begin with overbroad access, weak offboarding, or opaque delegated workflows. NHI Management Group’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives notes that 92% of organisations expose NHIs to third parties, which turns vendor access into a supply chain issue rather than a narrow admin problem. The same pattern is visible in broader NHI research and in standards such as the NIST Cybersecurity Framework 2.0, which emphasises governance, risk, and access control across all identities.
In practice, many security teams discover custody exposure only after a vendor relationship changes, not through intentional access review.
How It Works in Practice
Security teams should map third-party custodians to the exact actions they can perform, then constrain those actions to the smallest viable operational scope. That includes distinguishing read-only monitoring, transaction preparation, policy approval, recovery, and emergency intervention. If a provider can initiate a transfer, that capability should be explicitly approved, logged, time-bounded, and tied to an accountable owner. The control model is closer to privileged identity governance than to ordinary vendor management.
Use lifecycle controls that mirror high-risk NHI handling: issue only the minimum credentials needed, rotate them on a defined schedule, and revoke them immediately when the relationship, contract, or role changes. The OWASP Non-Human Identity Top 10 is useful here because it frames credential exposure, weak rotation, and over-privilege as repeatable failure modes. Where custody systems support it, prefer short-lived access, just-in-time approval, and workload-scoped tokens over standing secrets. NHI Management Group’s Lifecycle Processes for Managing NHIs aligns with that operational approach: define issuance, review, rotation, and offboarding as mandatory controls, not optional hygiene.
- Bind each third party to a named business purpose and a narrow custody function.
- Separate initiate, approve, and recover permissions so one provider account cannot do all three.
- Require logging on every value-moving action, including failed attempts and policy overrides.
- Revoke access on contract end, incident response, or role change without waiting for manual cleanup.
These controls tend to break down in multi-jurisdiction custody platforms where emergency approval paths, subcontractors, and shared operational consoles make ownership and revocation ambiguous.
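As an added example (not code from the page or from NHI Management Group), the controls in the list above expressed as policy-as-code: a small Python model in which every third-party grant is bound to a named purpose, an accountable owner and an expiry, no single provider account can hold initiate, approve and recover together, every value-moving attempt is logged whether allowed or denied, and revocation removes all of a provider's grants at once. The vendor account name, the 8-hour window and the fixed clock are constructed for the walk-through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INITIATE, APPROVE, RECOVER = "initiate", "approve", "recover"
VALUE_MOVING = frozenset({INITIATE, APPROVE, RECOVER})  # never all three on one account
@dataclass
class Grant:
    principal: str       # the third party's non-human identity
    purpose: str         # named business purpose the access is bound to
    actions: frozenset   # narrow custody function(s) granted
    owner: str           # accountable internal owner
    expires: datetime    # every grant is time-bounded, emergency ones included

class CustodyPolicy:
    def __init__(self, clock):
        self.clock, self.grants, self.log = clock, [], []  # log keeps denials too
    def add_grant(self, grant):
        # Separation of duties is checked across every live grant of the principal.
        held = {a for g in self.grants if g.principal == grant.principal for a in g.actions}
        if held | grant.actions >= VALUE_MOVING:  # refused grants are logged as well
            self.log.append((self.clock(), grant.principal, "grant", "refused"))
            return False
        self.grants.append(grant)
        return True
    def revoke(self, principal, reason):
        # Contract end, incident response or role change removes every grant at once.
        self.grants = [g for g in self.grants if g.principal != principal]
        self.log.append((self.clock(), principal, "revoke", reason))
    def authorize(self, principal, action):
        now = self.clock()
        ok = any(g.principal == principal and action in g.actions and g.expires > now for g in self.grants)
        if action in VALUE_MOVING:  # every value-moving attempt is logged, denied or not
            self.log.append((now, principal, action, "allowed" if ok else "denied"))
        return ok

def run_scenario():
    t = [datetime(2024, 1, 1, 9, tzinfo=timezone.utc)]  # constructed fixed clock
    policy = CustodyPolicy(lambda: t[0])
    policy.add_grant(Grant("vendor-a-svc", "settlement prep", frozenset({INITIATE, APPROVE}),
                           "treasury-lead", t[0] + timedelta(hours=8)))  # constructed names
    sod_blocked = not policy.add_grant(Grant("vendor-a-svc", "recovery", frozenset({RECOVER}),
                                             "treasury-lead", t[0] + timedelta(hours=1)))
    in_window = policy.authorize("vendor-a-svc", INITIATE)
    t[0] += timedelta(hours=9)  # the 8-hour window has passed
    after_expiry = policy.authorize("vendor-a-svc", INITIATE)
    policy.revoke("vendor-a-svc", "contract end")
    after_revoke = policy.authorize("vendor-a-svc", APPROVE)
    return {"sod_blocked": sod_blocked, "in_window": in_window, "after_expiry": after_expiry,
            "after_revoke": after_revoke, "denials": sum(e[3] == "denied" for e in policy.log)}
```

The audit log produced by `run_scenario()` records the issued grant, the refused third capability, the allowed transfer, the two denied attempts and the revocation, which is the evidence trail the bullet list asks for.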
Common Variations and Edge Cases
Tighter custody controls often increase operational friction, so organisations have to balance speed against assurance. That tradeoff is especially visible when a provider claims it needs standing access for incident response or market-hours support. Current guidance suggests allowing exceptions only when they are time-limited, documented, and independently reviewable, because permanent emergency access quickly becomes ordinary access in practice.
One common edge case is delegated custody through API integrations rather than interactive admin portals. Those integrations can hide the real identity chain, so the team may think it is managing one vendor when it is actually managing several downstream identities. Another edge case is shared signing infrastructure, where multiple providers contribute to a single approval flow. In those environments, control evidence must show who can initiate, who can approve, and who can override. The breach patterns catalogued in the 52 NHI Breaches Report and the Top 10 NHI Issues both show that the real failure is usually governance drift, not a single technical mistake. In maturity terms, the question is not whether a third party is trusted, but whether its access can be proven, constrained, and removed at the pace the custody risk requires.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Third-party custody depends on controlling long-lived non-human credentials. |
| NIST CSF 2.0 | PR.AC-4 | Third-party access must be limited to authorised, least-privilege custody tasks. |
| NIST AI RMF | | Governance should capture accountability and lifecycle oversight for delegated custody decisions. |
Rotate vendor credentials on a strict schedule and revoke them immediately when custody responsibility changes.