By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecurityScorecardPublished October 30, 2025

TL;DR: Third-party dependencies now account for over 35% of data breaches and more than 40% of ransomware starts, according to SecurityScorecard, while AI and shadow AI are lowering attacker effort and widening exposure across enterprise workflows. The governance challenge is no longer internal control alone, but visibility and accountability across the extended digital supply chain.


At a glance

What this is: SecurityScorecard argues that AI, deepfakes, shadow AI, and third-party dependencies are forcing CISOs to manage risk beyond their own perimeter.

Why it matters: For IAM, NHI, and broader security teams, the message is that external access, delegated trust, and unapproved AI use now shape the control environment as much as internal policy does.

By the numbers:

👉 Read SecurityScorecard's analysis of third-party risk, shadow AI, and the CISO role


Context

The core problem is not simply that attackers are more capable. It is that the enterprise attack surface now includes vendors, partners, suppliers, and employee-run AI tools that sit outside traditional control boundaries. That creates an identity and access governance problem as much as a security operations problem, because trusted connections and delegated access are where many modern incidents begin.

For IAM and NHI programmes, this is a reminder that third-party access, service credentials, and unsanctioned AI usage are part of the same trust fabric. When organisations treat external risk as separate from identity governance, they miss the fact that credentials, approvals, and data-sharing paths are the mechanisms attackers exploit.


Key questions

Q: What breaks when third-party access is treated as separate from identity governance?

A: Security teams lose visibility into who can still authenticate, what they can reach, and whether access was ever removed when the relationship changed. That creates standing exposure through vendor accounts, API keys, and delegated access paths. Treating third-party access as part of identity governance closes the gap between procurement, onboarding, and real operational control.

Q: Why does shadow AI create governance risk even when users are not malicious?

A: Because users can move sensitive data into tools the organisation cannot inventory, monitor, or revoke. The risk is not intent, but loss of control over retention, reuse, and onward disclosure. Security teams need approved AI pathways, data handling rules, and enforcement tied to identity and context.

Q: How do organisations know if third-party risk controls are actually working?

A: Look for evidence that external access is inventoried, time-bound, and removed promptly when no longer needed. Strong controls show up as fewer standing privileges, better offboarding discipline, and clear ownership for each external connection. If teams cannot answer who has access and why, the control is not working.

Q: Who is accountable when AI-assisted impersonation or supplier abuse causes an incident?

A: Accountability sits with the security leadership, the business owner of the relationship, and the teams responsible for identity, access, and vendor oversight. Frameworks such as NIST CSF and NIST SP 800-53 expect clear ownership of risk, not shared ambiguity. Boards should demand exposure reporting, not just activity metrics.


Technical breakdown

Third-party risk is a trust graph problem

Modern supply chains are not linear. They are trust graphs made up of vendors, downstream service providers, integrations, and shared operational dependencies. A weakness in one node can provide an attacker with a route into another organisation through legitimate access, inherited trust, or exposed data exchange pathways. This is why third-party risk management has become inseparable from identity governance, especially where external accounts, API access, and delegated administration are involved. The control question is not just who is in your environment, but who can reach it through trusted relationships.

Practical implication: map vendor access paths, not just vendor names, and review the identities and secrets that make those paths possible.

Shadow AI expands the data exposure surface

Shadow AI is not just an employee policy violation. It is an unmanaged data egress channel that can move sensitive information into tools and environments the security team cannot see, validate, or revoke. When workers paste documents, ledgers, code, or customer data into unapproved AI systems, the organisation loses control over retention, model training, and onward disclosure. From an identity perspective, these interactions often occur under normal user credentials, which makes them hard to distinguish from legitimate productivity use. That creates governance blind spots that traditional DLP and access review processes do not fully close.

Practical implication: classify approved and unapproved AI use cases, then bind data handling rules to user identity and sanctioned tool access.

Deepfakes lower the cost of trust exploitation

AI has made impersonation, social engineering, and fraud more scalable. Deepfakes and AI-generated content reduce the skill barrier for convincing phishing, executive impersonation, and vendor fraud, which means the weak point is increasingly human trust rather than technical sophistication alone. In practice, this shifts the burden onto verification controls, out-of-band confirmation, and stronger decision checkpoints for payments, access changes, and sensitive requests. Where identity proofing is weak, AI can turn ordinary communication channels into high-yield attack paths.

Practical implication: strengthen verification for high-risk requests and assume that email, voice, and video can no longer be trusted on their own.


Threat narrative

Attacker objective: The attacker objective is to gain scalable access to data, systems, or business trust by exploiting the weakest connection in the extended supply chain.

  1. Entry begins when an attacker reaches an organisation through a third-party relationship, a social engineering path, or an unapproved AI workflow that handles sensitive data.
  2. Escalation occurs when trusted credentials, delegated access, or human trust are abused to move from a narrow foothold to broader business or data access.
  3. Impact follows as ransomware, data theft, or disclosure spreads across the connected ecosystem instead of stopping at a single enterprise boundary.

NHI Mgmt Group analysis

Third-party risk has become an identity governance problem, not just a procurement problem. Security teams often treat supplier risk as a questionnaire and scorecard exercise, but the real control issue is who can authenticate, authorise, and move data through trusted relationships. That is where access governance, credential lifecycle management, and third-party offboarding matter most. Practitioners should treat external access as part of the identity perimeter, not an exception to it.

Shadow AI creates an unmanaged non-human identity problem inside ordinary user workflows. Employees are now routing sensitive content through AI services that sit outside policy, inventory, and monitoring. That means the organisation may be losing control over both data and the downstream identities or accounts that AI tools use to process it. The relevant governance question is not whether AI is allowed in principle, but whether the organisation can account for every sanctioned and unsanctioned AI touchpoint.

AI has lowered the barrier to trust abuse faster than many verification models have adapted. Deepfakes, synthetic voice, and AI-assisted phishing make it easier to impersonate a person, a vendor, or an executive with enough realism to bypass informal checks. This pushes verification out of the authentication layer and into workflow design, because high-risk approvals now need stronger confirmation paths. Practitioners should assume that trust signals can be fabricated at scale.

Credential and access visibility now determine resilience in connected ecosystems. If a third party, contractor, or AI workflow can reach business-critical data without tight lifecycle control, incident scope will expand faster than many teams expect. That is where NHI governance and third-party access management intersect most sharply, because service credentials and delegated access often become the fastest route from exposure to impact. Practitioners should prioritise visibility into every non-human and external identity that can cross organisational boundaries.

Board reporting has to move from activity reporting to exposure reporting. The article’s emphasis on objective KPIs reflects a broader market shift: leadership needs risk measures that show where trust is being extended, not just how many controls exist. That aligns with frameworks such as NIST CSF and NIST SP 800-53, which focus on control effectiveness rather than checkbox compliance. Practitioners should present third-party and AI exposure in terms the board can act on, not just operational metrics.

What this signals

Third-party exposure and shadow AI are converging into a single governance issue: the organisation must be able to account for every trust path that can move data, credentials, or decisions outside direct control. That is where identity governance, third-party risk management, and AI policy enforcement intersect, especially when external systems can handle sensitive content without a corresponding lifecycle process.

Verification trust gap: the faster AI improves impersonation, the more organisations must design workflows that assume screenshots, voice, and even video are insufficient proof. For practitioners, that means stronger approval paths, clearer exception handling, and better separation between convenience tools and risk-bearing decisions.

As supply chains and AI usage expand, boards will increasingly expect exposure metrics that show how much trust is being extended beyond the enterprise boundary. That makes credential inventory, vendor offboarding, and sanctioned AI controls leading indicators of resilience, not just hygiene tasks.


For practitioners

  • Inventory external trust paths Document every vendor, partner, and supplier connection that can authenticate into systems, exchange data, or trigger privileged actions. Include API integrations, shared credentials, delegated admin paths, and any service accounts used by third parties.
  • Separate approved AI use from shadow AI Publish clear rules for sanctioned AI tools, then block or monitor unsanctioned services that can receive confidential content. Tie policy enforcement to user identity, device posture, and data sensitivity rather than relying on awareness training alone.
  • Tighten verification for high-risk requests Require stronger confirmation for payment changes, access grants, supplier onboarding, and executive instructions. Use callback checks, workflow approvals, and dual-channel verification when the request could be spoofed by deepfake or phishing content.
  • Extend third-party offboarding to credentials and data paths When a supplier relationship ends, revoke accounts, API access, tokens, and any standing access into shared environments. Validate that the third party can no longer reach data repositories, ticketing systems, or collaboration tools.

Key takeaways

  • Third-party risk and shadow AI now extend the CISO mandate beyond the enterprise perimeter into every trusted relationship and unmanaged data path.
  • SecurityScorecard cites more than 35% of breaches and over 40% of ransomware as third-party originated, underscoring how quickly dependency risk becomes incident risk.
  • The practical response is to inventory external trust, tighten verification, and bind AI usage and third-party access to identity lifecycle controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.SC-1Third-party dependencies and supply-chain exposure are central to the article.
NIST SP 800-53 Rev 5SA-9Supplier and external system dependencies are governed through system services and acquisition controls.
CIS Controls v8CIS-15 , Service Provider ManagementThe article centres on third-party and supplier risk management.
GDPRArt.32The article discusses data exposure through third-party and AI workflows that may handle personal data.

Map supplier access and shared data flows to ID.SC-1 and review them as part of ongoing risk management.


Key terms

  • Third-Party Risk Management: Third-party risk management is the process of assessing and controlling the security exposure introduced by vendors, suppliers, partners, and outsourced services. In practice, it covers access, data handling, assurance, monitoring, and offboarding across the full lifecycle of the relationship.
  • Shadow AI: Shadow AI refers to AI tools, services, or workflows used without organisational approval or visibility. The risk is not just policy drift, but uncontrolled data transfer, unknown retention, and unknown downstream processing that can undermine governance, compliance, and incident response.
  • Deepfake: A deepfake is synthetic audio, video, or image content generated to imitate a real person or event. Security teams care because deepfakes can be used to impersonate executives, manipulate trust, and support social engineering that bypasses ordinary verification habits.
  • External System Access: External system access is any authenticated connection from a vendor, partner, or other outside party into internal resources. It becomes a governance issue when the organisation cannot reliably inventory, scope, monitor, or revoke that access across the relationship lifecycle.

What's in the full article

SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:

  • The panel discussion on how CISOs should communicate risk to boards and audit committees.
  • The full third-party risk commentary behind the 35% breach and 40% ransomware figures.
  • SecurityScorecard's perspective on shadow AI, deepfakes, and the operational impact on enterprise security programmes.
  • The closing remarks on trusted KPIs and how organisations can benchmark cyber exposure across their ecosystem.

👉 SecurityScorecard's full article expands on board communication, AI-enabled threats, and third-party exposure metrics.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle controls. It gives practitioners a practical foundation for managing trust, access, and accountability across human and non-human identities.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org