Subscribe to the Non-Human & AI Identity Journal

Scope Definition

Scope definition is the process of deciding which third parties are included in a risk programme and how deeply they are reviewed. Good scope is based on access, integration, and impact, not on vendor count, so limited resources can be applied where the exposure is highest.

Expanded Definition

Scope definition is the boundary-setting step that determines which third parties enter a risk programme, how much evidence is gathered, and how intensive the review should be. In security practice, the term is often used in vendor risk management, due diligence, and ongoing monitoring, but the same logic applies wherever limited controls must be focused on the relationships that can actually affect confidentiality, integrity, or availability.

Good scope is risk-based rather than inventory-based. A large vendor list does not automatically mean a large exposure, and a small supplier can still be in scope if it has production access, API integration, administrative privileges, or business-critical dependency. That distinction matters because scope definition shapes the depth of questionnaires, contract review, technical validation, and remediation follow-up. For identity-heavy environments, scope also reaches beyond human users to OWASP Non-Human Identity Top 10 concerns such as service accounts, API keys, and workload credentials tied to third-party platforms.

Definitions vary across vendors and industries on whether scope should include indirect subcontractors, shadow IT relationships, and low-risk processors, so organisations need a clearly documented policy rather than an implied rule set. The most common misapplication is treating scope as a static vendor count, which occurs when teams classify suppliers by contract list alone and ignore actual access, integration paths, and operational impact.

Examples and Use Cases

Implementing scope definition rigorously often introduces triage overhead, requiring organisations to balance review depth against speed, staffing, and business continuity.

  • A cloud payroll provider is placed in high scope because it processes employee records, connects to identity systems, and can affect authentication or access workflows.
  • A marketing SaaS tool is kept in lower scope when it has no privileged access, no sensitive data transfer, and no trusted integration into core systems.
  • A managed service provider is escalated for enhanced review because its remote administration path creates privileged access and broad blast-radius potential.
  • A payment processor is scoped tightly under contractual and security review because cardholder data handling triggers regulatory and control obligations that map to NIST Cybersecurity Framework 2.0 governance expectations.
  • An AI vendor that supports customer service is reviewed for model access, prompt handling, and secret exposure when agentic workflows depend on third-party APIs and tokens.

In practice, scope definition also helps determine which evidence is proportionate: a simple attestation may be enough for a low-impact supplier, while a privileged integrator may require architecture review, incident history, and control testing. This is especially important where third parties introduce identity sprawl through shared credentials, delegated access, or unmanaged machine identities. For those cases, NIST Cybersecurity Framework thinking is often used to align review depth with business impact.

Why It Matters for Security Teams

Security teams rely on scope definition to avoid wasting assurance effort on low-exposure relationships while missing the few suppliers that can create real operational or identity risk. If scope is too narrow, privileged integrations, hidden sub-processors, and non-human identities may never be reviewed. If scope is too broad, teams burn time on low-value assessments and delay action where risk is concentrated.

That balance matters because scope drives everything that follows: onboarding checks, evidence collection, contract clauses, exception handling, and reassessment cadence. It also affects how organisations respond when a third party is compromised, since a poorly defined scope can leave unknown dependencies outside monitoring until an incident forces discovery. For teams building identity controls around external access, the same principle applies to Zero Trust Architecture and privileged access decisions: the question is not how many vendors exist, but which ones can actually reach something valuable.

Organisations typically encounter the cost of poor scope definition only after a supplier breach, an audit challenge, or an access review failure, at which point scope becomes operationally unavoidable to correct.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022, DORA and NIS2 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.SC Supply chain risk management defines how third parties are identified and governed in scope.
NIST SP 800-53 Rev 5 SR-3 Supply chain controls require defined boundaries for supplier selection and oversight.
ISO/IEC 27001:2022 A.5.23 Information security for use of cloud services depends on scoped supplier governance.
DORA Article 28 ICT third-party risk management requires identifying in-scope providers and dependencies.
NIS2 Article 21 Risk management measures rely on understanding which external services affect essential operations.

Include only materially relevant providers in scope, then prioritize controls by impact.