By NHI Mgmt Group Editorial Team | Published 2026-03-23 | Domain: Governance & Risk | Source: Imprivata

TL;DR: Manufacturers are expanding third-party access across IT and OT, but fragmented onboarding, manual reviews, and delayed offboarding are making vendor risk harder to quantify, according to Imprivata and IDC InfoBrief data. The core problem is not access volume alone, but the absence of continuous identity governance for external users.


At a glance

What this is: An analysis of why manufacturing vendor access becomes risky when third-party identity governance relies on manual reviews and disconnected systems.

Why it matters: Manufacturing IAM, PAM, and OT security teams need continuous control over external access, not periodic confidence built on outdated assumptions.

By the numbers:

👉 Read Imprivata's analysis of third-party access and vendor risk in manufacturing


Context

Manufacturing vendor access is a third-party identity governance problem: external partners need fast entry to systems, but every permission, session, and offboarding delay changes the risk profile. The article argues that disconnected processes and manual reviews leave organizations unable to answer who has access, what they can reach, or when that access was last validated.

In operational environments, access is often continuous rather than occasional, which makes static approval models brittle. The governance challenge is to keep external access usable for production while making it visible, reviewable, and revocable at the pace of plant operations.


Key questions

Q: How should security teams govern third-party access in manufacturing environments?

A: Security teams should govern third-party access as a lifecycle, not a one-time approval. Each vendor account needs an owner, a purpose, an expiry, and a removal path. Continuous review matters because manufacturing access changes with shifts, projects, and maintenance windows. Without that discipline, external access becomes harder to justify, harder to revoke, and easier to over-extend across production systems.

Q: Why do vendors create more IAM risk in OT-connected plants?

A: Vendors increase IAM risk in OT-connected plants because they often need broad, time-sensitive access to systems that were not designed for frequent identity changes. Shared workstations, legacy tooling, and urgent maintenance work make it easy for permissions to outlast the task. The result is a larger exposure window and weaker accountability when something goes wrong.

Q: What breaks when third-party access is managed with spreadsheets?

A: Spreadsheets break down when third-party access scales beyond a handful of users. They do not reliably capture approvals, active entitlements, session state, or removal status, so access reviews become stale and offboarding is missed. In practice, that means organizations can no longer prove who had access, when, or why.

Q: Who is accountable when a vendor account remains active after the work ends?

A: Accountability sits with the business owner, the technical approver, and the identity team that failed to remove the access. In regulated or safety-sensitive environments, that shared accountability must be explicit, because lingering access is not just an administrative miss. It is a governance failure that can affect compliance, audit evidence, and operational resilience.


Technical breakdown

Why manual vendor onboarding fails at manufacturing scale

Manual onboarding assumes access requests arrive in manageable volumes, roles stay stable, and review cycles can catch drift before it matters. In manufacturing, vendors rotate by project, shift, and maintenance window, while legacy systems, shared workstations, and OT constraints keep access paths open longer than intended. That combination creates permission accumulation, unclear ownership, and delayed deprovisioning. The result is not just administrative overhead. It is a persistent identity state that no one can confidently validate across the full vendor population.

Practical implication: replace spreadsheet-driven onboarding with identity workflows that can prove who is approved, active, and due for removal.

How continuous vendor risk assessment changes access control

Continuous vendor risk assessment treats third-party access as a living control surface, not a periodic audit item. Access decisions shift from role-only logic to context-aware checks that consider the vendor, the task, the time, and the system being touched. That aligns with zero-trust principles because no external identity is implicitly trusted once it connects. In manufacturing, this matters because remote maintenance, updates, and troubleshooting can all occur outside normal business rhythms, making static entitlement reviews too slow to catch misuse or drift.

Practical implication: use context-aware authorization and monitoring so external access can be narrowed or revoked as soon as activity diverges from expected work.
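The context-aware check described above, as an added example that is not Imprivata's or NHI Mgmt Group's code: a task-scoped vendor grant (vendor, account, approved systems, maintenance window, owner) is evaluated on every request, and a session replay returns a revoke decision at the first event that diverges from the approved work. The grant schema, account names, host names and timestamps are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d, hh=0, mm=0):
    """Build a timezone-aware UTC timestamp (helper for the constructed data)."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass(frozen=True)
class VendorGrant:
    """Constructed task-scoped grant; the fields are this example's assumptions,
    not a schema from the article or from Imprivata."""
    vendor: str
    account: str
    task: str
    systems: frozenset        # systems the task is approved to touch
    window_start: datetime    # maintenance window in which the task may run
    window_end: datetime
    owner: str                # named business owner responsible for removal


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    revoke: bool = False      # True: an already-open session should be cut


def authorize(grant, account, system, at):
    """Evaluate identity, task scope, target system and time on every request,
    rather than trusting the initial approval."""
    if account != grant.account:
        return Decision(False, f"{account} is not the approved identity for task {grant.task}")
    if not grant.window_start <= at <= grant.window_end:
        return Decision(False, f"{at.isoformat()} is outside the maintenance window for task {grant.task}", revoke=True)
    if system not in grant.systems:
        return Decision(False, f"{system} is outside the approved scope of task {grant.task}", revoke=True)
    return Decision(True, f"{account} may reach {system} for task {grant.task}")


def review_session(grant, events):
    """Replay a session's (system, timestamp) events in order and stop at the first
    divergence from expected work; that event is where the session should be
    narrowed or revoked."""
    for system, at in events:
        decision = authorize(grant, grant.account, system, at)
        if decision.revoke:
            return decision
    return Decision(True, "session stayed within approved scope and window")


# Constructed example: a robotics vendor approved to patch one HMI and read the
# historian during a night maintenance window.
GRANT = VendorGrant(
    vendor="Acme Robotics",
    account="vnd-acme-svc",
    task="MW-2026-0323 PLC firmware patch",
    systems=frozenset({"plc-hmi-07", "historian-02"}),
    window_start=utc(2026, 3, 23, 22, 0),
    window_end=utc(2026, 3, 24, 2, 0),
    owner="line3.owner@example.test",
)

# Constructed session that drifts onto an ERP host never named in the task.
DRIFTING_SESSION = [
    ("plc-hmi-07", utc(2026, 3, 23, 22, 15)),
    ("historian-02", utc(2026, 3, 23, 22, 40)),
    ("erp-finance-01", utc(2026, 3, 23, 23, 5)),
]

# Constructed session that stays in scope but runs on past the window.
OVERRUNNING_SESSION = [
    ("plc-hmi-07", utc(2026, 3, 24, 1, 50)),
    ("plc-hmi-07", utc(2026, 3, 24, 2, 30)),
]

# Constructed session that stays inside both scope and window.
CLEAN_SESSION = [
    ("plc-hmi-07", utc(2026, 3, 23, 22, 15)),
    ("historian-02", utc(2026, 3, 24, 1, 59)),
]


if __name__ == "__main__":
    for name, events in [("drifting", DRIFTING_SESSION), ("overrunning", OVERRUNNING_SESSION), ("clean", CLEAN_SESSION)]:
        d = review_session(GRANT, events)
        print(f"{name}: {'REVOKE' if d.revoke else 'OK'} - {d.reason}")
```

The design point is that the decision inputs (who, for which task, on which system, when) are re-read on every event, so a grant that was correct at approval time stops being trusted the moment the session leaves its task scope or its window.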

Why centralised identity data is the control plane for third parties

A central vendor database is not just an administrative convenience. It becomes the control plane that connects approval, entitlement, session visibility, and compliance evidence. Without a single source of truth, organizations cannot reliably reconcile who granted access, which systems were exposed, or whether offboarding actually happened. That gap is especially dangerous in regulated supply chains, where evidence of control often matters as much as the control itself. Centralisation does not eliminate risk, but it makes auditability and consistent enforcement possible at scale.

Practical implication: consolidate third-party identity records so access review, deprovisioning, and audit evidence all draw from the same authoritative source.


Threat narrative

Attacker objective: The objective is to preserve unnecessary third-party access long enough to widen exposure, weaken accountability, and increase the blast radius of operational compromise.

  1. Entry occurs when vendors receive remote access to production systems for maintenance, updates, or troubleshooting, often across distributed environments and shared operational infrastructure.
  2. Escalation follows when access is kept active across projects or shifts, permissions accumulate, and manual offboarding or review processes fail to remove stale entitlements.
  3. Impact is the persistence of unnecessary third-party exposure, reduced accountability for privileged sessions, and a higher likelihood that operational disruption or compliance failure can spread across connected systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Third-party access is an identity lifecycle problem, not a vendor management problem: The article shows that manufacturers are relying on external access as a normal operating condition, but normality is exactly what makes stale entitlements dangerous. Onboarding, review, and offboarding are being stretched across disconnected systems and manual processes, which means the identity state outlives the business need. The practitioner conclusion is that vendor access must be governed as a lifecycle with the same discipline applied to employee identities.

Continuous vendor risk assessment is the right control model because periodic review cannot keep pace with operational access: Manufacturing environments do not behave like clean administrative environments. Vendors move in and out by project, shift, and maintenance window, so the risk surface changes faster than quarterly review cycles can capture. NIST Zero Trust (SP 800-207) is relevant here because the access decision must be revalidated in context, not assumed to remain safe after the initial grant. The practitioner conclusion is that time-based review alone is structurally too slow.

Centralised third-party identity data creates the evidence layer that manufacturing compliance depends on: The article is really describing the difference between having a policy and proving a policy worked. Without a single authoritative record of who approved access, what systems were touched, and whether removal happened, governance becomes aspirational. NIST CSF 2.0 and the OWASP Non-Human Identity Top 10 both map to this gap because visibility, control, and accountability are the controls that determine whether third-party access is defensible. The practitioner conclusion is that auditability must be designed into the identity control plane.

Credential sharing and lingering sessions are governance symptoms, not just user behaviour: When security controls add friction, operators and vendors work around them to keep production moving. That means shared credentials and open sessions are often a signal that the access model does not match the operational model. This is a lifecycle and PAM issue at the same time, because the environment is rewarding persistence over traceability. The practitioner conclusion is that controls should be designed so the path of least resistance is also the path of least privilege.

From our research:

  • The average organisation believes more than 1 in 5 of its non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming a breach and 26% suspecting one.
  • That pattern makes the NHI Lifecycle Management Guide the natural next reference for teams that need to turn third-party access reviews into an enforceable lifecycle process.

What this signals

Third-party identity governance is becoming an operational resilience issue, not a back-office IAM task. Manufacturers that treat vendor access as a static approval problem will continue to miss the real failure mode: access that stays active because no one owns the removal path. The right programme response is to bind access, session, and offboarding records to the same authoritative workflow, using the NIST Cybersecurity Framework 2.0 to align governance, protection, and response.

Vendor access pressure will keep rising wherever OT and IT converge. The article points to a simple reality: external partners are now part of core production continuity. That means IAM teams need to watch for the rise of an identity blast radius, where a single shared credential or delayed deprovisioning event can affect multiple systems and compliance obligations. In practice, this is where the Ultimate Guide to NHIs (lifecycle processes for managing NHIs) becomes operationally useful, not just educational.

With 72% of organisations already experiencing or suspecting an NHI breach in our research, the governance baseline has clearly moved. External access in manufacturing should be assumed dynamic, reviewable, and revocable at all times, because manual trust models do not scale to modern vendor ecosystems. Teams that cannot prove timely offboarding and session control are already behind the control curve.


For practitioners

  • Map every third-party identity to an owner and expiry: Require a named business owner, technical approver, and removal date for each vendor account, then reconcile those records against active sessions and entitlements on a recurring basis.
  • Separate maintenance access from standing vendor access: Use task-scoped privileges for troubleshooting and patching, then revoke access immediately after the maintenance window closes so permissions do not drift into long-lived standing access.
  • Centralise vendor identity evidence: Keep approvals, entitlements, session logs, and offboarding records in one authoritative system so auditors can trace access from grant to removal without stitching together spreadsheets.
  • Monitor for shared credentials and open sessions: Treat credential sharing and long-lived sessions as control failures, then investigate whether friction, poor workflow design, or missing deprovisioning is driving the behaviour.
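The reconciliation the practitioner list describes, and the lifecycle discipline from the technical breakdown (owner, purpose, expiry, removal path), as an added example that is not Imprivata's or NHI Mgmt Group's code: a constructed vendor register is compared against constructed entitlement and session snapshots, and every gap (no owner, orphaned or expired entitlement, session open after expiry or beyond an assumed maximum, one account active from several sources) is returned as a finding. The register schema, the eight-hour session ceiling, and all account, host and address values are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone


def utc(y, m, d, hh=0, mm=0):
    """Timezone-aware UTC timestamp helper for the constructed data below."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


NOW = utc(2026, 3, 23, 12, 0)          # the moment the reconciliation runs
MAX_SESSION = timedelta(hours=8)       # assumed ceiling for one maintenance session

# Constructed authoritative vendor register: one row per third-party account with a
# named owner, technical approver, purpose and removal date (all values invented).
REGISTER = [
    {"account": "vnd-acme-svc", "vendor": "Acme Robotics", "owner": "line3.owner@example.test",
     "approver": "ot.sec@example.test", "purpose": "PLC firmware patch", "expires": utc(2026, 3, 20)},
    {"account": "vnd-bolt-rmt", "vendor": "Bolt Controls", "owner": None,
     "approver": "it.ops@example.test", "purpose": "HMI troubleshooting", "expires": utc(2026, 4, 30)},
    {"account": "vnd-nimbus", "vendor": "Nimbus MES", "owner": "mes.owner@example.test",
     "approver": "it.ops@example.test", "purpose": "MES integration", "expires": utc(2026, 6, 30)},
]

# Constructed entitlement snapshot exported from the directory / PAM tool.
ENTITLEMENTS = [
    {"account": "vnd-acme-svc", "system": "plc-hmi-07"},
    {"account": "vnd-bolt-rmt", "system": "hmi-line-3"},
    {"account": "vnd-nimbus", "system": "mes-app-01"},
    {"account": "vnd-orphan", "system": "historian-02"},   # no register row at all
]

# Constructed active-session snapshot: account, source address, session start.
SESSIONS = [
    {"account": "vnd-acme-svc", "src": "203.0.113.10", "started": utc(2026, 3, 22, 9, 0)},
    {"account": "vnd-nimbus", "src": "198.51.100.5", "started": utc(2026, 3, 23, 11, 30)},
    {"account": "vnd-nimbus", "src": "198.51.100.77", "started": utc(2026, 3, 23, 11, 40)},
]


def reconcile(register, entitlements, sessions, now=NOW, max_session=MAX_SESSION):
    """Compare the register against live entitlements and sessions and return
    (severity, account, finding) tuples for every lifecycle control gap."""
    findings = []
    by_account = {row["account"]: row for row in register}

    # 1. Every account must map to a named business owner.
    for row in register:
        if not row["owner"]:
            findings.append(("high", row["account"], "no named business owner"))

    # 2. Entitlements must trace back to a register row that has not expired.
    for ent in entitlements:
        row = by_account.get(ent["account"])
        if row is None:
            findings.append(("high", ent["account"],
                             f"entitlement on {ent['system']} with no register record"))
        elif row["expires"] < now:
            overdue = (now - row["expires"]).days
            findings.append(("high", ent["account"],
                             f"entitlement on {ent['system']} still active {overdue} days past expiry"))

    # 3. Sessions must not outlive the approval or the assumed session ceiling.
    for s in sessions:
        row = by_account.get(s["account"])
        if row is not None and row["expires"] < now:
            findings.append(("critical", s["account"], "session open after expiry"))
        age = now - s["started"]
        if age > max_session:
            hours = age.total_seconds() / 3600
            findings.append(("medium", s["account"], f"session open for {hours:.0f} h"))

    # 4. One account with concurrent sessions from several sources is a
    #    credential-sharing signal worth investigating.
    sources = {}
    for s in sessions:
        sources.setdefault(s["account"], set()).add(s["src"])
    for account, addrs in sources.items():
        if len(addrs) > 1:
            findings.append(("high", account,
                             f"concurrent sessions from {len(addrs)} sources (possible credential sharing)"))
    return findings


def by_severity(findings):
    """Count findings per severity so a review can be tracked over time."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, account, text in reconcile(REGISTER, ENTITLEMENTS, SESSIONS):
        print(f"[{sev:8}] {account}: {text}")
    print(by_severity(reconcile(REGISTER, ENTITLEMENTS, SESSIONS)))
```

Because every check reads from the same register, the findings double as audit evidence: each one names the account, the system or session involved, and the register condition it violated, which is the trace from grant to removal that a reviewer needs.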

Key takeaways

  • Manufacturing vendor access fails when organisations rely on manual reviews, disconnected systems, and outdated trust assumptions.
  • The evidence in the article shows that identity demand is rising while contractor access remains hard to manage, which widens the operational gap.
  • Continuous access governance, centralised identity records, and fast offboarding are the controls that reduce exposure without slowing production.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | Third-party access review and revocation map to NHI lifecycle control gaps.
NIST Zero Trust (SP 800-207)    | PR.AC-4             | Context-aware access is central to continuous third-party authorisation.
NIST CSF 2.0                    | PR.AC-1             | Access governance and identity control underpin the article's visibility and accountability gaps.

Maintain authoritative records for vendor approval, entitlement, and offboarding so access can be audited.


Key terms

  • Third-party identity: A third-party identity is an external user, contractor, vendor, or partner account that needs access to an organisation’s systems to perform defined work. In manufacturing, these identities often operate across remote support, maintenance, and OT-adjacent environments, so lifecycle control and visibility matter as much as the initial approval.
  • Continuous vendor risk assessment: Continuous vendor risk assessment is the practice of re-evaluating external access as conditions change, rather than relying on periodic approvals alone. It combines context, session monitoring, and entitlement review so that access remains aligned to the current task, the current risk, and the current business need.
  • Identity blast radius: Identity blast radius is the amount of operational, security, or compliance impact created when one identity is over-extended or compromised. For third-party access, the blast radius grows when sessions stay open, permissions are broad, and offboarding is delayed, allowing a single account to affect multiple systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: third-party access and vendor risk in manufacturing. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org