By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecurityScorecardPublished December 19, 2025

TL;DR: Recurring themes across third-party breaches, software supply chain attacks, nation-state activity, and regulatory readiness emerged in Q1 2025 coverage, according to SecurityScorecard, with media picking up reports on vendor-driven exposure, North Korean hacking groups, DeepSeek, and insurance-sector breach patterns. The signal for practitioners is clear: third-party governance is becoming a board-level control problem, not a narrow vendor-management task.


At a glance

What this is: This roundup compiles SecurityScorecard’s Q1 2025 press coverage and its main finding is that third-party exposure, supply chain compromise, and cyber risk governance remain central enterprise concerns.

Why it matters: It matters because IAM, PAM, NHI, and security teams need a clearer view of how external dependencies, credentials, and delegated access expand attack surface across human and non-human identity programmes.

👉 Read SecurityScorecard's Q1 2025 coverage roundup on third-party breaches and supply chain risk


Context

Third-party risk becomes a governance problem when organisations rely on outside systems, vendors, and delegated access paths that sit beyond direct operational control. In this Q1 2025 coverage roundup, the common thread is not any single incident, but the recurring exposure created when external relationships become part of the attack surface.

For identity and access teams, the bridge is obvious. Third-party compromise often turns into credential abuse, secret leakage, or overbroad access that bypasses the controls meant to protect human identities and non-human identities alike. That makes this a programme issue for IAM, PAM, NHI governance, and broader cyber risk management, not just a procurement concern.


Key questions

Q: How should security teams govern third-party access in identity programs?

A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process. Review not only what the supplier account can do directly, but also what it can reach through connected applications and delegated trust. That approach reduces hidden blast radius and makes supplier access auditable.

Q: Why do third-party breaches often become identity problems?

A: Third-party breaches become identity problems because attackers usually exploit the trust already extended to a supplier, partner, or managed service. That trust may include federated login, API credentials, or privileged service accounts. Once those identities are abused, the attacker can operate inside normal business workflows instead of breaking through technical barriers.

Q: What do security teams get wrong about software supply chain risk?

A: They often focus on known vulnerabilities inside dependencies and miss the trust path that delivers the software. Signed artifacts, build integrity, and separation of duties matter because attackers frequently abuse the pipeline rather than the package itself. Supply chain governance has to cover provenance, promotion, and update trust.

Q: Who is accountable when a vendor compromise creates internal access risk?

A: Accountability sits with both the business owner of the integration and the identity team that approved the trust path. Procurement may own the contract, but IAM owns the access relationship. If the downstream system still trusts the supplier after compromise, the governance gap is in access design as much as in vendor oversight.


Technical breakdown

How third-party risk becomes an identity control problem

Third-party risk becomes an identity problem when a supplier, partner, or service provider is granted credentials, API access, federation, or operational trust that outlives the business need. In practice, the attack surface is created by delegated authentication, lingering service accounts, and weak offboarding across external relationships. Once an attacker compromises the third party, they often inherit the trust already extended to it. That shifts the security challenge from perimeter defence to lifecycle control, entitlement review, and continuous monitoring of external access paths.

Practical implication: Map every external trust path to an owner, a purpose, and a revocation process before the relationship becomes an uncontrolled access channel.

Why supply chain attacks magnify non-human identity exposure

Software supply chain attacks are especially dangerous because they often target the identities that make software delivery work: tokens, signing keys, package credentials, and CI/CD service accounts. Attackers do not need to break the whole environment if they can compromise a build dependency or a developer workflow that already has privileged access. This is where NHI governance becomes central. The same secret or token used to automate releases can also automate compromise if it is exposed, overprivileged, or difficult to rotate. The governance gap is usually not visibility alone, but lifecycle discipline.

Practical implication: Treat CI/CD tokens, package-publishing credentials, and signing keys as high-risk NHIs with explicit inventory, rotation, and scope limits.

What regulatory readiness means when cyber risk is third-party driven

Regulatory readiness now depends on whether organisations can show control over outsourced risk, not just internal hygiene. That includes evidence for third-party due diligence, access restrictions, incident reporting, and operational resilience across critical suppliers. For security leaders, the issue is not whether a breach happened inside the enterprise boundary. It is whether governance can prove that third-party access was necessary, constrained, reviewed, and recoverable. In financial services and critical infrastructure especially, this turns third-party oversight into a control assurance exercise, not a checkbox.

Practical implication: Align vendor oversight, access review, and resilience testing to the control evidence regulators will expect during an incident review.


NHI Mgmt Group analysis

Third-party compromise is now an identity governance issue, not just a supplier risk issue. When external systems can authenticate into internal environments, the security boundary is defined by trust relationships, not network location. That means IAM and PAM teams have to govern supplier access with the same discipline they apply to internal privileged access, including lifecycle review and offboarding. The practitioner takeaway is simple: vendor trust without identity lifecycle control is an open-ended exposure.

Non-human identity sprawl is the hidden amplifier in software supply chain attacks. Build systems, deployment pipelines, package registries, and automation tools all rely on machine credentials that are easy to inherit and hard to audit. Once those credentials are exposed, attackers can move faster than human review cycles can respond. The named concept here is delegated trust drift: access granted for one integration slowly expands into broader operational privilege. The practitioner conclusion is to treat every integration credential as a governed identity, not a technical convenience.

Regulatory readiness is shifting from policy existence to control evidence. Media attention around third-party breaches and nation-state-linked supply chain activity increases scrutiny on whether organisations can prove access boundaries, supplier oversight, and incident recovery. Frameworks such as the NIST Cybersecurity Framework 2.0 and MITRE ATT&CK Enterprise Matrix are useful because they connect governance to operational detection and response. The practitioner takeaway is that board reporting now needs control evidence, not just risk statements.

Security ratings and breach reporting only matter when they change decision-making. A recurring theme in this coverage is that external exposure becomes actionable only when organisations can connect it to concrete identity controls, supplier management, and remediation ownership. That is where the work moves from awareness to programme design. The practitioner conclusion is to use third-party risk signals to drive access reviews, supplier tiering, and exception handling, not just reporting.

Nation-state supply chain tradecraft should reset assumptions about trust in developer ecosystems. Reporting on North Korean activity and developer-targeted attacks shows how adversaries exploit ecosystems built on reuse, automation, and rapid publishing. That environment rewards speed, but it also hides privilege concentration and secret exposure. Practitioners should treat developer tooling, package workflows, and automation secrets as part of the identity fabric that must be governed end to end.

What this signals

Third-party risk programmes are moving toward identity-centric evidence, because organisations can no longer separate supplier assurance from access governance. The practical shift is toward tighter ownership, faster offboarding, and better visibility into where external credentials are used across cloud, SaaS, and automation layers.

Delegated trust drift: the longer an external identity remains active, the more likely it is to accumulate privilege beyond the original use case. That means access reviews need to examine actual usage, not just approval history, and they should be paired with continuous control checks rather than one-off attestations.

If your programme already tracks supplier access, the next maturity step is to connect it to secret rotation, machine identity inventory, and incident response evidence. That aligns directly with the control expectations reflected in the NIST Cybersecurity Framework 2.0 and helps make third-party risk measurable rather than anecdotal.


For practitioners

  • Inventory every third-party trust path Document which vendors, partners, and managed services can authenticate into your environment, what they can reach, and who owns revocation when the relationship ends.
  • Classify automation credentials as governed NHIs Include CI/CD tokens, signing keys, API keys, and package-publishing secrets in the same inventory and review process used for privileged human access.
  • Shorten supplier access review cycles Move external access certification from annual review to a risk-based cadence that reflects how quickly compromise can propagate through delegated trust paths.
  • Tie third-party oversight to incident evidence Prepare to show supplier due diligence, access constraints, and revocation records during regulatory or customer scrutiny after a breach.
  • Use external exposure signals to trigger control action When third-party breach reporting indicates elevated risk, force entitlement review, secret rotation, and escalation paths for affected integrations.

Key takeaways

  • Q1 2025 coverage shows that third-party compromise is no longer a side issue, because it often becomes the path into identity, access, and resilience failures.
  • The underlying evidence points to supplier trust, automation credentials, and supply chain dependencies as the most important control surfaces to govern.
  • Practitioners should respond by tightening external access lifecycle controls, improving secret governance, and turning third-party risk into auditable control evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.SC-1Third-party supply chain governance is the article's core theme.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe coverage highlights credential theft and downstream movement through trusted relationships.
OWASP Non-Human Identity Top 10NHI-03Machine credentials and automation secrets are a recurring risk in supply chain compromise.
NIST SP 800-53 Rev 5AC-20External system connections and supplier access need explicit restrictions.
DORAFinancial services resilience and third-party oversight are directly implicated.

Map supplier access and exposure review to GV.SC-1 and document ownership for every external trust path.


Key terms

  • Delegated Trust Path: A route into an environment created by an already-approved relationship such as OAuth, service account delegation, or API connectivity. These paths are attractive to attackers because they often inherit trust from the original configuration and can bypass direct user interaction.
  • Delegation Drift: Delegation drift is the gradual accumulation of excessive or outdated access in groups, roles, and admin pathways. It weakens governance because identity state changes faster than teams review it, creating privilege escalation paths that are easy to miss during normal operations.
  • Non-Human Identity: A non-human identity is a machine or software credential used by services, workloads, pipelines, bots, or AI systems to authenticate and perform actions. These identities need inventory, ownership, scope control, and lifecycle management because they often carry high privilege and can be abused quickly.
  • Software Supply Chain Attack: A software supply chain attack targets the path software takes from source code to production. The attacker corrupts code, dependencies, build steps, or artifacts so that trusted delivery mechanisms spread malicious logic into environments that would otherwise reject direct intrusion.

What's in the full article

SecurityScorecard's full Q1 2025 coverage roundup covers the operational detail this post intentionally leaves for the source:

  • Named media placements across North America, EMEA, and APAC that show how the reports were framed in regional coverage.
  • Specific coverage of the Global Third-Party Breach Report and STRIKE Threat Intelligence research on North Korean activity and DeepSeek.
  • Executive bylines and commentary that expand on third-party breach trends, software supply chain attacks, and regulatory readiness.
  • The press list and citation trail needed if you want to trace which findings received the widest practitioner attention.

👉 SecurityScorecard's full Q1 2025 roundup includes the press list, report mentions, and executive commentary behind these coverage themes.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It is built for practitioners who need to translate identity risk into measurable programme outcomes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org