By NHI Mgmt Group Editorial Team
Published 2026-02-19
Domain: Governance & Risk
Source: Imprivata

TL;DR: MaRisk and DORA together push German financial institutions to prove that outsourced IT and cloud services remain governable through strong identity, access, and audit controls; Imprivata's analysis singles out MaRisk AT 9, which places access rights, sub-outsourcing, and exit scenarios under scrutiny. The real issue is not documentation volume but whether governance can still constrain privileged access, trace accountability, and keep control as outsourcing expands.


At a glance

What this is: This is an analysis of how MaRisk and DORA turn identity and access controls into core evidence for outsourcing governance in German financial institutions.

Why it matters: It matters because IAM, PAM, and lifecycle controls are no longer supporting controls in regulated outsourcing models. They are the mechanisms auditors and supervisors use to test whether risk, accountability, and recoverability still hold.

👉 Read Imprivata's analysis of MaRisk, DORA, and identity controls in outsourcing


Context

MaRisk outsourcing governance depends on being able to show who can access what, when, and under whose authority. In practice, that makes identity and access management part of the control fabric, not a separate technical concern, especially when cloud and IT services are outsourced.

DORA strengthens that pressure by requiring operational resilience across ICT services and supporting evidence for auditability, privileged access, and incident handling. For financial institutions, the question is no longer whether identity controls matter, but whether outsourcing remains controllable once access is delegated outside the core institution.


Key questions

Q: What breaks when outsourced access is not tied to identity lifecycle management?

A: The control model breaks first, because the institution can no longer prove that access follows the contract lifecycle. Stale service accounts, unused API keys, and lingering certificates can continue operating after a vendor relationship changes. That creates hidden authority outside the outsourcing register and undermines auditability, revocation, and exit testing.

Q: Why do MaRisk and DORA make privileged access a governance issue?

A: Because privileged access is where delegated responsibility becomes operational power. Under MaRisk and DORA, institutions must show who can administer outsourced services, how that access is authenticated, and how quickly it can be removed. If privileged sessions are not logged and reviewed, the outsourcing relationship cannot be defended as controlled.

Q: How should banks measure whether outsourcing controls are actually working?

A: They should measure the gap between registered outsourcing relationships and the identities still able to act inside the environment. Useful signals include orphaned privileged accounts, unreviewed sub-outsourcing, delayed credential revocation, and failed exit tests. If those indicators persist, the programme has documentation, but not control.

Q: Who is accountable when a third party retains access after offboarding?

A: Accountability remains with the institution that owns the outsourcing relationship, even if the third party still holds the credentials. MaRisk places governance responsibility on the regulated entity, so offboarding failures are control failures for the bank or insurer, not a reason to defer responsibility to the provider.


Technical breakdown

AT 9 outsourcing controls rely on auditable access governance

AT 9 does not define technical controls in detail, but it requires institutions to retain steering, control, and auditability over outsourced functions. That means the practical control surface shifts to identity, access, and privileged session governance. If a provider can access production systems, data, or administrative planes without clear entitlement, logging, and review, the institution cannot demonstrate effective control over the outsourcing relationship. The key issue is not just whether access exists, but whether it is assigned, monitored, and revoked in a way that supports examination and accountability.

Practical implication: Treat IAM, PAM, and access logging as evidence for AT 9 compliance, not as optional security enhancements.

DORA raises the bar for outsourced ICT and privileged access

DORA operationalises digital resilience across ICT third parties, which makes authentication, privileged access, and incident traceability exam-relevant. In practice, this means outsourcing governance must connect contract terms to identity enforcement: who authenticates, which sessions are privileged, what is logged, and how quickly access can be removed when the relationship changes. If the identity layer is weak, contractual controls cannot compensate. The article’s core message is that resilience is tested at the point where administrative access meets delegated operations, not in policy language alone.

Practical implication: Map every critical outsourced service to its privileged identities, authentication method, and revocation path.

Outsourcing register quality depends on identity lifecycle discipline

A central outsourcing register is only useful if it reflects the current state of delegated access, sub-outsourcing, and exit dependencies. That requires lifecycle management for every non-human identity involved in the outsourcing chain, including accounts, API keys, certificates, and privileged service identities. Without clean offboarding, a register can say a contract has ended while access still persists in practice. The control problem is therefore not just cataloguing providers, but maintaining a live link between business ownership, technical access, and termination readiness.

Practical implication: Bind outsourcing registers to identity lifecycle events so offboarding and exit testing affect real access, not just documentation.



NHI Mgmt Group analysis

AT 9 outsourcing governance is really a control-of-access problem disguised as a contract problem. The article is right to emphasise steering ability, but the exam question is whether outsourced activity remains governable once access leaves the institution. That is why identity, privileged access, and audit evidence become the operational proof of MaRisk compliance. Practitioners should treat every outsourcing relationship as an identity governance boundary, not just a vendor-management entry.

MaRisk plus DORA changes the meaning of resilience from uptime to recoverable authority. If a provider can act inside critical systems without a continuously verifiable identity trail, the institution has resilience on paper but not in practice. The combination of outsourcing and ICT regulation means accountability must follow the privilege, not only the contract. Practitioners need to prove who can act, under what entitlement, and how fast that entitlement can be removed.

Identity and access controls are the strongest audit signal because they expose whether governance is executable. The article’s focus on strong authentication, RBAC, and PAM reflects a deeper truth: the controls that matter most are the ones a supervisor can test against real entitlements and sessions. Where organisations rely on spreadsheets, manual reviews, or stale ownership records, the control environment looks formal but remains brittle. Practitioners should expect auditors to use identity evidence as the shortest path to testing outsourcing discipline.

Outsourcing register drift is a governance failure mode, not an administrative inconvenience. A register that does not track active access, sub-outsourcing, and exit status creates false confidence about control scope. That gap becomes more serious when multiple service accounts, API credentials, and admin sessions are involved. The practical conclusion is that outsourcing governance must be continuously reconciled with the identities actually able to operate the service.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a deeper control lens, see NHI Lifecycle Management Guide for how lifecycle discipline changes when access must be revoked, rotated, and audited across delegated services.

What this signals

Visibility debt: The outsourcing problem in MaRisk programmes is often not that controls are absent, but that no one can prove which identities still have authority inside provider-managed environments. When access maps drift from reality, the institution loses the ability to test control effectiveness, which is exactly what supervisors probe. For a standards lens, align the evidence trail to NIST Cybersecurity Framework 2.0 governance and protection outcomes.

Expect identity evidence to become a more central audit artefact as regulated outsourcing expands across cloud and managed services. The practical test is whether access removal, session logging, and ownership reconciliation can be demonstrated quickly, not whether the policy exists on paper.

The organisations that will move fastest are those that stop treating outsourced access as a static vendor record and start treating it as a live governance object. That means joining contract data, privileged access data, and lifecycle events into one operating view.


For practitioners

  • Reconcile outsourced services to live identities: Inventory every privileged account, service account, API key, and certificate tied to outsourced functions, then map each one to a business owner and termination path.
  • Tie access reviews to outsourcing criticality: Increase review frequency and evidence depth for critical and important functions, and require reviewers to confirm current access, not just contract status.
  • Test exit and revocation before renewal: Run exit exercises that remove provider access from production, validate revocation of delegated credentials, and confirm the service still meets recovery expectations.
  • Use PAM evidence as audit material: Capture privileged session logs, approval records, and authentication traces so supervisors can verify that administrative activity remained bounded and attributable.
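The reconciliation described in the "Outsourcing register quality" section and in the first practitioner bullet above can be run as a routine check rather than a periodic spreadsheet exercise. The following is an added example, not code from Imprivata or NHIMG: it assumes a hypothetical register row model (`Outsourcing`) and credential inventory model (`Credential`), a five-day revocation SLA, and a 90-day staleness window, and it uses a constructed register and credential list as sample input. It produces the signals the "Key questions" section names (orphaned credentials, delayed revocation, unreviewed sub-outsourcing, missing ownership) plus a headline control-gap metric.

```python
"""Reconcile an outsourcing register against the credentials that can still act.

Added example with an assumed data model; the register and credential
inventory below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Outsourcing:
    """One row of the outsourcing register (assumed fields)."""
    provider: str
    service: str
    status: str                       # "active" or "terminated"
    end_date: date | None = None      # set when status == "terminated"
    critical: bool = False            # critical or important function
    sub_outsourcers: list[str] = field(default_factory=list)
    sub_outsourcing_reviewed: bool = True


@dataclass
class Credential:
    """A non-human identity tied to a provider (assumed fields)."""
    cred_id: str
    kind: str                         # service_account, api_key, certificate
    provider: str
    enabled: bool
    privileged: bool = False
    owner: str | None = None          # accountable business owner
    last_used: date | None = None
    expires: date | None = None


def reconcile(register, credentials, today, revocation_sla_days=5, stale_days=90):
    """Return (finding_type, subject, detail) tuples for every gap between
    what the register says and what can still authenticate."""
    rows = {r.provider: r for r in register}
    findings = []
    for c in credentials:
        r = rows.get(c.provider)
        if r is None:
            # Authority exists outside the register entirely.
            findings.append(("UNREGISTERED_PROVIDER", c.cred_id,
                             f"{c.kind} for {c.provider} has no register entry"))
            continue
        if r.status == "terminated" and c.enabled:
            # Contract ended but the credential was never revoked.
            delay = (today - r.end_date).days
            kind = "ORPHANED" if delay > revocation_sla_days else "REVOCATION_PENDING"
            findings.append((kind, c.cred_id,
                             f"contract ended {delay} days ago, credential still enabled"))
        if c.enabled and c.owner is None:
            findings.append(("NO_OWNER", c.cred_id, "no accountable business owner recorded"))
        if c.enabled and c.privileged and (
                c.last_used is None or (today - c.last_used).days > stale_days):
            findings.append(("STALE_PRIVILEGED", c.cred_id,
                             f"privileged credential unused for more than {stale_days} days"))
        if c.enabled and c.expires is not None and c.expires < today:
            findings.append(("EXPIRED_BUT_ENABLED", c.cred_id,
                             f"expired {c.expires.isoformat()} but not revoked"))
    for r in register:
        if r.status == "active" and r.sub_outsourcers and not r.sub_outsourcing_reviewed:
            findings.append(("UNREVIEWED_SUB_OUTSOURCING", r.provider,
                             f"sub-outsourcers {', '.join(r.sub_outsourcers)} not reviewed"))
    return findings


def control_gap(register, credentials, today):
    """Headline metric: (enabled credentials the register cannot justify,
    all enabled credentials)."""
    enabled = [c for c in credentials if c.enabled]
    unjustified = {subject for kind, subject, _ in reconcile(register, credentials, today)
                   if kind in ("ORPHANED", "REVOCATION_PENDING", "UNREGISTERED_PROVIDER")}
    return len(unjustified), len(enabled)


# Constructed sample data: one live provider with an unreviewed sub-outsourcer,
# two terminated contracts, and one provider that was never registered.
TODAY = date(2026, 2, 19)
REGISTER = [
    Outsourcing("CloudOps GmbH", "core banking hosting", "active", critical=True,
                sub_outsourcers=["DC-Nord AG"], sub_outsourcing_reviewed=False),
    Outsourcing("PayGate Ltd", "payment gateway", "terminated", end_date=date(2026, 1, 15)),
    Outsourcing("MonitorIT", "log monitoring", "terminated", end_date=date(2026, 2, 17)),
]
CREDENTIALS = [
    Credential("svc-cloudops-admin", "service_account", "CloudOps GmbH", True,
               privileged=True, owner="Head of IT Ops", last_used=date(2026, 2, 18)),
    Credential("svc-cloudops-deploy", "service_account", "CloudOps GmbH", True,
               privileged=True, owner="Head of IT Ops", last_used=date(2025, 9, 1)),
    Credential("key-paygate-api", "api_key", "PayGate Ltd", True, owner="Payments"),
    Credential("cert-paygate-mtls", "certificate", "PayGate Ltd", False, expires=date(2026, 6, 1)),
    Credential("key-monitorit", "api_key", "MonitorIT", True, owner="SecOps"),
    Credential("svc-legacy-backup", "service_account", "TapeVault KG", True, privileged=True),
]

if __name__ == "__main__":
    for kind, subject, detail in reconcile(REGISTER, CREDENTIALS, TODAY):
        print(f"{kind:28} {subject:22} {detail}")
    print("control gap (unjustified / enabled):", control_gap(REGISTER, CREDENTIALS, TODAY))
```

On the sample data the run flags the PayGate API key as orphaned (35 days past contract end), the MonitorIT key as pending revocation (2 days), the backup service account as belonging to a provider with no register entry, the CloudOps deploy account as stale privileged access, and CloudOps' sub-outsourcer as unreviewed; the disabled PayGate certificate is correctly ignored. The control-gap figure (3 of 5 enabled credentials unjustified) is the kind of number an auditor can test, which a register status column alone cannot provide.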

Key takeaways

  • MaRisk and DORA turn outsourced identity access into a control boundary that auditors can test directly.
  • The strongest evidence is not policy wording but live proof of who can still authenticate and administer inside outsourced services, and whether that access can be removed cleanly at exit.
  • Banks and insurers should reconcile outsourcing registers to real entitlements, because stale access is a governance failure even when the contract looks current.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) describe the technical control outcomes, while DORA defines the regulatory obligations.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Managing identities and credentials for users, services, and hardware is central to outsourced control assurance.
NIST Zero Trust (SP 800-207) | | Zero Trust supports continuous verification of provider access in outsourced services.
DORA | | DORA directly governs ICT third-party resilience and auditability in regulated outsourcing.

Map outsourced privileged access to identity enforcement and verify it through recurring evidence reviews.


Key terms

  • Outsourcing governance: The set of controls used to keep delegated services under management control, legal accountability, and audit scrutiny. In regulated environments it covers ownership, access, review, monitoring, and exit readiness, not just contract administration or vendor oversight.
  • Privileged access: Administrative or high-impact access that can change configurations, data, or control settings. In outsourcing programmes, privileged access is the point where third-party operations become governance-critical because it creates the greatest audit and resilience exposure.
  • Identity lifecycle: The end-to-end management of an identity from creation through review, change, suspension, and removal. For non-human identities in outsourcing, lifecycle discipline determines whether access disappears when the service relationship ends or persists as hidden authority.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: MaRisk and DORA outsourcing governance with identity controls. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org