Subscribe to the Non-Human & AI Identity Journal

Third-Party Application Risk

Third-party application risk is the exposure created when external platforms or delegated services hold sensitive data or connect to critical workflows. The risk is not limited to vendor security. It also depends on how much access the organisation granted and whether that access is still appropriate.

Expanded Definition

Third-party application risk is not just a vendor due diligence problem. In NHI security, it is the exposure created when an external application, integration, plugin, or delegated service can reach secrets, data, or workflows that matter to the organisation. The key question is not only whether the third party is secure, but whether the access granted to it is still necessary, proportionate, and bounded.

This risk often shows up through OAuth grants, API keys, service accounts, marketplace apps, and automation hooks that are trusted far beyond their original purpose. Industry usage is still evolving, but the strongest NHI framing treats third-party applications as identity-bearing actors with measurable permissions, refresh paths, and revocation requirements. That is why guidance in the OWASP Non-Human Identity Top 10 aligns closely with access minimisation and credential hygiene rather than vendor questionnaires alone.

At NHI Management Group, the practical distinction is simple: a secure vendor can still become a risk if its application tokens are over-scoped, long-lived, or poorly monitored. The most common misapplication is treating third-party application risk as a one-time procurement check, which occurs when organisations fail to review ongoing access after installation or integration.

Examples and Use Cases

Implementing third-party application controls rigorously often introduces operational friction, requiring organisations to balance automation speed against tighter approval, logging, and revocation discipline.

  • A SaaS productivity app receives read and write access to shared mailboxes, then continues syncing after the business owner has stopped using it.
  • A CI/CD integration stores deployment tokens that can modify production infrastructure, creating a hidden path from the app into critical workflows.
  • An AI coding assistant connects to source control and package repositories, then inherits broad repository visibility through delegated OAuth consent, a pattern often discussed in supply chain incidents like the Reviewdog GitHub Action supply chain attack.
  • A marketplace plugin is approved for a narrow business function, but the installation later persists with access to customer data and administrative APIs long after the original owner changes roles.
  • A delegated analytics platform can export reports and read records, yet there is no documented offboarding process to remove its credentials when the contract ends.

These situations are frequently illustrated by real-world compromise paths such as the Klue OAuth Supply Chain Breach and broader patterns in the 52 NHI Breaches Report, where delegated access became the bridge from one compromised application into many downstream environments.

Why It Matters in NHI Security

Third-party application risk matters because these integrations behave like non-human identities in practice, even when teams describe them as “just an app.” If they hold secrets, persistent tokens, or broad delegated permissions, they can bypass the protections applied to human users and become durable access paths into data, automation, and production systems. That makes revocation, scoping, and monitoring core security controls, not optional housekeeping.

NHI Management Group research shows that 92% of organisations expose NHIs to third parties, raising direct supply chain security concerns. That exposure matters because the harm often comes from stale access and over-privileged integrations, not only from a vendor breach. The Ultimate Guide to NHIs also shows that 97% of NHIs carry excessive privileges, which helps explain why third-party application access so often becomes larger than intended. For governance, the NIST Cybersecurity Framework 2.0 reinforces the need to identify, protect, detect, and respond across these delegated relationships.

Organisations typically encounter the operational consequences only after a token leak, unauthorized data export, or supply chain incident, at which point third-party application risk becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers improper secret and token handling in third-party integrations.
NIST CSF 2.0 PR.AA Identity and access management governs delegated app permissions and monitoring.
NIST Zero Trust (SP 800-207) SC-0 Zero Trust requires continuous verification of every application trust relationship.
NIST SP 800-63 Digital identity assurance informs how delegated access and authenticator strength are evaluated.
NIST AI RMF AI systems often rely on third-party apps and connectors that expand operational and security risk.

Use assurance-based controls when approving app-to-app access and rotate credentials on a defined cadence.