By NHI Mgmt Group Editorial Team
Published 2025-08-11
Domain: Governance & Risk
Source: Imprivata

TL;DR: 47% of organisations experienced a third-party breach in the past year, according to Imprivata data, while 34% of those incidents were tied to vendors with excessive privileged access, underscoring how downstream access paths now drive breach exposure. Visibility, centralised inventory, and tighter identity controls matter because supply chain trust breaks where accountability stops.


At a glance

What this is: This is an Imprivata analysis of third- and fourth-party risk showing that vendor overprivilege, weak inventory, and poor access oversight are driving breach exposure.

Why it matters: It matters because IAM, PAM, and NHI programmes increasingly have to govern external identities, delegated access, and downstream access chains, not just direct employees and systems.

By the numbers:

👉 Read Imprivata's analysis of third- and fourth-party access risk


Context

Third-party access risk is the governance problem that appears when external vendors, subcontractors, and their own tools are allowed to touch internal systems without the same lifecycle, inventory, and privilege controls used for first-party identities. In practice, the security gap is not only the vendor relationship itself, but the unmanaged access chain that extends beyond it.

Imprivata’s analysis argues that many programmes stop at direct vendor oversight and miss the fourth-party layer entirely. That gap matters for IAM and PAM teams because downstream access often persists longer than the business relationship that created it, which makes delegated trust hard to verify and even harder to revoke.

The article frames this as a resilience issue, not just a supplier management issue. Once access sprawl, manual processes, and incomplete inventories take hold, security teams lose the ability to answer a basic governance question: who can still reach what, through which external relationship, and on whose authority?


Key questions

Q: How should security teams govern vendor access that extends into fourth parties?

A: Security teams should govern vendor access as an identity lifecycle problem, not a supplier checklist. That means inventorying every external identity, mapping downstream dependencies, enforcing named user access where possible, and reviewing subcontractor reach during each recertification cycle. The goal is to make hidden delegated access visible before it becomes an incident.

Q: Why do third-party breaches so often involve privileged access?

A: Third-party breaches often involve privileged access because external accounts are frequently granted broad, persistent reach to get work done quickly. Once an external identity can administer systems, read data, or move laterally, attackers only need one weak credential path or one missed offboarding event to turn trust into breach exposure.

Q: What do teams get wrong about fourth-party risk?

A: Teams often assume that if the direct vendor is approved, the access chain is controlled. In reality, subcontractors, managed tools, and inherited credentials can sit outside the visible governance boundary. That is why fourth-party risk is usually a visibility and accountability failure, not just a contract-management gap.

Q: Who is accountable when a vendor or subcontractor account is misused?

A: Accountability should sit with the organisation that granted the access, because it owns the entitlement, the review process, and the revocation path. Vendors can have shared responsibility, but the relying organisation still has to prove that access was justified, limited, monitored, and removed when no longer needed.


Technical breakdown

Why third-party access breaks conventional vendor risk models

Traditional vendor risk management focuses on contracts, questionnaires, and periodic reviews, but access risk behaves differently. Once a vendor receives network or application access, the issue becomes identity governance: who has the credential, what can it do, how long does it remain valid, and whether the entitlement is still aligned to business need. The article’s core point is that many organisations know the vendor exists, but not the full access path the vendor opens. That is why broad trust models fail when access is persistent, shared, or poorly inventoried.

Practical implication: Map every external identity to a named owner, a business purpose, and an expiry condition.

Fourth-party exposure and the hidden access chain

Fourth-party risk emerges when a vendor’s vendor, subcontractor, or unmanaged tool inherits access indirectly. This is structurally harder to monitor because the organisation may never contract with the fourth party, yet its credentials, integrations, or workflows still touch sensitive systems. That turns supply chain governance into an identity-chain problem rather than a simple supplier list problem. The main failure mode is visibility loss: teams can see the primary vendor but not the nested actors and access paths beneath it.

Practical implication: Require vendors to disclose downstream access paths and revalidate them during each access review.

Fine-grained access control instead of broad delegated trust

The article points toward replacing broad VPN-style trust with named user authentication, time-bound credentials, and least privilege access. That matters because privileged third-party access often becomes durable when organisations rely on shared accounts or static exceptions. Fine-grained controls do not eliminate external risk, but they reduce the blast radius when a vendor account, subcontractor credential, or integration token is abused. In NHI terms, this is about constraining external machine and human access with the same rigor used for internal high-risk entitlements.

Practical implication: Treat vendor access as privileged access and force it through explicit scope, duration, and review controls.
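To make the "explicit scope, duration, and review controls" concrete, here is an added request-time check for a vendor entitlement. It is illustrative code written for this summary, not code from Imprivata or the article, and the field names (account_type, not_after, max_session_minutes), vendor names and timestamps are constructed. It evaluates a broad VPN-style standing grant beside a named, time-bound, scoped one and lists every failed condition rather than just returning a verdict, so the output doubles as review evidence.

```python
# Added illustration of request-time checks for vendor entitlements; not code from
# Imprivata or the article. Field names, vendor names and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VendorEntitlement:
    vendor: str
    principal: str                 # account that authenticates (one person, not a team)
    account_type: str              # "named" or "shared"
    scope: FrozenSet[str]          # systems or roles the grant covers; "*" means everything
    owner: Optional[str]           # internal owner accountable for the grant
    not_before: datetime
    not_after: Optional[datetime]  # None means standing access with no expiry
    max_session_minutes: int


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    target: str
    at: datetime
    session_minutes: int


def evaluate(ent: VendorEntitlement, req: AccessRequest) -> Tuple[bool, List[str]]:
    """Allow only if every scope, duration and accountability condition holds.
    Returns (allowed, reasons); reasons names each failed condition."""
    reasons: List[str] = []
    if ent.principal != req.principal:
        reasons.append("principal does not match entitlement")
    if ent.account_type != "named":
        reasons.append(f"{ent.account_type} account: no individual accountability")
    if ent.owner is None:
        reasons.append("no internal owner recorded")
    if ent.not_after is None:
        reasons.append("standing access: no expiry")
    elif not (ent.not_before <= req.at <= ent.not_after):
        reasons.append("outside validity window")
    if "*" in ent.scope:
        reasons.append("wildcard scope: not least privilege")
    elif req.target not in ent.scope:
        reasons.append(f"target {req.target!r} not in scope")
    if req.session_minutes > ent.max_session_minutes:
        reasons.append("requested session exceeds maximum duration")
    return (not reasons, reasons)


def utc_at(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample: a broad VPN-style standing grant beside a scoped, time-bound one.
BROAD = VendorEntitlement(
    vendor="acme-msp", principal="acme-support", account_type="shared",
    scope=frozenset({"*"}), owner=None,
    not_before=utc_at(2024, 1, 1), not_after=None, max_session_minutes=24 * 60,
)
SCOPED = VendorEntitlement(
    vendor="acme-msp", principal="jdoe@acme.example", account_type="named",
    scope=frozenset({"erp-admin"}), owner="ops-lead",
    not_before=utc_at(2025, 8, 11, 9), not_after=utc_at(2025, 8, 11, 17),
    max_session_minutes=60,
)

if __name__ == "__main__":
    for ent in (BROAD, SCOPED):
        req = AccessRequest(ent.principal, "erp-admin", utc_at(2025, 8, 11, 10), 45)
        print(ent.principal, evaluate(ent, req))
```

The shared, wildcard, never-expiring grant fails on four independent conditions even for a legitimate request, which is the point: the risk sits in the shape of the entitlement, not in the intent of the person using it.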


Threat narrative

Attacker objective: The objective is to exploit trusted third-party or fourth-party access to reach sensitive systems while bypassing direct perimeter controls.

  1. Entry occurs through a trusted vendor relationship that grants external access to internal systems or data paths, often beyond what the organisation can directly observe.
  2. Escalation happens when vendors are given too much privileged access, reused credentials, or unmanaged downstream pathways that a fourth party can inherit.
  3. Impact follows when attackers abuse the extended access chain to move through vendor-connected environments, increasing the likelihood of breach, persistence, and wider supply chain compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Third-party access is now an identity governance problem, not just a procurement problem. The article shows that organisations can no longer rely on vendor questionnaires and contractual assurances once external identities are allowed into production systems. The security failure begins when access is granted without the same lifecycle discipline applied to internal privileged accounts. Practitioners should treat external access as governed identity, not as a one-time supplier checkbox.

Fourth-party risk exposes a visibility debt that most programmes have not priced in. If 50% of organisations do not maintain a comprehensive vendor inventory, then the downstream access chain is already partly unknown before an incident begins. That is the control gap: teams are defending the named vendor while the effective attack surface extends into subcontractors and unmanaged tools. The implication is that governance models built only around direct counterparties are incomplete by design.

Contractual trust fails when access is operationally unconstrained. The article’s recommendation to move beyond trust-but-verify aligns with Zero Trust Architecture and privileged access governance, because the real issue is not whether the vendor was approved once, but whether its access remains least-privileged, time-bound, and accountable at every use. This is where PAM, IGA, and third-party identity management have to converge. Practitioners should stop treating external access as a static risk register item.

Fine-grained vendor access is becoming the minimum viable resilience control. Broad VPN access, shared credentials, and weak offboarding create the same failure pattern across human, machine, and subcontractor identities. The article makes clear that resilience now depends on named identity, duration control, and explicit ownership across the extended access chain. Organisations that cannot answer who has vendor-derived access are operating with an unbounded trust model.

Vendor access without lifecycle offboarding: The governance assumption that access ends when the contract or project ends fails in third- and fourth-party environments because credentials often outlive business need. That broken assumption is the reason external access becomes durable attack surface. The implication is that offboarding must be a control plane, not an afterthought.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
  • To understand broader lifecycle failure patterns, see The 52 NHI breaches Report for real-world examples of credentials that outlive governance.

What this signals

Vendor access governance is converging with non-human identity control. External accounts, service credentials, and subcontractor tools now need the same lifecycle discipline as internal machine identities. When organisations cannot prove where access exists or who owns it, the programme is already behind the actual attack surface.

Identity blast radius: the effective attack surface is no longer just the first-party vendor, but every downstream identity that can inherit its reach. That means security teams should measure not only how many vendors they have, but how many paths each vendor can open and how quickly those paths can be shut down.

The governance signal is clear: if access reviews are still limited to direct suppliers, the organisation is only certifying a fraction of the real risk. Teams should prepare for tighter audit expectations around external identity inventories, offboarding proof, and privileged session oversight, especially where regulated data or critical services are involved.


For practitioners

  • Build a complete external identity inventory: Record every vendor, subcontractor, and unmanaged tool with access to internal systems, including the systems reached, the account type used, and the business owner responsible for it.
  • Replace broad vendor access with named, time-bound entitlements: Eliminate shared or standing external access where possible, and require named user authentication, least privilege, and expiry conditions for every privileged vendor path.
  • Extend access reviews to fourth-party paths: Ask vendors to disclose downstream access chains and require revalidation of subcontractor and tool-based access during each recertification cycle.
  • Treat vendor privileged access as PAM scope: Route external administrative access through the same approval, logging, session oversight, and revocation controls used for internal high-risk accounts.
  • Measure offboarding latency for external identities: Track how long it takes to revoke vendor credentials after a relationship changes, because delayed removal is where downstream exposure persists.
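The inventory, fourth-party path, and offboarding-latency items above, together with the identity blast radius idea from the "What this signals" section, can be worked through on one small model. The following is an added example written for this summary, not tooling from Imprivata or NHI Mgmt Group; the record fields (delegated_to, relationship_end, revoked_at), vendor names, systems and dates are all constructed. It walks each vendor's delegation chain to find every nested actor, computes the systems reachable through that chain, flags entries with no owner, no expiry, or no revocation after the relationship ended, and measures how many days a credential outlived its business need.

```python
# Added illustration of an external identity inventory with downstream (fourth-party)
# chains; not tooling from Imprivata or NHI Mgmt Group. All names and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ExternalIdentity:
    name: str                                   # vendor, subcontractor or tool account
    systems: Set[str]                           # systems this identity reaches directly
    owner: Optional[str]                        # internal business owner; None = unowned
    expires: Optional[date]                     # expiry condition; None = standing access
    delegated_to: List[str] = field(default_factory=list)  # downstream identities it passes access to
    relationship_end: Optional[date] = None     # when the business need ended
    revoked_at: Optional[date] = None           # when the credential was actually removed


Inventory = Dict[str, ExternalIdentity]


def reachable_systems(inv: Inventory, root: str) -> Set[str]:
    """Identity blast radius: systems reachable via root and everything it delegates to."""
    seen: Set[str] = set()
    systems: Set[str] = set()
    stack = [root]
    while stack:
        name = stack.pop()
        if name in seen or name not in inv:
            continue
        seen.add(name)
        systems |= inv[name].systems
        stack.extend(inv[name].delegated_to)
    return systems


def access_paths(inv: Inventory, root: str) -> List[List[str]]:
    """Every delegation chain from root to a leaf, e.g. [vendor, subcontractor, tool]."""
    paths: List[List[str]] = []

    def walk(name: str, chain: List[str]) -> None:
        if name in chain or name not in inv:      # guard against cycles and unknown names
            return
        chain = chain + [name]
        if not inv[name].delegated_to:
            paths.append(chain)
        for nxt in inv[name].delegated_to:
            walk(nxt, chain)

    walk(root, [])
    return paths


def governance_gaps(inv: Inventory) -> Dict[str, List[str]]:
    """Entries missing an owner, an expiry, or a revocation after the relationship ended."""
    gaps: Dict[str, List[str]] = {}
    for ident in inv.values():
        problems: List[str] = []
        if ident.owner is None:
            problems.append("no named owner")
        if ident.expires is None:
            problems.append("standing access (no expiry)")
        if ident.relationship_end is not None and ident.revoked_at is None:
            problems.append("still active after relationship ended")
        if problems:
            gaps[ident.name] = problems
    return gaps


def offboarding_latency_days(ident: ExternalIdentity, today: date) -> Optional[int]:
    """Days between the end of business need and revocation (or today if still active)."""
    if ident.relationship_end is None:
        return None
    return ((ident.revoked_at or today) - ident.relationship_end).days


# Constructed inventory: a managed service provider whose subcontractor runs an agent
# tool, a legacy integrator whose access outlived the relationship, and a clean case.
INVENTORY: Inventory = {i.name: i for i in [
    ExternalIdentity("acme-msp", {"erp", "vpn"}, "ops-lead", date(2025, 12, 31),
                     delegated_to=["acme-sub-monitoring"]),
    ExternalIdentity("acme-sub-monitoring", {"erp", "db-prod"}, None, None,
                     delegated_to=["acme-sub-agent-tool"]),
    ExternalIdentity("acme-sub-agent-tool", {"db-prod", "backup"}, None, None),
    ExternalIdentity("legacy-integrator", {"crm"}, "sales-ops", None,
                     relationship_end=date(2025, 3, 1)),
    ExternalIdentity("tmp-auditor", {"finance"}, "ciso", date(2025, 6, 1),
                     relationship_end=date(2025, 6, 1), revoked_at=date(2025, 6, 15)),
]}

if __name__ == "__main__":
    today = date(2025, 8, 11)
    print("acme-msp reaches:", sorted(reachable_systems(INVENTORY, "acme-msp")))
    print("acme-msp paths:", access_paths(INVENTORY, "acme-msp"))
    print("gaps:", governance_gaps(INVENTORY))
    for name in ("legacy-integrator", "tmp-auditor"):
        print(name, "offboarding latency days:", offboarding_latency_days(INVENTORY[name], today))
```

Note what the direct-vendor view hides: acme-msp is fully owned, scoped to two systems and set to expire, yet through its subcontractor and that subcontractor's tool it reaches db-prod and backup, neither of which appears on the vendor's own record. Those are the paths an access review limited to direct suppliers never certifies.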

Key takeaways

  • Third-party and fourth-party access now function as a single governance problem, because the attack surface extends beyond the named vendor.
  • Imprivata’s figures show the scale of the issue, with 47% reporting a third-party breach in the past year and 34% tied to excessive vendor privilege.
  • Practitioners should respond by inventorying external identities, tightening delegated privilege, and making offboarding and recertification explicit control points.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | External credentials and overlong access windows are central to this article.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access and entitlement governance are directly implicated.
NIST Zero Trust (SP 800-207)     |                     | The article argues against trust-but-verify and for continuous verification of external access.

Apply zero-trust principles to every vendor and subcontractor identity before granting reach.


Key terms

  • Fourth-Party Risk: Fourth-party risk is the exposure created by a vendor’s vendors, subcontractors, or unmanaged tools that inherit access into your environment. The problem is not only contractual. It is the difficulty of seeing, governing, and revoking access that sits one step beyond your direct supplier relationship.
  • Vendor Privileged Access: Vendor privileged access is elevated access granted to an external party so it can administer systems, support operations, or reach sensitive data. It becomes a governance issue when the access is broad, persistent, shared, or poorly monitored, because the organisation still owns the risk even when the work is outsourced.
  • External Identity Inventory: An external identity inventory is the authoritative record of every non-employee account, credential, and delegated access path used by vendors, subcontractors, and partner tools. It should show who owns the access, what systems it touches, why it exists, and when it must be removed.
  • Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if misused or compromised. For external access, it is shaped by entitlement scope, downstream dependencies, and how quickly access can be revoked. Smaller blast radius means the organisation has constrained both privilege and persistence.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Third- and Fourth-Party Blind Spots Escalate as Vendor Access Gaps Undermine Cyber Resilience. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org