TL;DR: Third-party compromise remains a practical route into enterprise environments, and the Sisense breach example underscores how supply chain exposure can cascade into identity and data risk, according to Saviynt. The lesson is that governance must extend beyond direct systems of record to the external services and credentials that can reach them.
At a glance
What this is: This is an independent analysis of a Sisense-related supply chain breach discussion and the growing risk that third-party compromise can bypass conventional identity boundaries.
Why it matters: It matters because IAM and NHI teams have to govern external trust paths, not just internal accounts, when vendors, integrations, and credentials sit inside the blast radius.
👉 Read Saviynt's coverage of the Sisense supply chain breach
Context
Supply chain attacks matter for identity security because the first trusted hop is often outside the enterprise, while the security impact lands inside it. When a third-party service, integration, or credential path is compromised, IAM controls can still be perfectly configured and still fail to stop the downstream exposure. That makes NHI governance a supplier-risk problem as much as an access-control problem.
The article points to a pattern practitioners already know: external dependencies can turn into identity shortcuts, and those shortcuts are difficult to inventory after the fact. For security teams, this is a reminder that third-party access, delegated tokens, and service credentials need the same scrutiny as employee identities. Starting from the position that supply chain risk is merely an adjacent issue is increasingly atypical.
At a technical level, supply chain compromise often succeeds because the trusted path is more useful to an attacker than a noisy direct intrusion. Once a vendor foothold or exposed integration is present, the attacker may not need to break authentication in the usual sense. They can instead ride the trust already embedded in NHI relationships, which is why conventional perimeter thinking misses the point.
Key questions
Q: How should security teams govern third-party access in identity programs?
A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process. Review not only what the supplier account can do directly, but also what it can reach through connected applications and delegated trust. That approach reduces hidden blast radius and makes supplier access auditable.
Q: Why do supply chain attacks matter to NHI governance?
A: Because many supply chain compromises succeed through non-human identities, such as integrations, tokens, and service accounts, rather than through a user login. NHI governance determines whether those identities are scoped narrowly, rotated, monitored, and removed when no longer needed. Without that control, supplier compromise becomes enterprise compromise.
Q: What is the difference between third-party risk management and NHI governance?
A: Third-party risk management asks whether a supplier should be trusted at all, while NHI governance asks how that trust is technically expressed and constrained. In practice, both are needed. A supplier can be approved contractually and still be over-privileged operationally if its tokens, scopes, or service accounts are not tightly controlled.
Q: How can teams reduce blast radius from vendor integrations?
A: Limit each integration to the smallest viable scope, give it a short validity window, and attach an explicit owner who can revoke it quickly. Then test what happens when the integration is disabled so you know whether dependent systems fail safely. Those steps make blast radius measurable and controllable.
Technical breakdown
Why supply chain compromise becomes an identity problem
A supply chain attack turns into an identity problem when the attacker uses trusted connections, tokens, or integrations to move through systems that never meant to expose broad access. In NHI environments, those trusts are frequently service-to-service, vendor-to-cloud, or application-to-application. The failure mode is not only stolen secrets, but also over-scoped permissions, long-lived tokens, and weak visibility into who can act through a third party. Once those paths exist, normal authentication can still succeed while governance fails.
Practical implication: Map every external trust path to an owner, an expiry, and a revocation process.
Delegated access and token trust chains
Delegated access is common in modern SaaS and cloud architectures, but each delegation creates a trust chain that can be abused if the upstream account, connector, or secret is compromised. A token may not look privileged in isolation, yet it can inherit effective access through API scopes, role bindings, or downstream automation. That is why NHI security cannot stop at secret storage. It has to examine how identities are chained, what conditions activate access, and where the effective blast radius begins.
Practical implication: Review inherited scopes and remove any delegated access that exceeds a single task or integration need.
Why supply chain incidents evade traditional access reviews
Traditional access reviews are usually account-centric, but supply chain risk is relationship-centric. The question is not only whether an account still needs access, but whether a supplier, plugin, or automation path should exist at all. That is especially true for service accounts and API credentials that are created once and then reused across environments. If governance does not model external dependencies as first-class identities, the review process can certify access that already exceeds the intended trust boundary.
Practical implication: Extend review workflows to include vendors, integrations, and machine identities that were provisioned outside normal joiner-mover-leaver controls.
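The three points above (map every external trust path, review inherited rather than assigned scopes, and review relationships rather than accounts) come down to one calculation: what an external identity can reach once delegation chains are followed transitively. The following is an added example for this analysis, not Saviynt's or NHI Mgmt Group's code; every identity name, scope and trust edge in it is constructed, and `APPROVED_NEED` stands in for whatever the integration was actually approved to do.

```python
"""Effective reach ("identity blast radius") through a delegation chain.

Added example for this analysis, not Saviynt's or NHI Mgmt Group's code.
Every identity, scope and trust edge below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One delegation edge: `source` can reach `target` with `scope`."""
    source: str
    target: str
    scope: str


# Constructed trust map. The vendor connector is the external hop; its visible
# grant is a single read role, but that role can trigger an export job that
# writes to a bucket and reads a second warehouse.
TRUSTS = [
    Trust("vendor:analytics-connector", "role:bi-reader", "assume"),
    Trust("role:bi-reader", "warehouse:sales", "read"),
    Trust("role:bi-reader", "job:nightly-export", "trigger"),
    Trust("job:nightly-export", "bucket:exports", "write"),
    Trust("job:nightly-export", "warehouse:hr", "read"),
    Trust("role:support-agent", "ticketing:all", "read"),  # unrelated branch
]

# What the integration was approved to do (constructed task need).
APPROVED_NEED = {("role:bi-reader", "assume"), ("warehouse:sales", "read")}


def effective_reach(trusts, start):
    """Breadth-first walk over delegation edges from `start`.

    Returns {target: [Trust, ...]}: every node reachable transitively, with
    one path of hops showing *why* it is reachable. The `seen` set keeps
    cycles from looping."""
    adjacency = {}
    for t in trusts:
        adjacency.setdefault(t.source, []).append(t)
    reach = {}
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for t in adjacency.get(node, []):
            if t.target in seen:
                continue
            seen.add(t.target)
            reach[t.target] = path + [t]
            queue.append((t.target, reach[t.target]))
    return reach


def direct_grants(trusts, identity):
    """The permissions a reviewer sees on the identity itself."""
    return {t.target for t in trusts if t.source == identity}


def inherited_only(trusts, identity):
    """Blast radius minus the visible grant: what the identity reaches only
    by chaining through roles, jobs or other identities."""
    return set(effective_reach(trusts, identity)) - direct_grants(trusts, identity)


def excess_delegations(trusts, identity, approved_need):
    """Every (resource, scope) the identity can reach that the approved task
    does not justify. Sorted so report output is stable."""
    reach = effective_reach(trusts, identity)
    reached_pairs = {(target, hops[-1].scope) for target, hops in reach.items()}
    return sorted(reached_pairs - approved_need)


def describe_path(hops):
    """Render a hop list as 'a -(scope)-> b -(scope)-> c'."""
    return hops[0].source + "".join(f" -({h.scope})-> {h.target}" for h in hops)


if __name__ == "__main__":
    vendor = "vendor:analytics-connector"
    for target, hops in effective_reach(TRUSTS, vendor).items():
        print(f"{target:22} via {describe_path(hops)}")
    print("inherited only:", sorted(inherited_only(TRUSTS, vendor)))
    print("excess:", excess_delegations(TRUSTS, vendor, APPROVED_NEED))
```

Run as a script it prints, for the constructed connector, a visible grant of one role and an inherited reach of four further systems, three of which the approved task never needed. The same walk works on a real trust inventory once edges are exported from the IAM, SaaS and CI systems that hold them; the point of keeping the path per target is that an access review can show the reviewer the chain rather than a flat permission list.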
Threat narrative
Attacker objective: The attacker aims to convert third-party trust into durable access inside the victim environment without triggering the same controls used for direct intrusion.
- Entry occurs when an attacker compromises a trusted third-party service, integration, or credential path rather than attacking the primary target directly.
- Escalation follows when the attacker uses inherited permissions, API scopes, or connected automation to reach internal systems with legitimate-looking access.
- Impact occurs when the trusted path enables data exposure, lateral movement, or downstream compromise across the customer environment.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action was compromised and exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Supply chain risk is now an identity governance problem, not a vendor management sidebar. The operational reality is that external services often hold the same practical authority as internal accounts. That means IAM and NHI programmes have to govern trust boundaries, not just credentials. Practitioners should treat third-party access as a living identity relationship, not a procurement artifact.
Identity blast radius is the right concept for assessing third-party exposure. A single trusted integration can expose far more than its visible permissions suggest, especially when tokens, scopes, and downstream automation are layered together. The governance question is how far an attacker can move once they inherit that trust. Practitioners should measure blast radius before they measure control coverage.
Supply chain incidents expose a gap in many NHI inventories. Teams often know what they own, but not what their suppliers can reach on their behalf. That creates an incomplete access map and a false sense of review completeness. The practical conclusion is to inventory external identities with the same rigor used for internal service accounts.
Third-party compromise validates the need for continuous rather than point-in-time NHI control. When trust is distributed across integrations, static approvals age quickly and revocation becomes the meaningful control. This does not mean every supplier must be removed. It means each supplier relationship needs scoped access, short validity windows, and explicit operational ownership. Practitioners should build for revocation first.
Supply chain security will keep converging with workload identity governance. As more enterprise work is done through APIs, bots, and agents, the boundary between human vendor risk and machine identity risk disappears. That pushes the market toward controls that can detect, constrain, and expire non-human access in motion. Practitioners should plan for that convergence now.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the broader governance baseline, see Ultimate Guide to NHIs for lifecycle controls across discovery, rotation, and offboarding.
What this signals
Identity blast radius: the next programme metric for third-party risk is not how many suppliers you have, but how far each supplier can move once trusted credentials are compromised. That reframes supplier governance from an annual review exercise into an access containment problem. The organisations that can answer that question fastest will be better positioned to absorb supply chain incidents without losing control of the downstream environment.
With more than 1 in 5 non-human identities already considered insufficiently secured in our research, the governance gap is structural, not incidental. That matters because supplier integrations often sit outside the normal lifecycle processes used for workforce identities. Teams should bring external service accounts, tokens, and delegated access into the same review and revocation discipline as internal NHI populations.
For practitioners aligning to external guidance, the control logic maps naturally to NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10. The practical change is simple: measure external access the way you measure internal privilege, then remove anything that cannot be justified, monitored, and revoked on demand.
For practitioners
- Inventory every external trust path: Build a register of vendors, integrations, service accounts, and delegated tokens that can reach sensitive systems. Include scope, owner, renewal date, and revocation path so the inventory reflects real operational authority.
- Shorten the lifetime of supplier credentials: Replace long-lived API keys and shared secrets with short-duration credentials where possible, and rotate any remaining secrets on a fixed schedule tied to business need.
- Test revocation before an incident forces it: Run exercises that remove access from a third-party integration and verify that applications, pipelines, and support processes fail closed rather than silently retaining access.
- Review inherited permissions, not just assigned permissions: Check what a third-party token or service account can reach through chained roles, nested groups, and automation. Remove access that is only justified by historical convenience.
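The register the first step asks for is only useful if it is checked continuously for the properties the other steps depend on: an owner who can revoke, a documented revocation path, a bounded validity window, and no credential that is past its expiry yet still active. The following audit is an added example, not Saviynt's or NHI Mgmt Group's code; the register entries, the 90-day validity ceiling and the audit date are constructed assumptions, and the revocation drill itself remains an operational exercise this code does not replace.

```python
"""Audit a register of external trust paths for the hygiene the steps above
call for: owner, scope, expiry and revocation path on every entry, short
supplier credential lifetimes, and no expired-but-active credentials.

Added example for this analysis, not Saviynt's or NHI Mgmt Group's code.
The register entries, the 90-day ceiling and the audit date are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_VALIDITY = timedelta(days=90)  # assumed policy ceiling for supplier credentials
AUDIT_DATE = date(2026, 5, 1)      # constructed audit date


@dataclass
class TrustPath:
    id: str
    kind: str                        # vendor | integration | service-account | delegated-token
    reaches: tuple                   # sensitive systems the path can act on
    scope: str
    owner: Optional[str]
    issued: date
    expires: Optional[date]          # None means the credential never expires
    revocation_path: Optional[str]   # documented way to cut it off quickly
    active: bool = True


# Constructed register (not real vendors or systems).
REGISTER = [
    TrustPath("vendor-analytics-connector", "vendor", ("warehouse:sales", "bucket:exports"),
              "read,write", "data-platform", date(2025, 1, 15), None,
              "rotate connector secret in vendor console"),
    TrustPath("ci-deploy-token", "delegated-token", ("k8s:prod",), "deploy",
              None, date(2026, 4, 15), date(2026, 5, 15), "revoke token in CI settings"),
    TrustPath("svc-legacy-export", "service-account", ("warehouse:hr",), "read",
              "bi-team", date(2024, 6, 1), date(2024, 12, 1), None),
    TrustPath("support-plugin", "integration", ("ticketing",), "read",
              "itops", date(2026, 4, 20), date(2026, 6, 15), "disable OAuth app"),
    TrustPath("old-vendor", "vendor", ("warehouse:sales",), "read",
              "data-platform", date(2023, 1, 1), date(2023, 4, 1), "n/a", active=False),
]


def audit(register, today):
    """Return (path_id, code, detail) findings for every active entry."""
    findings = []
    for p in register:
        if not p.active:
            continue
        if not p.owner:
            findings.append((p.id, "no-owner", "nobody is accountable for revoking it"))
        if not p.revocation_path:
            findings.append((p.id, "no-revocation-path", "no documented way to cut access quickly"))
        if p.expires is None:
            findings.append((p.id, "no-expiry", "credential never expires"))
            continue
        validity = p.expires - p.issued
        if validity > MAX_VALIDITY:
            findings.append((p.id, "long-lived",
                             f"valid {validity.days} days, ceiling is {MAX_VALIDITY.days}"))
        if p.expires < today:
            findings.append((p.id, "expired-but-active",
                             f"expired {p.expires.isoformat()} and still marked active"))
    return findings


def worst_first(register, today):
    """Order flagged paths by finding count, then by how many sensitive
    systems they reach, so the widest blast radius is fixed first."""
    by_id = {p.id: p for p in register}
    counts = {}
    for path_id, _, _ in audit(register, today):
        counts[path_id] = counts.get(path_id, 0) + 1
    return sorted(counts, key=lambda i: (-counts[i], -len(by_id[i].reaches), i))


if __name__ == "__main__":
    for path_id, code, detail in audit(REGISTER, AUDIT_DATE):
        print(f"{path_id:28} {code:20} {detail}")
    print("fix order:", worst_first(REGISTER, AUDIT_DATE))
```

On the constructed register the audit flags the never-expiring vendor connector, the ownerless CI token, and a legacy service account that is long-lived, past its expiry and has no revocation path, while the properly bounded support plugin passes. Ranking by finding count and then by reach puts the legacy account first, which is the order the "build for revocation first" conclusion above implies.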
Key takeaways
- Supply chain compromise is increasingly an identity governance issue because trusted external paths can carry real authority into the enterprise.
- Non-human identities create hidden blast radius when vendor integrations, delegated tokens, and service accounts are not inventoried and constrained.
- Practitioners should govern third-party access with short-lived credentials, explicit ownership, and tested revocation so trust can be removed as quickly as it is granted.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Third-party credentials and rotation failures are central to supply chain exposure. |
| NIST CSF 2.0 | PR.AC-4 | Third-party access control and monitoring map directly to least-privilege governance. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero trust requires continuous verification of external trust relationships and access paths. |
Review supplier credentials against NHI-03 and shorten credential lifetime wherever possible.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, services, or machines rather than a person. It includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents. These identities often carry high privilege and require lifecycle controls just like workforce identities.
- Identity Blast Radius: Identity blast radius is the amount of access an identity can expose if it is compromised. It is not only the direct permissions attached to an account, but also the downstream systems, delegated scopes, and automated actions that identity can reach through trust relationships.
- Delegated Access: Delegated access is access granted through an intermediary trust relationship, such as a connected app, vendor integration, or service account. It can be convenient, but it also hides effective privilege because the real reach of the identity may be broader than its visible role assignment.
What's in the full analysis
Saviynt's full article covers the operational detail this post intentionally leaves for the source:
- The article's discussion of the specific Sisense breach context and how the supply chain angle surfaced in coverage.
- The vendor's own framing of why major supply chain incidents change how identity teams think about external trust.
- The surrounding news references that place this incident alongside other 2025 security and identity updates.
- The source page's broader commentary and links for readers who want the full publication context.
👉 Saviynt's full post covers the breach context and the surrounding identity risk discussion.
Deepen your knowledge
Supply chain trust paths and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for supplier access and delegated credentials, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org