TL;DR: The shift from periodic third-party assessments to continuous, threat-informed supply chain security took center stage at the Odyssey 2026 conference in Miami, with nearly 300 CISOs and risk leaders discussing real-time operations, nation-state pressure, and automation, according to SecurityScorecard. The operating model is moving from checkbox review toward evidence-driven vendor oversight, where timing and context matter more than annual scorecards.
At a glance
What this is: SecurityScorecard’s Odyssey 2026 highlighted a move from periodic third-party assessments to continuous, threat-informed supply chain risk operations.
Why it matters: That shift matters because supplier risk now has direct identity, access, and operational resilience consequences when shared vendors become shared attack paths.
By the numbers:
- 300 CISOs, 0 CISOs, security operations leaders, and third-party risk management professionals attended Odyssey in Miami on January 26-27.
- 90% of companies rely on software and services from roughly 150 third-party providers.
- Odyssey brought together nearly 300 CISOs, security operations leaders, and third-party risk management professionals in Miami on January 26-27.
- SecurityScorecard says 90% of companies rely on software and services from roughly 150 third-party providers.
👉 Read SecurityScorecard's Odyssey 2026 coverage of continuous supply chain risk operations
Context
Supply chain security fails when organisations treat vendor risk as a periodic paperwork exercise instead of a live operational problem. In environments where many suppliers share the same platforms, a weakness in one provider can become a downstream exposure for dozens or hundreds of customers.
For identity and access teams, the governance issue is not only supplier assurance but also the access relationships embedded in those suppliers' environments. Continuous monitoring becomes more relevant when third-party access, service accounts, and delegated workflows can change faster than annual reviews.
Odyssey 2026 reflected a typical enterprise problem set rather than an outlier: large vendor ecosystems, board scrutiny, and pressure to replace static assessments with evidence-driven oversight.
Key questions
Q: How should security teams govern supplier access in continuous third-party risk programmes?
A: Security teams should treat supplier access as part of the identity lifecycle, not as a static vendor attribute. That means inventorying supplier-held accounts, keys, and federated access; reviewing privilege scope continuously; and revoking access when the business relationship or risk posture changes. The control objective is current enforcement, not annual confirmation.
Q: Why do periodic vendor assessments fail against supply chain threats?
A: Periodic assessments fail because they capture a point in time, while supplier environments, privileges, and exposures change continuously. Attackers only need one window of weakness, but annual review cycles leave long periods where a supplier can drift outside approved posture without detection. Continuous monitoring closes that timing gap.
Q: What do organisations get wrong about third-party risk scores?
A: They often treat scores as a decision rather than a signal. A score can help prioritise, but it does not prove the supplier has current controls, active monitoring, or the ability to support the business safely. Practitioners need to combine scores with access scope, threat context, and evidence freshness.
Q: Who is accountable when a supplier compromise affects downstream customers?
A: Accountability is shared, but the customer remains responsible for governing the access it allows and the monitoring it performs. Regulators and auditors will expect evidence of supplier due diligence, lifecycle control over third-party access, and timely response when conditions change. Contract language does not replace operational accountability.
Technical breakdown
Why periodic vendor assessments fail in shared dependency chains
Periodic third-party assessments assume the security state of a supplier remains stable between review cycles. That assumption breaks when suppliers change tooling, personnel, privileges, or exposed services continuously. In shared dependency environments, one provider can become a distribution point for risk across many customers, so a once-a-year scorecard cannot represent the current attack surface. Continuous monitoring adds temporal context, which is essential when attacker dwell time can be shorter than assessment cadence.
Practical implication: replace review-only supplier governance with continuous evidence collection on access, exposure, and control drift.
How threat-informed TPRM connects intelligence to control decisions
Threat-informed third-party risk management links observed adversary activity to supplier prioritisation, rather than treating all vendors as equal. The operational value comes from pairing external threat intelligence with internal vendor criticality, access scope, and business dependency. That allows security teams to escalate monitoring when an exposed supplier has direct operational reach, privileged integrations, or data pathways into the enterprise. Without that linkage, risk scoring becomes descriptive instead of decision-making.
Practical implication: combine threat intelligence with supplier access maps so the highest-risk vendors receive the fastest review and response.
Where identity governance intersects with supplier security
Third-party risk becomes an identity problem when suppliers hold service accounts, API keys, federated access, or support credentials inside customer environments. Those identities often sit outside normal joiner-mover-leaver processes and may not be captured in standard access reviews. If offboarding, rotation, or privilege reduction is not governed continuously, supplier access can persist long after the business relationship or threat posture has changed. This is where NHI governance and TPRM converge.
Practical implication: inventory supplier-issued and supplier-managed identities separately from human access and review them on a lifecycle basis.
Threat narrative
Attacker objective: The attacker aims to turn one compromised supplier into access, persistence, or disruption across several downstream organisations.
- Entry begins with a trusted supplier or shared platform becoming the weakest point in the downstream organisation's supply chain.
- Escalation follows when the attacker uses that supplier relationship, integration, or shared access path to reach higher-value internal systems.
- Impact occurs when the compromise propagates into multiple customers, creating downstream exposure beyond the original vendor boundary.
NHI Mgmt Group analysis
Continuous supply chain security is now an identity governance problem as much as a vendor risk problem. Once suppliers hold service accounts, tokens, support credentials, or federated access, their security state becomes part of the enterprise identity perimeter. Static questionnaires cannot govern those relationships at the pace modern supplier environments change. Practitioners should treat third-party access as a lifecycle issue, not an annual review artifact.
Threat-informed TPRM is the right direction, but only if it changes priority, not just reporting. Security leaders already know which vendors exist; the harder question is which vendors can actually produce downstream harm this week. That requires combining external threat signals, access scope, and business dependency into one operational view. Practitioners should use that view to decide where monitoring, revocation, and escalation happen first.
Shared dependencies create shared failure domains, which means supplier oversight must be continuous. When 90% of companies depend on a relatively small provider base, a single weak link can affect many customers at once. That shifts the governance burden from evidence collection to evidence freshness. Practitioners should align supplier controls to real-time exposure rather than calendar-based review dates.
NHI governance belongs inside third-party risk programmes, not beside them. Supplier-managed identities, API keys, and machine credentials are often the practical mechanism by which third parties reach internal systems. If those identities are invisible or exempt from lifecycle control, the TPRM programme is missing the actual enforcement layer. Practitioners should map supplier access as a first-class identity inventory and tie it to offboarding, rotation, and privilege review.
Continuous monitoring is becoming the baseline expectation for boards, insurers, and regulators. The conference messaging reflected a wider market shift away from checkbox compliance toward operational proof. That means security teams will be judged less on the existence of a supplier policy and more on whether they can show current risk status, response triggers, and control ownership. Practitioners should prepare for evidence-driven supplier governance to become the default.
What this signals
Supplier risk is increasingly an access governance problem, not just a scoring problem. Once third parties can authenticate into customer environments, the question becomes whether their identities are visible, bounded, and revocable in real time. Programmes that cannot answer that question will struggle to prove control effectiveness as boards and insurers move toward evidence-based oversight.
Security teams should expect supplier monitoring to converge with IAM, PAM, and NHI lifecycle processes. That means the next maturity step is not more assessment paperwork, but cleaner identity inventories, tighter delegation boundaries, and faster offboarding when supplier relationships change.
For practitioners
- Map supplier-held identities to business criticality Build an inventory of supplier-issued accounts, API keys, support credentials, and federation links, then rank them by downstream system access and data reach. Use that inventory to separate routine vendors from suppliers that can materially affect core operations.
- Replace annual vendor reviews with continuous control checks Track access scope, control drift, and exposure changes for high-risk suppliers throughout the year, not just at review time. Focus on rotation status, unused credentials, and changes in privileged integrations.
- Tie threat intelligence to supplier escalation rules Define trigger conditions that raise monitoring or response when a supplier appears in active threat reporting, has exposed services, or is linked to current attack campaigns. Escalation should be based on both threat activity and access reach.
- Separate supplier offboarding from contract closure Require explicit revocation of accounts, tokens, certificates, and delegated access when a supplier relationship changes. Do not assume procurement or legal closure means technical access has ended.
- Align board reporting to evidence freshness Report how recently supplier risk evidence was collected, which access paths were validated, and where remediation remains outstanding. Boards need current operational exposure, not static scores.
Key takeaways
- Odyssey 2026 reinforced that supply chain security now depends on continuous operations, not annual reviews.
- The biggest governance gap is not supplier awareness, but the freshness of evidence about access, exposure, and control drift.
- Practitioners should treat supplier-issued identities as part of the enterprise identity perimeter and govern them on a lifecycle basis.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.SC-1 | Supply chain risk management is the article's core governance theme. |
| NIST SP 800-53 Rev 5 | SR-3 | Supplier controls and risk response align with supply chain risk management requirements. |
| CIS Controls v8 | CIS-15 , Service Provider Management | The conference focus is continuous oversight of external providers. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0008 , Lateral Movement; TA0040 , Impact | Supply chain compromise commonly uses trusted entry paths and downstream propagation. |
| ISO/IEC 27001:2022 | A.5.21 | Supplier relationships and information security in the ICT supply chain are directly relevant. |
Map supplier oversight to GV.SC-1 and maintain current evidence on critical third-party dependencies.
Key terms
- Continuous Third-Party Risk Management: A programme model that treats supplier risk as a live control process rather than a periodic review. It combines monitoring, evidence freshness, escalation logic, and access governance so teams can respond when a vendor's posture, exposure, or business impact changes.
- Threat-Informed TPRM: A third-party risk approach that weights suppliers by current adversary activity, access scope, and downstream dependency. Instead of ranking vendors only by questionnaire results, it uses threat context to decide which suppliers need immediate attention, tighter controls, or accelerated remediation.
- Supplier-Held Identity: An account, token, key, certificate, or federated credential that a third party uses to access customer systems. These identities often sit outside standard employee lifecycle workflows, which makes ownership, expiry, offboarding, and monitoring harder unless they are explicitly governed.
What's in the full article
SecurityScorecard's full post covers the conference detail this analysis intentionally leaves for the source:
- Session-level discussion of threat-informed third-party risk management and how practitioners are operationalising it.
- The roadmap context behind upcoming continuous monitoring capabilities and how attendees responded to them.
- Panel and keynote takeaways from CISOs, policy leaders, and practitioners on supply chain resilience.
- Examples of how SecurityScorecard expects customers to integrate continuous monitoring with existing security operations.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It is designed for practitioners building repeatable governance across human, non-human, and delegated access programmes.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org