TL;DR: Sisense’s breach highlights how third-party compromise can turn identity trust into a supply chain problem, with Saviynt tying the incident to broader concerns about major supply chain attacks and downstream exposure. The lesson for practitioners is that vendor access, not just perimeter defense, now sits inside the identity threat model.
At a glance
What this is: This is a short analysis of the Sisense breach and the broader rise of supply chain attacks through third-party access and compromised credentials.
Why it matters: It matters because IAM, NHI, and PAM teams need to treat vendor access and delegated identity as first-class attack paths, not peripheral exceptions.
👉 Read Saviynt's analysis of the Sisense breach and supply chain identity risk
Context
Supply chain attacks become an identity problem when a third party can reach your environment through a trusted account, token, or integration. In this case, the practical question is not only how the breach happened, but how identity trust was allowed to extend across organisational boundaries without enough containment.
For IAM and NHI programmes, that means treating external access as a lifecycle issue as much as a security issue. When vendor credentials, integrations, or privileged connections are left too broad for too long, a single compromise can create enterprise-wide exposure.
Key questions
Q: What breaks when supplier access is not tightly governed?
A: When supplier access is not tightly governed, a compromise in the third party can become your compromise. The main failure is trust inheritance: broad vendor permissions, stale integrations, and weak offboarding let attackers move from one trusted identity into multiple internal systems before detection. The practical risk is an outsized blast radius from a single external account.
Q: Why do third-party credentials increase supply chain risk?
A: Third-party credentials increase supply chain risk because they often combine standing privilege with broad operational reach. A vendor token or support account may touch production systems, sensitive data, or automation workflows. If that identity is stolen or misused, the attacker does not need to defeat your primary perimeter first. They can operate through an allowed path.
Q: How do teams know if supplier identity governance is working?
A: Supplier identity governance is working when every external account has a clear owner, a narrow purpose, an expiry or review date, and continuous monitoring. If access persists after the business need ends, or if no one can explain why an integration still exists, the programme is not controlling the real risk.
Q: Who is accountable when a supplier compromise exposes internal systems?
A: Accountability usually sits with the organisation that granted and failed to govern the access, even if the initial compromise occurred at the supplier. Legal, procurement, security, and identity teams all need a shared process for approving, reviewing, and revoking external access. If no owner can answer for the identity, the control failed before the incident did.
Technical breakdown
Third-party access creates a hidden trust boundary
Supply chain compromise rarely starts with your own users. It often starts with a vendor, integration partner, or managed service that already has a path into your environment through SSO, API access, service credentials, or delegated admin rights. Once that path exists, the real risk is not just initial compromise but how much trust is inherited by default. Identity controls that assume the external party is already vetted at all times do not provide enough segmentation when the supplier environment is itself the entry point.
Practical implication: map every external identity path and reduce each one to the smallest possible scope, session, and system boundary.
Why compromised credentials turn supply chain incidents into lateral movement
When an attacker gets hold of a vendor account or secret, the next step is often to reuse that identity where it already has legitimate access. That can mean jumping from a SaaS integration into downstream systems, moving through API-driven workflows, or abusing standing privileges that were never intended to be persistent. The technical issue is not only credential theft. It is the combination of over-scoped trust, weak segmentation, and insufficient monitoring of non-human or third-party identities.
Practical implication: enforce tighter privilege boundaries, monitor unusual supplier account behaviour, and assume inherited access will be targeted.
Identity governance has to include offboarding and integration review
Many supply chain exposures persist because access was granted for a business relationship and never re-evaluated when the relationship changed. That is a governance failure, not just a detection failure. In practice, third-party identities need the same lifecycle discipline as internal ones: periodic review, explicit ownership, revocation on contract change, and validation that integrations still require the access they hold. If a supplier compromise can travel through your environment, then the problem is not only threat detection. It is access governance across organisational lines.
Practical implication: build supplier access review into identity governance, not into procurement or audit as a separate activity.
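The governance test in the key questions above (owner, purpose, review date, revocation on contract change, narrow scope) can be run mechanically over an inventory of third-party identity paths. The following is an added example written for this post, not Saviynt's or NHIMG's code; the inventory entries, scope strings and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_DATE = date(2026, 6, 9)  # constructed "today" for the review run

@dataclass(frozen=True)
class SupplierIdentity:
    name: str
    kind: str                    # e.g. "oauth-token", "api-key", "delegated-admin"
    owner: Optional[str]         # internal person accountable for this access path
    purpose: Optional[str]       # business function the access exists to serve
    review_due: Optional[date]   # next re-certification date, None if never set
    contract_active: bool        # does the business relationship still exist?
    scopes: tuple                # granted permissions; "*" or "x:*" marks a wildcard

def review_identity(ident: SupplierIdentity, today: date) -> list:
    """Return governance findings for one external identity; [] means compliant."""
    findings = []
    if not ident.owner:
        findings.append("no-owner")
    if not ident.purpose:
        findings.append("no-purpose")
    if ident.review_due is None:
        findings.append("no-review-date")
    elif ident.review_due < today:
        findings.append("review-overdue")
    if not ident.contract_active:
        findings.append("revoke-contract-ended")   # access outlived the relationship
    if any(s == "*" or s.endswith(":*") for s in ident.scopes):
        findings.append("overbroad-scope")
    return findings

def review_inventory(inventory, today: date) -> dict:
    """Map each identity name to its findings so owners can be chased per item."""
    return {ident.name: review_identity(ident, today) for ident in inventory}

# Constructed sample inventory (hypothetical supplier paths).
SAMPLE_INVENTORY = (
    SupplierIdentity("bi-vendor-oauth", "oauth-token", "data-platform-lead",
                     "nightly warehouse sync", date(2026, 9, 1), True, ("warehouse:read",)),
    SupplierIdentity("legacy-support-admin", "delegated-admin", None, None,
                     date(2024, 1, 15), True, ("*",)),
    SupplierIdentity("old-integrator-key", "api-key", "platform-eng",
                     "migration project", date(2026, 12, 1), False, ("crm:*",)),
)

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(name, "OK" if not findings else ", ".join(findings))
```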
Threat narrative
Attacker objective: The attacker aims to turn trusted supplier access into broader environment compromise without having to break the primary perimeter directly.
- Entry occurs through a trusted third-party access path, such as a supplier account, integration, or exposed credential that already bridges into the victim environment.
- Escalation happens when the compromised identity is used with more access than it needs, allowing the attacker to move from a single trusted connection into broader internal systems.
- Impact follows when supplier trust becomes a delivery path for data exposure, operational disruption, or wider compromise across connected services.
Breaches seen in the wild
- Shai Hulud npm malware campaign — npm malware exposed secrets on GitHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Supply chain compromise is now an identity governance problem, not only a vendor risk problem. The Sisense breach reinforces a pattern NHIMG has seen repeatedly: trusted third-party access becomes the shortest path into environments that otherwise appear well defended. That means procurement assurance and security questionnaires are not enough on their own. Practitioners need to govern the identity paths suppliers use, because those paths are what attackers actually inherit.
Third-party access without lifecycle offboarding is the governance gap this class of breach exposes. Access granted for integration, support, or delivery work often outlives the business reason it was created. Once that happens, external identities become standing risk instead of conditional access. The implication is simple: if vendor access is not continuously reviewed and explicitly owned, it becomes an untracked extension of your attack surface.
Identity blast radius is the right concept to name this problem. A single compromised supplier credential can cascade across SaaS, cloud, and downstream systems when trust has been overextended. The issue is not just credential exposure, but how far that exposure can travel before containment begins. Practitioners should judge every third-party identity by the maximum blast radius it can create, not by the convenience it provides.
PAM and IGA controls must be applied to suppliers with the same discipline used for internal privileged users. External support paths, admin accounts, and API-based integrations often receive looser governance than employee access, even though the operational impact can be equal or greater. NHIMG’s view is that this separation is no longer defensible. The programme question is whether supplier identities are governed as high-risk identities from day one.
Supply chain attack patterns are converging with NHI governance weaknesses. Many breaches that are described as vendor incidents are actually failures to control machine-to-machine trust, secret sprawl, and delegated privilege. That makes NHI visibility and third-party identity review central to resilience. Teams that still treat suppliers as an edge case will continue to miss the real control point.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the broader control pattern behind supplier and machine identity exposure, see 52 NHI Breaches Analysis, which maps repeated failure modes across real incidents.
What this signals
Identity blast radius is becoming the more useful operational metric for supply chain risk. If a third-party account can reach production data, admin functions, or automation pipelines, then the question is not whether the supplier is trusted in principle, but how far that trust travels in practice.
With 72% of organisations reporting or suspecting an NHI breach in our 2024 ESG Report on Non-Human Identities, the control gap is no longer edge-case territory. Teams should expect third-party access reviews, secret governance, and offboarding discipline to be part of routine identity operations.
Supplier compromise and machine identity exposure now overlap in the same programme decisions. If your organisation already uses the Ultimate Guide to NHIs as a reference point, the next step is to make sure third-party access is governed with the same lifecycle rigour as internal NHI.
For practitioners
- Inventory every supplier identity path: Map accounts, tokens, API keys, certificates, and delegated admin links that let third parties reach production systems. Include support portals, cloud integrations, and automation accounts so the review reflects real access, not just contractual relationships.
- Scope vendor access to explicit business functions: Replace broad shared access with narrowly assigned permissions tied to named systems, named data sets, and named support workflows. Remove inherited privileges that are only present because an integration was created years ago.
- Tie third-party access to lifecycle events: Revoke or re-certify supplier access when contracts change, support ends, ownership changes, or integrations are retired. Treat these events as mandatory identity review triggers rather than informal reminders.
- Monitor anomalous behaviour on external identities: Alert on unusual source locations, unexpected API sequences, privilege escalation, and access outside normal service windows. The goal is to detect when a trusted supplier account starts acting like an attacker foothold.
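The monitoring step above is concrete enough to express as detection logic: a per-supplier baseline (documented source network, service window, expected actions) checked against each access event. This is an added example written for this post, not code from Saviynt or NHIMG; the account name, network ranges, action names and log lines are all constructed.

```python
import ipaddress
from datetime import datetime

# Constructed baseline for one supplier support account (hypothetical values).
SUPPLIER_PROFILE = {
    "account": "svc-vendor-support",
    "allowed_networks": ["203.0.113.0/24"],   # vendor's documented egress range
    "service_window_utc": (8, 18),             # contracted support hours, 08:00-18:00 UTC
    "expected_actions": {"ticket.read", "log.read", "config.read"},
}
# Actions that change who can do what; never expected from a support account.
PRIVILEGED_ACTIONS = {"role.assign", "user.create", "policy.update", "key.create"}

# Constructed audit lines: "<iso-timestamp> <account> <source-ip> <action>"
SAMPLE_LOGS = """
2026-06-09T09:12:03Z svc-vendor-support 203.0.113.17 ticket.read
2026-06-09T10:01:44Z svc-vendor-support 203.0.113.17 log.read
2026-06-09T02:47:10Z svc-vendor-support 198.51.100.9 config.read
2026-06-09T02:48:02Z svc-vendor-support 198.51.100.9 secret.list
2026-06-09T02:48:30Z svc-vendor-support 198.51.100.9 role.assign
""".strip().splitlines()

def parse(line: str):
    ts, account, ip, action = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, account, ipaddress.ip_address(ip), action

def evaluate(line: str, profile=SUPPLIER_PROFILE) -> list:
    """Return the alert labels a single event raises against the supplier baseline."""
    when, account, ip, action = parse(line)
    if account != profile["account"]:
        return []                                  # not this supplier's identity
    alerts = []
    if not any(ip in ipaddress.ip_network(n) for n in profile["allowed_networks"]):
        alerts.append("unexpected-source")
    start, end = profile["service_window_utc"]
    if not start <= when.hour < end:
        alerts.append("outside-service-window")
    if action in PRIVILEGED_ACTIONS:
        alerts.append("privilege-change")
    elif action not in profile["expected_actions"]:
        alerts.append("unexpected-action")
    return alerts

def scan(lines, profile=SUPPLIER_PROFILE) -> list:
    """Return (line, alerts) for every event that raised at least one alert."""
    hits = []
    for line in lines:
        alerts = evaluate(line, profile)
        if alerts:
            hits.append((line, alerts))
    return hits

if __name__ == "__main__":
    for line, alerts in scan(SAMPLE_LOGS):
        print(", ".join(alerts), "<-", line)
```

The two daytime reads from the documented range raise nothing, while the three night-time events from an undocumented address escalate from out-of-window access to an unexpected action and finally a privilege change, which is the "trusted account acting like a foothold" pattern the step describes.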
Key takeaways
- The Sisense breach illustrates a broader supply chain reality: external access paths can become the primary entry point when identity trust is overextended.
- NHIMG research shows the pattern is widespread, with 72% of organisations saying they have experienced or suspect an NHI breach.
- Teams should respond by inventorying supplier identities, tightening access scope, and making offboarding and review mandatory parts of governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Third-party access and secret exposure are central to supply chain compromise. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control applies directly to supplier identities. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust segmentation helps constrain trust inherited through vendor connections. |
Limit third-party permissions to the minimum required and review them on every lifecycle change.
Key terms
- Third-party identity: A third-party identity is an account, token, certificate, or integration used by an external supplier to access your environment. It matters because the organisation often controls the access path but does not fully control the external party's security posture or operational discipline.
- Identity blast radius: Identity blast radius is the amount of damage a compromised identity can cause before it is contained. For supplier and machine accounts, the blast radius depends on scope, privilege, connectivity, and whether the access is still required. Reducing it is a core governance objective.
- Standing privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. In third-party environments, standing privilege creates durable attack paths because a stolen account can be reused immediately without waiting for approval or re-authentication.
- Lifecycle offboarding: Lifecycle offboarding is the process of removing access when a business relationship, role, or system use case ends. For external identities, offboarding is essential because dormant access often survives long after the original contract, project, or support need has changed.
What's in the full article
Saviynt's full article covers the operational detail this post intentionally leaves for the source:
- The specific supplier and supply chain incidents referenced in the news roundup, including the context behind the Sisense breach.
- The vendor's framing of how third-party attacks relate to identity security platform strategy and product positioning.
- The other linked security stories in the roundup, which provide additional incident context beyond this post's identity-focused analysis.
- The source article's broader editorial context around recent cyber risk developments and identity security coverage.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org