By NHI Mgmt Group Editorial Team
Published 2026-03-23
Domain: Breaches & Incidents
Source: Saviynt

TL;DR: Third-party compromise increasingly reaches identity systems, credentials, and downstream data access, reinforcing a familiar pattern in 2025 attack reporting, according to Saviynt. When suppliers sit inside the trust path, IAM, NHI, and PAM controls inherit their failure modes.


At a glance

What this is: This is a news roundup item that uses the Sisense breach to highlight how supply chain compromise now intersects directly with identity security and third-party access.

Why it matters: It matters because IAM programmes that stop at employee identities miss the access paths, credentials, and delegated trust relationships that make supplier compromises operationally dangerous.

By the numbers:

👉 Read Saviynt's coverage of the Sisense breach and supply chain identity risk


Context

Supply chain attacks become an identity problem when a third party sits in the trust path, handles credentials, or has delegated access to systems that matter. The Sisense breach coverage appears in a broader stream of reporting that points to the same governance gap: organisations often know their suppliers, but not the identities and secrets those suppliers can use.

For IAM, NHI, and PAM teams, the lesson is that third-party risk is not only about contracts and due diligence. It is about whether supplier access is scoped, monitored, and revocable at the identity layer, including service accounts, tokens, and federated access.

That starting position is typical, not exceptional. Most enterprises still treat supplier access as an extension of procurement or security review rather than as a living identity lifecycle problem.


Key questions

Q: How should security teams govern third-party identities that can reach production systems?

A: Treat third-party identities as first-class assets with owners, scopes, expiry, and revocation paths. Require separate credentials for each environment, monitor actual usage, and include supplier accounts in access reviews and offboarding. If a vendor can reach production, its identities should be governed with the same discipline as privileged internal access.

Q: Why do supply chain attacks so often become identity incidents?

A: Because attackers rarely need to break the application when a trusted supplier identity already has the reach they want. Delegated access, long-lived secrets, and reused credentials let an intrusion move through trusted pathways. The identity layer becomes the real control plane, especially when access is broad and poorly segmented.

Q: What do security teams get wrong about third-party access reviews?

A: They review the vendor relationship instead of the live entitlements. A supplier may still hold tokens, roles, or service accounts long after the business need has changed. Effective reviews inspect actual credentials and downstream reach, then verify that revocation has happened, not just been requested.

Q: Who is accountable when a supplier identity is abused in a breach?

A: Accountability usually spans the business owner of the service, the identity team that issued or federated access, and the third party that held the credential. Frameworks such as NIST CSF and zero-trust models expect clear ownership and revocation discipline. Without that, nobody can prove where control failed.


Technical breakdown

Why supply chain attacks become identity incidents

A supply chain attack turns into an identity incident when the attacker reaches a trusted integration, credential, or support path rather than the core application itself. In modern environments, suppliers often hold service accounts, API tokens, signing access, or delegated admin rights. Those credentials can be more valuable than user accounts because they are persistent, high reach, and rarely observed with the same rigour as employee access. The security failure is not only the compromise itself. It is the concentration of trust in identities that were never designed to survive supplier reuse, reselling, or broad operational access.

Practical implication: map every third-party identity to a business owner, scope, and revocation path before it is needed in an incident.

Delegated access and secret exposure in third-party ecosystems

Delegated access widens the blast radius because one supplier identity may authenticate into multiple downstream services. If that identity is backed by a long-lived secret, a stolen token, or an exposed key, attackers can move laterally without needing to break each target separately. The risk is amplified when suppliers reuse credentials across customers or environments, since one compromise can create many points of entry. This is why third-party identity governance has to cover lifecycle, rotation, and segregation of duties, not just vendor onboarding checks.

Practical implication: require per-environment credentials and time-bound access for every supplier integration that touches production data.

Third-party access visibility and revocation gaps

Most organisations can name their strategic vendors but cannot quickly answer which identities those vendors still possess in production. That visibility gap is the real control failure in supply chain compromise. Without accurate entitlement inventories, access reviews become ceremonial and offboarding becomes incomplete, especially for service accounts and machine-to-machine access. Once a supplier relationship changes, any lingering identity can outlive the contract, the product, or the business need. The control problem is lifecycle precision, not policy language.

Practical implication: tie third-party access reviews to actual entitlement telemetry and revoke dormant supplier identities on a fixed lifecycle schedule.


Threat narrative

Attacker objective: The attacker wants to turn one compromised supplier identity into broad access across customer environments and the data or operational systems that trust it.

  1. Entry occurs through a trusted third-party path, such as a supplier integration, exposed credential, or compromised support channel rather than direct perimeter breach.
  2. Escalation follows when the attacker uses delegated identity access to reach downstream systems, services, or data that the supplier was already authorised to touch.
  3. Impact comes from abusing that trust to expand access, exfiltrate data, or pivot into additional enterprise environments through the same supplier relationship.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Supply chain compromise is now an identity governance problem, not just a vendor risk problem. The breach surface appears when suppliers hold identities, secrets, or delegated rights inside customer environments. That means IAM teams, not only procurement and security review teams, have to own the trust path. The practitioner conclusion is simple: supplier risk must be measured in entitlements and revocation capability, not in contract language alone.

Third-party access without lifecycle offboarding is the failure mode this category keeps exposing. Access often survives the business relationship that justified it, especially when service accounts and tokens are created for one project and never fully retired. That assumption was designed for stable relationships and predictable change management. It fails when suppliers are reorganised, acquired, or no longer needed but their access remains live. The implication is that access outliving accountability is the core control gap.

Identity blast radius is the right concept for supplier compromise. One external identity can touch many internal systems when credentials are reused, federated broadly, or scoped only by convenience. The problem is not merely that a secret exists, but that one secret can open several control planes at once. This is where NHI governance, PAM, and third-party risk converge. Practitioners should treat every supplier credential as a potential multi-environment blast-radius multiplier.

Visibility without entitlement context does not reduce supply chain exposure. Knowing a vendor exists is not the same as knowing which identities they can still exercise, where those identities authenticate, or how quickly they can be revoked. Access reviews that do not include actual machine and delegated identities will miss the paths attackers use. The practitioner conclusion is to anchor third-party governance in identity telemetry and revocation evidence.

Supply chain incidents validate converged identity governance across human, NHI, and delegated access. Human approvals, machine credentials, and third-party workflows are now linked in the same attack path. That makes siloed governance structurally incomplete. Security teams should view supplier access as part of the same identity lifecycle discipline that governs users and workloads.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • For a deeper view of breach patterns and root causes, review 52 NHI Breaches Analysis alongside this finding.

What this signals

Identity blast radius: the next phase of third-party governance is not supplier enumeration but entitlement containment. When one external identity can still reach several internal systems, the control objective shifts from visibility to revocation speed and scope reduction. Teams that cannot prove who can revoke what, and in what order, will remain exposed even if their vendor inventory looks complete.

The governance gap will widen as supplier access increasingly blends human approval, NHI credentials, and delegated federation. That means third-party reviews need to look like lifecycle controls, not annual paperwork. The programmes that survive are the ones that can trace every external identity to a business purpose, a technical owner, and a removal event.

With 72% of organisations reporting or suspecting a breach of non-human identities, per The 2024 ESG Report: Managing Non-Human Identities, supplier trust can no longer be treated as a side issue. The reader takeaway is to fold third-party access into the same identity risk model used for workloads and privileged human accounts.


For practitioners

  • Inventory supplier identities by actual entitlement: Build a live register of every vendor account, token, certificate, and federated role that can touch production systems. Include business owner, environment, last-use signal, and revocation method so offboarding can happen without ambiguity.
  • Separate supplier credentials by environment: Issue distinct credentials for development, test, and production access, and reject shared secrets across customer tenants or business units. A single compromised token should not open multiple environments or control planes.
  • Tie offboarding to contract and telemetry: When a supplier relationship ends or changes scope, revoke access using entitlement telemetry rather than waiting for manual confirmation. Validate that dormant accounts, stale tokens, and inherited roles are actually removed.
  • Review third-party PAM and federation paths together: Assess privileged vendor sessions, federation rules, and service account access in one control review. Otherwise, a supplier can be removed from one path and remain active through another.
  • Test supplier blast-radius assumptions: Run tabletop exercises that start with one compromised third-party identity and map every system it can reach. Use the exercise to expose hidden dependency chains and over-broad delegated access.
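The practical implications above (owner and revocation path per identity, per-environment credentials, revoking dormant supplier identities on a schedule) can be checked mechanically against an entitlement register. The following is an added illustration, not code from NHI Mgmt Group or Saviynt; the register entries, vendor names, fingerprints and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class SupplierIdentity:
    name: str
    vendor: str
    environment: str                  # "dev", "test" or "prod"
    owner: Optional[str]              # accountable business owner, None if unassigned
    revocation_method: Optional[str]  # how the credential is actually revoked
    secret_fingerprint: str           # thumbprint of the secret, used to spot reuse
    last_used: Optional[date]         # last-use signal from telemetry
    contract_active: bool             # is the business relationship still live?

DORMANT_AFTER = timedelta(days=90)    # assumed lifecycle threshold

def audit_register(register: List[SupplierIdentity], today: date) -> List[Tuple[str, str]]:
    """Return (identity, finding) pairs for the control gaps the guidance describes."""
    # Map each secret to the environments it can open: one secret in several
    # environments is the blast-radius multiplier the guidance warns about.
    envs_by_secret = {}
    for ident in register:
        envs_by_secret.setdefault(ident.secret_fingerprint, set()).add(ident.environment)
    findings = []
    for ident in register:
        if ident.owner is None:
            findings.append((ident.name, "no business owner"))
        if ident.revocation_method is None:
            findings.append((ident.name, "no revocation path"))
        if len(envs_by_secret[ident.secret_fingerprint]) > 1:
            findings.append((ident.name, "secret shared across environments"))
        if ident.last_used is None or today - ident.last_used > DORMANT_AFTER:
            findings.append((ident.name, "dormant, revoke on lifecycle schedule"))
        if not ident.contract_active:
            findings.append((ident.name, "contract ended but identity still live"))
    return findings

# Constructed sample register: a vendor whose test and prod integrations share one
# secret, and a former supplier whose federated role outlived the contract.
TODAY = date(2026, 3, 23)
SAMPLE_REGISTER = [
    SupplierIdentity("svc-analytics-prod", "ExampleVendor", "prod", "data-platform-lead",
                     "revoke vault role", "fp-a1", date(2026, 3, 20), True),
    SupplierIdentity("svc-analytics-test", "ExampleVendor", "test", "data-platform-lead",
                     "revoke vault role", "fp-a1", date(2026, 3, 1), True),
    SupplierIdentity("fed-support-role", "FormerSupplier", "prod", None, None,
                     "fp-b2", date(2025, 11, 2), False),
]

def sample_findings() -> List[Tuple[str, str]]:
    return audit_register(SAMPLE_REGISTER, TODAY)
```

Feeding the function a real register exported from a PAM or secrets platform turns the review from a vendor checklist into a list of concrete revocation actions.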

Key takeaways

  • Supply chain attacks become identity incidents when suppliers hold credentials or delegated access inside customer environments.
  • The scale of NHI compromise makes third-party access governance a live control issue, not a theoretical one.
  • Practitioners need live entitlement inventories, environment-segmented credentials, and verifiable offboarding for every supplier identity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Third-party secrets and delegated credentials are central to this supply chain risk.
NIST CSF 2.0 | PR.AC-4 | Access control and least privilege are directly implicated by supplier reach into production.
NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires continuous verification of third-party access paths and privileges.

Inventory supplier credentials and rotate or revoke any secret that outlives its business purpose.


Key terms

  • Third-party identity: A third-party identity is any account, token, certificate, or federated role used by a supplier, contractor, or partner to access enterprise systems. It is governed like any other non-human or delegated identity, with scope, ownership, monitoring, and revocation requirements.
  • Identity blast radius: Identity blast radius is the amount of access and downstream reach a single identity can create if compromised or misused. The larger the blast radius, the more systems, data, and control planes can be affected before the issue is contained.
  • Delegated access: Delegated access is permission granted to one party to act on behalf of another system, user, or organisation. In practice, it often appears as federated roles, support access, or service-account privileges that can be abused if the trust relationship is too broad.
  • Lifecycle offboarding: Lifecycle offboarding is the process of removing access when an identity, relationship, or business purpose ends. For supplier identities, it means revoking accounts, tokens, roles, and certificates quickly enough that access does not outlive accountability.

What's in the full analysis

Saviynt's full news coverage covers the source detail this post intentionally leaves for the article:

  • The linked coverage around the Sisense breach and adjacent 2025 security stories that frame the supply chain risk pattern.
  • The specific news context Saviynt used to connect vendor incidents with identity and access governance.
  • The surrounding article stream that shows how often identity issues appear alongside broader cybersecurity reporting.
  • The exact publication context for readers who want to trace the original news item in Saviynt's feed.

👉 Saviynt's full news item places the breach in a broader stream of identity and supply chain risk coverage

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

NHIMG Editorial Note

Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group, the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org