Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about third-party access after a relationship ends?

They often remove the named user but leave behind inherited entitlements, shared secrets, or support pathways that still work. Offboarding has to remove the credentials, the sessions, and the trust links that made access possible in the first place. Otherwise the vendor relationship outlives the business need.

Why This Matters for Security Teams

Third-party access rarely ends cleanly. Security teams often focus on the named account and miss the controls that keep the relationship alive: OAuth grants, shared service accounts, API keys in automation, cached sessions, and delegated support paths. That leaves a vendor able to reconnect long after the contract, the ticket, or the onboarding record says access is gone.

This is not a narrow hygiene issue. The Ultimate Guide to NHIs shows that only 20% of organisations have formal processes for offboarding and revoking API keys, while 92% expose NHIs to third parties. In the same risk category, OWASP’s OWASP Non-Human Identity Top 10 treats weak lifecycle control as a direct attack path, not an administrative afterthought. When offboarding is incomplete, the business relationship ends on paper but the technical trust link remains active in production.

Practitioners also underestimate how often third-party access is embedded in workflow rather than a single login. A vendor may have SSO access, but also a token in CI/CD, a robot account in a ticketing system, or a standing webhook into a support queue. In practice, many security teams encounter continued vendor access only after an incident or a contract dispute, rather than through intentional offboarding.

How It Works in Practice

Effective third-party offboarding has to remove every identity artifact tied to the relationship, not just the human principal. That means revoking OAuth consent, deleting or rotating shared secrets, disabling service accounts, terminating active sessions, and removing trust relationships from apps, brokers, and automation pipelines. The most reliable model is to treat third-party access as a non-human identity lifecycle problem, because the real risk often sits in the machine credential, not the named user.

Operationally, teams should map vendor access across business systems, then validate which entitlements are inherited through groups, app roles, delegated admin rights, or partner integrations. The 52 NHI Breaches Analysis is useful here because it shows how often compromise follows reusable credentials and weak lifecycle governance. NIST control guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls supports this approach through account management, access revocation, and audit logging requirements.

  • Inventory every third-party identity, including API keys, bot accounts, and delegated OAuth apps.
  • Revoke standing access first, then rotate any shared secrets or certificates tied to the vendor.
  • Close support channels and temporary exceptions that bypass normal approval flows.
  • Verify revocation in logs and authentication telemetry, not just in ticket closure.

Current guidance suggests offboarding should be verified against real authentication paths, because certificate chains, cached refresh tokens, and partner-managed integrations can keep working even after the visible account is disabled. These controls tend to break down in federated SaaS estates with shadow IT, where the organization cannot fully enumerate every delegated app or downstream token issuer.

Common Variations and Edge Cases

Tighter third-party offboarding often increases operational overhead, requiring organisations to balance rapid vendor removal against business continuity and support obligations. That tradeoff becomes sharper when a vendor runs managed services, shares infrastructure with internal teams, or owns a critical integration that cannot be cut immediately without downtime.

There is no universal standard for every exception scenario yet. Current best practice is to apply time-bound, ticketed exceptions with explicit expiry, compensating monitoring, and a documented owner. That is especially important for long-lived integrations where the vendor never logs in interactively, because the access may be carried entirely by machine credentials, not a human session.

NHIMG’s State of Non-Human Identity Security reports that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which explains why offboarding often misses the hidden trust path. For this reason, guidance should extend beyond the human relationship to the supporting identity fabric. In environments with M&A activity, outsourced operations, or multi-tenant admin consoles, the cleanup problem is broader than account deletion because inherited entitlements can survive in shared tenancy boundaries and cross-tenant admin roles.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Directly addresses lifecycle cleanup and lingering non-human access after offboarding.
CSA MAESTRO AC-2 Relevant to governing third-party agent and integration access across its full lifecycle.
NIST AI RMF GOVERN Supports accountability for third-party AI-enabled access and offboarding decisions.
NIST CSF 2.0 PR.AC-4 Aligns with least-privilege access removal and periodic authorization review.

Revalidate third-party privileges on a schedule and remove anything no longer required.