Accountability sits with the organisation that granted the access, because the identity, scope, approval, and review process were under its control. Vendor access must be sponsored, recorded, time-bound, and recertified. If those controls are missing, the breach is a governance failure, not only a vendor failure.
Why This Matters for Security Teams
When a vendor’s access contributes to a third-party breach in manufacturing, the accountability question is usually not about who caused the incident first. It is about who controlled the identity lifecycle, approval path, and access review. That control sits with the organisation that granted the access, especially where vendor sessions are long-lived, over-scoped, or poorly monitored. NHIMG research on non-human identity failures shows how quickly exposed credentials turn into active abuse, with attack windows measured in minutes, not days, once secrets are public.
This is why the issue belongs in governance, third-party risk, and access engineering, not only in procurement. The relevant lesson from the 52 NHI Breaches Analysis is that breach outcomes often follow predictable control gaps, not novel attacker tradecraft. Security teams that treat vendor access as a one-time approval tend to miss the real failure point: no sponsor, no expiry, no recertification, and no reliable evidence trail. In practice, many security teams encounter vendor abuse only after production access has already been reused beyond its intended scope.
How It Works in Practice
Accountability follows the control plane. If the manufacturer issued the access, it owned the identity, the policy, and the oversight that should have limited damage. That means the organisation should be able to show who sponsored the vendor, what systems were approved, when access expires, how privilege is reduced, and how recertification happens. The OWASP Non-Human Identity Top 10 is useful here because it frames the operational risks around over-privileged, poorly governed non-human access.
In a manufacturing environment, the practical controls usually include:
- named business sponsorship for every vendor identity or session
- time-bound access with automatic expiry after the work order closes
- role and task scoping so access maps to a specific plant, line, or system
- JIT approval for elevated actions, especially remote diagnostics or OT tooling
- logging and session recording for privileged vendor activity
- scheduled recertification with evidence of business need
For organisations building stronger identity governance, NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now and Ultimate Guide to NHIs — Key Challenges and Risks reinforce the core point: access that cannot be explained, bounded, and reviewed is already a governance defect. Current guidance suggests that third-party access should be treated as a privileged workload, not a convenience exception. These controls tend to break down where legacy OT systems force shared accounts, or where vendor service windows cannot be tied to individual identities; in both cases attribution becomes ambiguous and the evidence trail weakens.
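The six controls above are only useful if someone checks the inventory against them. The script below is an added example written for this page, not code from NHIMG or OWASP; it audits a constructed list of vendor grants for a missing sponsor, missing or overrun expiry, access that outlives its work order, effective scope wider than the approved plant/line/system paths, standing privilege without JIT approval, missing session recording, overdue recertification, and shared accounts that blur attribution. The record layout, field names, sample grants and the 90-day recertification interval are all assumptions; adapt them to whatever your IAM or PAM export actually contains.

```python
"""Audit a vendor-access inventory against sponsorship, expiry, scoping,
JIT, logging and recertification controls.

Added example for this page, not code from NHIMG or OWASP. The record
layout, field names, sample grants and the 90-day recertification interval
are assumptions; adapt them to the IAM/PAM export you actually have.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RECERT_INTERVAL = timedelta(days=90)  # assumed policy value


@dataclass
class VendorGrant:
    identity: str                      # account or session principal
    sponsor: Optional[str]             # named business sponsor, None if nobody owns it
    approved_scope: set                # plant/line/system paths the sponsor approved
    effective_scope: set               # paths the account can actually reach today
    expires: Optional[date]            # hard expiry; None means standing access
    work_order_closed: Optional[date]  # when the underlying work order ended
    jit_for_privileged: bool           # elevated actions need a fresh approval
    session_recorded: bool             # privileged sessions are logged/recorded
    last_recertified: Optional[date]   # last evidence of business need
    shared: bool = False               # shared/legacy OT account


def covered(path: str, approved: set) -> bool:
    """A path is in scope if it equals an approved path or sits below one."""
    return any(path == a or path.startswith(a + "/") for a in approved)


def audit_grant(g: VendorGrant, today: date) -> list:
    """Return the governance defects for one grant, in a fixed order."""
    findings = []
    if not g.sponsor:
        findings.append("no-sponsor")
    if g.expires is None:
        findings.append("no-expiry")
    elif g.expires < today:
        findings.append("expired-but-active")
    # Expiry must not outlive the work order that justified the access.
    if g.work_order_closed and (g.expires is None or g.expires > g.work_order_closed):
        findings.append("outlives-work-order")
    over = sorted(p for p in g.effective_scope if not covered(p, g.approved_scope))
    if over:
        findings.append("over-scoped:" + ",".join(over))
    if not g.jit_for_privileged:
        findings.append("standing-privilege")
    if not g.session_recorded:
        findings.append("no-session-recording")
    if g.last_recertified is None or today - g.last_recertified > RECERT_INTERVAL:
        findings.append("recertification-overdue")
    if g.shared:
        findings.append("shared-account-attribution-ambiguous")
    return findings


def audit_inventory(grants, today: date) -> dict:
    """Map each identity to its list of findings (empty list means clean)."""
    return {g.identity: audit_grant(g, today) for g in grants}


# Constructed sample inventory (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_GRANTS = [
    VendorGrant("svc-acme-remote", "J. Ortiz",
                {"plant-A/line-3"}, {"plant-A/line-3/plc-12", "plant-A/line-3/hmi-2"},
                date(2025, 6, 10), None, True, True, date(2025, 4, 15)),
    VendorGrant("svc-fastmotors", None,
                {"plant-B/line-1"}, {"plant-B/line-1/drive-7", "plant-B/line-2/drive-1"},
                date(2025, 7, 31), date(2025, 5, 20), False, True, date(2024, 12, 1)),
    VendorGrant("vendor-shared-ot", "M. Chen",
                {"plant-A/line-1/legacy-cnc"}, {"plant-A/line-1/legacy-cnc"},
                None, None, True, False, None, shared=True),
]

if __name__ == "__main__":
    for ident, findings in audit_inventory(SAMPLE_GRANTS, TODAY).items():
        print(ident, "OK" if not findings else "; ".join(findings))
```

Run against the sample inventory, the first grant is clean, the second reports a missing sponsor, an expiry past the closed work order, a drive on a line the sponsor never approved, standing privilege and overdue recertification, and the legacy shared account reports no expiry, no recording, no recertification and ambiguous attribution. Scope is compared by path prefix so an approval for a line covers the devices below it without also covering a neighbouring line.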
Common Variations and Edge Cases
Tighter vendor control often increases operational overhead, requiring organisations to balance plant uptime against evidence quality and privilege reduction. In manufacturing, that tradeoff becomes visible when production support is urgent, a machine vendor needs emergency diagnostics, or a third party maintains equipment across multiple sites. There is no universal standard for this yet, but best practice is evolving toward stronger sponsorship, shorter access windows, and clearer responsibility for review.
Edge cases matter. If the vendor supplied the compromised account but the manufacturer allowed shared credentials, the manufacturer still shares accountability because it enabled the unsafe model. If a managed service provider administers access on the manufacturer’s behalf, that does not transfer ownership of the risk unless contracts, technical controls, and audit rights explicitly do so. The same logic applies when a breach originates through stolen secrets or unattended API access: the party responsible for granting and reviewing that access remains accountable for the control failure, even if the vendor was the immediate intrusion path. Practitioner teams should also separate legal liability from security accountability, because the two do not always align. That distinction is often clarified only after audit evidence is reconstructed, rather than during access design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI3 (Vulnerable Third-Party NHI), NHI5 (Overprivileged NHI) | Third-party and vendor-controlled identities, and access granted beyond what the task needs. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and authorisations are defined in policy, managed, enforced and reviewed, including for third-party users. |
| NIST AI RMF | GOVERN | Accountability depends on clear oversight and ownership of controlled access. |
Bind every vendor identity to least privilege, expiry, and recertification before granting production access.