TL;DR: Cyber risk is converging around AI-enabled deception, state-aligned operations, third-party exposure, and supply chain fragility in SecurityScorecard’s Q3 2025 coverage, with reporting spanning the STRIKE Threat Intelligence team’s 12-Day War analysis, deepfake campaigns, and enterprise breach commentary. The practical lesson is that cyber risk management now has to treat external dependency, impersonation, and geopolitical spillover as connected governance problems, not separate workstreams.
At a glance
What this is: SecurityScorecard’s Q3 2025 press roundup highlights how AI, state-aligned operations, and third-party risk are reshaping cyber risk management.
Why it matters: For IAM, PAM, and broader security teams, the roundup matters because it shows how external identities, vendor trust, and deceptive AI-driven access patterns are becoming core governance problems.
👉 Read SecurityScorecard’s Q3 2025 press coverage roundup on AI, state actors, and supply chain risk
Context
Cyber risk coverage often looks fragmented because it spans threat intelligence, AI-enabled deception, vendor compromise, and incident reporting. The underlying governance problem is more consistent: organisations still struggle to understand which external systems, suppliers, and identities can be trusted, especially when attackers use legitimate access paths or convincing impersonation. That gap is most visible in programmes that already have to manage IAM, PAM, and non-human identity exposure across suppliers and cloud services.
This SecurityScorecard roundup is useful because it ties together several pressure points that security leaders are already feeling. State-aligned cyber operations, deepfake-enabled influence, and supplier-driven breach propagation all increase the importance of identity-centric controls, even when the original story is framed as geopolitical or operational risk. In that sense, the article is less a set of publicity notes than a signal that cyber risk is becoming more entangled with trust management across organisations and their ecosystems.
Key questions
Q: How should security teams reduce fraud when attackers use deepfakes and synthetic identities?
A: They should combine document validation, liveness detection, behavioural analytics, and risk-based step-up checks rather than relying on a single identity proofing event. Deepfakes and synthetic identities are strongest when a programme trusts one signal too much. The goal is to make spoofed evidence fail across multiple independent checks before approval.
Q: Why do third-party connections increase breach exposure?
A: Third-party connections increase exposure because they extend your trust boundary into another organisation's identity controls. If vendor accounts, OAuth apps, or shared integrations keep standing access, an attacker can pivot through them without breaching the primary environment first. The risk grows when ownership is unclear and offboarding is weak, because access outlives the relationship that justified it.
Q: What do organisations get wrong about AI-driven cyber risk?
A: They often assume the main change is autonomous attackers, when the immediate change is faster and more variable abuse of existing identity pathways. That mistake pushes attention toward speculative defenses instead of scoped access, strong telemetry, and response readiness. The operational risk is already here, even if full autonomy is not.
Q: How can organisations tell if their external access model is too broad?
A: A broad external access model usually shows up when teams cannot quickly answer which suppliers, tokens, and non-human accounts still have access, why they have it, and who owns revocation. If access reviews are delayed, manual, or disconnected from offboarding, the model is already too broad. Visibility and lifecycle ownership are the key signals.
Technical breakdown
State-aligned operations and the trust chain
State-aligned cyber activity is usually operationally disciplined rather than noisy. It often combines reconnaissance, social engineering, infrastructure abuse, and opportunistic exploitation of existing trust relationships. In practice, this means the defender is not just blocking malware but trying to understand how legitimate channels, third-party relationships, and credential pathways can be weaponised inside an active campaign. That shifts attention from perimeter-only thinking to the integrity of the access chain itself, including supplier access, identity validation, and approval workflows.
Practical implication: Map critical supplier and privileged access paths to the points where an adversary could turn legitimate trust into access.
AI-enabled deception and human identity verification
Deepfake-enabled influence campaigns do not require technical compromise to succeed. They exploit the human layer by manufacturing credibility at the moment a decision is being made, whether that decision is to approve a transfer, disclose information, or reset access. For security and IAM teams, this is a verification problem as much as a threat problem. If the organisation relies on voice, video, or message authenticity without stronger corroboration, it creates a weak point where impersonation can bypass normal scrutiny and lead to account or financial compromise.
Practical implication: Add out-of-band verification for sensitive approvals and do not treat synthetic media as a low-probability edge case.
Third-party exposure and non-human identity governance
Third-party risk increasingly intersects with non-human identity governance because suppliers connect through OAuth apps, API keys, service accounts, and other machine credentials. Those connections are often provisioned for convenience and then left with far broader scope than intended. When visibility is partial, organisations cannot reliably tell which vendor relationships still exist, which credentials are active, or where access should be withdrawn. That makes external identity lifecycle management a security control, not an administrative cleanup task.
Practical implication: Inventory external access by credential type and lifecycle stage, then tie offboarding to explicit revocation rather than informal vendor notice.
Threat narrative
Attacker objective: The objective is to convert trusted access and believable deception into operational disruption, intelligence collection, or downstream compromise across multiple organisations.
- Entry begins through trusted relationships, exposed credentials, or AI-enabled impersonation that lowers the defender’s normal skepticism.
- Escalation occurs when legitimate access, supplier trust, or human approval is used to widen the attacker’s reach beyond the original foothold.
- Impact follows as the actor disrupts operations, steals data, or amplifies influence through supply chain propagation, misinformation, or state-aligned targeting.
NHI Mgmt Group analysis
State-aligned cyber operations are now a governance problem, not only a threat-intelligence problem. The quarter’s coverage shows how conflict-driven campaigns blend technical intrusion with strategic targeting, making supplier trust, identity assurance, and response coordination part of the same control surface. For security leaders, the implication is that geopolitically motivated activity must be reflected in access governance and resilience planning, not just in intelligence briefings.
Deepfake-enabled influence creates a verification trust gap that many identity programmes still underweight. When convincing synthetic audio or video can trigger an exception, the control failure is rarely cryptographic. It is a governance failure around who can authorize what, on which channel, and with what corroboration. That is why identity verification, workflow assurance, and approval design now belong in the same discussion. Practitioners should treat synthetic media risk as a control design issue, not a communications problem.
Third-party and non-human identity exposure are converging into the same external trust surface. Suppliers increasingly connect through OAuth apps, API keys, tokens, and service accounts, which means vendor risk is also identity lifecycle risk. This roundup reinforces a named concept we see repeatedly: external trust sprawl. It describes the accumulation of vendor, machine, and delegated access that no longer has a clear owner or expiry. Practitioners should use that lens to find where access outlives the business need.
AI is accelerating both attacker speed and defender ambiguity. The coverage around AI in cybersecurity is not just about tooling adoption. It is about faster deception, broader content generation, and more credible operational narratives that can overwhelm manual review. That changes how teams should think about detection, triage, and human escalation paths. The lesson is to harden decisions that depend on trust, not to assume more AI will automatically reduce risk.
Acquisition and partnership news in this category signals market pressure toward broader risk platforms. The SecurityScorecard roundup sits alongside company news because the market is moving toward aggregation of controls, data, and workflow. For practitioners, that should trigger a re-evaluation of where supplier risk, compliance automation, and identity governance sit in the operating model. The practical conclusion is to test whether your current control stack still gives you lifecycle visibility across both human and non-human external access.
What this signals
AI-assisted deception is pushing identity programmes toward stronger verification at the point of decision, not just at login. That means security teams need to connect human identity controls, privileged workflows, and supplier trust decisions more tightly, especially where approvals can trigger access or money movement. The programme question is no longer whether AI can deceive people, but whether your process can still prove who authorised what.
External trust sprawl: supplier access, delegated permissions, and machine credentials are now part of the same exposure surface. Once that surface cannot be enumerated cleanly, offboarding, audit, and exception management all lose precision. Security leaders should expect more pressure to show lifecycle visibility across non-human access as part of broader resilience and third-party risk oversight.
For practitioners
- Reassess external trust paths Build a living inventory of supplier connections, delegated permissions, and externally issued machine credentials. Focus on OAuth apps, API keys, and service accounts that can operate without active human oversight, then classify them by business owner, expiry, and revocation path.
- Strengthen approval verification for high-risk requests Require out-of-band confirmation for payments, credential resets, policy exceptions, and access changes that could be triggered by deepfake-assisted impersonation. Make the control explicit in playbooks so the verification step is consistent under pressure.
- Tie supplier offboarding to credential revocation When a vendor relationship ends, revoke tokens, rotate shared secrets, disable unused accounts, and remove OAuth grants as part of the same workflow. Do not rely on contractual offboarding or email confirmation to close the access loop.
- Test incident response against geopolitical spillover scenarios Run exercises that assume a supplier compromise, state-aligned targeting, or coordinated influence campaign, then examine how quickly security, legal, communications, and identity teams can agree on containment. Include third-party access cuts and privilege suspension in the scenario.
Key takeaways
- The quarter’s coverage shows cyber risk, AI deception, and third-party exposure converging into one governance problem rather than separate categories.
- When supplier access, state-aligned operations, and deepfake-enabled influence interact, the control gap is usually verification and lifecycle visibility, not detection alone.
- Security teams should treat external trust paths as identity assets that require ownership, expiry, and revocation discipline.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The roundup highlights credential abuse, supplier trust, and expansion paths seen in real campaigns. |
| NIST CSF 2.0 | PR.AC-4 | Third-party access and approvals are central to the trust gaps discussed in the article. |
| NIST SP 800-53 Rev 5 | IA-5 | The article repeatedly points to exposed and delegated credentials across external systems. |
| CIS Controls v8 | CIS-5 , Account Management | Vendor and machine accounts need ownership, review, and timely deprovisioning. |
| ISO/IEC 27001:2022 | A.5.19 | Supplier relationships and shared responsibilities are a core theme in the roundup. |
Map supplier and external-access scenarios to TA0006 and TA0008, then tighten monitoring around delegated credentials.
Key terms
- Exchange Trust Sprawl: The gradual accumulation of fragmented verification, privilege, and monitoring controls across a crypto platform. It creates blind spots because the same customer or operator can be governed differently across regions, systems, or workflows, making assurance harder and fraud easier to exploit.
- Deepfake-based impersonation: A fraud technique that uses synthetic audio, video, or both to make an attacker appear to be a trusted person during a live interaction. The tactic exploits human trust in familiar cues and often aims to trigger urgent actions such as payments, resets, or access changes before verification is challenged.
- Non-Human Identity: A non-human identity is any digital identity used by software, services, automation, or machines rather than people. Examples include API keys, tokens, certificates, service accounts, and AI agents. These identities need lifecycle governance because they often persist, replicate, and overreach faster than human accounts.
What's in the full article
SecurityScorecard’s full press coverage roundup covers the operational detail this post intentionally leaves for the source:
- Specific TV and podcast appearances with the exact cybersecurity themes each executive discussed.
- The underlying STRIKE Threat Intelligence report context on the 12-Day War between Iran and Israel.
- Coverage-by-region details across North America, EMEA, and APAC that show how the quarter’s themes were picked up in different markets.
- Company news on the HyperComply acquisition and the Uniqus partnership, including the business context around those moves.
Deepen your knowledge
NHI Mgmt Group offers the NHI Foundation Level course, the industry's only accredited NHI security programme, covering NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to turn identity risk into operating controls across modern security programmes.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org