By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecureframePublished December 30, 2025

TL;DR: Third-party breaches now account for 30% of incidents in Verizon’s 2025 DBIR, while SecurityScorecard says 35.5% of breaches are linked to third-party access, showing that vendor ecosystems have become a primary attack path, according to Secureframe’s compiled statistics. The governance problem is no longer assessment volume alone but whether risk controls can see beyond direct vendors into the nth-party chain.


At a glance

What this is: This is a compiled 2026 third-party risk statistics roundup showing that breaches, fourth-party exposure, and immature monitoring are still widespread across vendor ecosystems.

Why it matters: It matters to IAM and security practitioners because third-party access, delegated trust, and downstream dependencies increasingly determine where identity control, monitoring, and offboarding fail.

By the numbers:

👉 Read Secureframe’s 2026 third-party risk statistics and trends roundup


Context

Third-party risk management has moved from a procurement and compliance exercise to a security governance requirement. When vendors, service providers, and downstream partners can touch sensitive data or production systems, the trust boundary is no longer limited to the enterprise perimeter. For IAM teams, that means access governance must extend to external identities, delegated privileges, and offboarding across the supply chain.

This article’s value is the breadth of its benchmark data, but the deeper signal is that most organisations still manage third-party risk with incomplete visibility. That gap becomes sharper when third-party access is tied to credentials, tokens, or API-based integrations, because those are identity controls as much as they are vendor controls.


Key questions

Q: What breaks when third-party risk management does not cover external identities?

A: When third-party risk management ignores external identities, organisations lose control over who can actually authenticate, what they can access, and when that access should end. Questionnaires may still exist, but the real risk sits in active credentials, integrations, and privileged vendor accounts. The result is delayed revocation, incomplete offboarding, and blind spots that attackers can reuse.

Q: Why do third-party relationships create identity and access risk?

A: Third-party relationships create identity risk because external parties often receive real credentials or delegated access into sensitive systems. If those permissions are broader than needed, poorly monitored, or left active after the work ends, the vendor relationship becomes a persistent attack path. The risk is highest when access is separated from lifecycle governance.

Q: How do organisations know if their TPRM programme is actually working?

A: A TPRM programme is working when it can show current vendor inventory, current access scope, timely remediation, and reliable offboarding. If the team cannot tell who has access, what changed, and who owns the next action, the programme is collecting evidence without controlling exposure.

Q: Who is accountable when a third-party incident occurs?

A: Accountability should be shared but explicit. The business owner, security team, procurement, and legal function each have a role, but the policy must name who receives the incident report, who approves escalation, and who owns remediation follow-through. Without that structure, vendors can report events without anyone taking operational control.


Technical breakdown

Why third-party access becomes an identity problem

Third-party risk becomes an identity issue when vendors authenticate into your systems, call your APIs, or receive scoped access that persists beyond the original business purpose. In practice, that creates external identities, delegated authority, and lifecycle dependencies that traditional vendor questionnaires do not govern. The real control problem is not only who the vendor is, but what access the vendor’s users, services, and integrations retain over time. Once those privileges are shared across environments, revocation and monitoring become identity governance tasks, not just supplier management.

Practical implication: extend access reviews, entitlement checks, and offboarding to external identities, not just contract records.

Nth-party risk and the collapse of direct visibility

Nth-party risk appears when a vendor’s own suppliers, processors, or embedded services create exposure that the buying organisation cannot see directly. The statistics in this roundup show how often organisations rely on contractual notification rather than direct evidence, which leaves a blind spot around subcontractors and hidden service chains. In identity terms, this is a downstream trust problem: your control boundary ends where your visibility ends, while the exposure continues through inherited access, shared data, and opaque integrations.

Practical implication: map critical third parties to their downstream dependencies and require evidence of subprocessor and delegated-access controls.

TPRM automation, but with governance not just throughput

Automation in TPRM is often sold as a way to process questionnaires faster, but the real value is governance consistency. If automated workflows only speed up intake, they do not solve the harder problems of control validation, exception handling, or evidence freshness. For identity-linked third parties, automation should support continuous validation of access scope, secret rotation, and access termination when risk changes. Otherwise, teams end up with faster paperwork and the same unmanaged trust.

Practical implication: automate evidence collection, but keep human review on exceptions, access scope, and high-risk revocation decisions.


Threat narrative

Attacker objective: The attacker wants to turn trusted external access into durable access to data, systems, or operational pathways without triggering normal internal controls.

  1. Entry begins when an attacker uses a compromised or poorly governed third-party access path, such as vendor credentials, an exposed integration, or a weak downstream supplier account.
  2. Escalation follows when that trusted access is reused, over-scoped, or not revoked, allowing the attacker to move from a vendor touchpoint into internal systems or shared data environments.
  3. Impact occurs when the attacker steals data, disrupts operations, or leverages inherited trust to spread the breach through additional vendors and fourth-party relationships.

NHI Mgmt Group analysis

Third-party risk is now identity governance by another name. The article’s statistics show that vendor relationships are no longer just business dependencies, they are access dependencies. When external parties authenticate, sync data, or operate through API keys and tokens, IAM and PAM controls become part of the TPRM program. Practitioners should treat third-party access as a governed identity lifecycle, not a one-time assessment artifact.

Nth-party risk is the control boundary most programs still fail to name. The clearest gap in this data is not the existence of downstream risk, but the lack of direct visibility into it. That means many organisations are governing the first relationship while inheriting unknown exposure from the second and third relationship layers. Practitioners should define the downstream trust boundary explicitly and require evidence, not assurances, from critical suppliers.

TPRM maturity is increasingly measured by control validation, not questionnaire volume. A program that can collect more forms is not necessarily a safer program. Mature governance now depends on whether the organisation can verify access scope, detect unapproved vendor usage, and prove that offboarding reaches every external identity and integration. Practitioners should judge maturity by revocation, visibility, and exception handling, not by assessment throughput alone.

Multi-layer trust chains create governance debt that accumulates faster than review cycles. The article’s fourth-party data shows why annual reviews are structurally behind the risk they are supposed to manage. Once vendor ecosystems are layered, the organisation is effectively managing a moving graph of delegated access and shared data. Practitioners should use this as a signal to redesign TPRM around continuous evidence, not periodic point-in-time validation.

AI-driven third-party operations add a new identity and accountability problem. As vendors use AI in service delivery, support, and decision workflows, the organisation is not only assessing supplier risk but also model-driven behaviour inside the supplier estate. That expands the governance question from disclosure to control provenance. Practitioners should require clarity on where AI is used, what data it touches, and who is accountable when AI-supported processes change risk.

What this signals

Third-party governance is converging with identity lifecycle management. For many programmes, the practical question is no longer whether a vendor is approved, but whether its access can be proven current, necessary, and revocable. That is why third-party controls increasingly need to sit alongside IAM, PAM, and external identity governance, not separate from them.

The most important shift for practitioners is the move from periodic assessment to continuous trust verification. If downstream suppliers, API credentials, or vendor-managed access can change faster than review cycles, the programme needs monitoring that reflects that speed. The OWASP Non-Human Identity Top 10 is useful here because external integrations and service identities behave like governance objects, not static assets.

Control debt builds when organisations cannot see beyond the primary supplier. That is the real lesson in the nth-party data. If the programme cannot map inherited access or verify downstream security claims, then risk acceptance becomes guesswork. The operational response is to narrow trusted dependencies, formalise evidence requirements, and align review cycles with the speed of vendor change.


For practitioners

  • Map third-party access to real identities and privileges Inventory every vendor, integration, service account, token, and API credential that can touch sensitive systems or data. Tie each one to an owner, purpose, expiry, and revocation path so access reviews can cover the full external identity lifecycle.
  • Extend governance to fourth-party and nth-party dependencies Require critical suppliers to disclose downstream processors, hosting providers, and embedded services, then validate those claims with evidence rather than contract language alone. Focus additional review on chains that include production access, regulated data, or operational dependencies.
  • Measure TPRM maturity by control outcomes Track whether the program can actually block risky vendors, require compensating controls, and terminate access when needed. Use metrics such as revoked access completion, exception closure time, and evidence freshness instead of questionnaire counts alone.
  • Build continuous monitoring around vendor change events Trigger reassessment when a supplier changes ownership, adds AI to a workflow, changes subprocessors, or expands system access. Continuous monitoring should detect when a third party’s risk posture changes before the next annual review.
  • Separate intake automation from approval authority Use automation to collect documents, prefill responses, and consolidate evidence, but keep human decision-making for high-risk access, exceptions, and termination actions. That preserves accountability where trust decisions are irreversible.

Key takeaways

  • Third-party risk is now an identity and access problem as much as a supplier-management problem.
  • The data shows persistent blind spots in nth-party visibility, vendor breach paths, and program maturity.
  • Practitioners should measure success by revoked access, downstream visibility, and evidence freshness, not questionnaire volume.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.SC-1Supply chain risk governance is central to third-party and nth-party exposure.
NIST SP 800-53 Rev 5AC-20Third-party access and external connections depend on controlled use of non-organizational systems.
CIS Controls v8CIS-15 , Service Provider ManagementThis article is fundamentally about managing service providers and downstream exposure.
ISO/IEC 27001:2022A.5.19Supplier relationships and external services need formalised security requirements.
GDPRArt.28Third parties handling personal data trigger processor oversight and accountability duties.

Use CIS-15 to standardise supplier review, evidence collection, and offboarding expectations.


Key terms

  • Third-party risk management: Third-party risk management is the process of identifying, assessing, monitoring, and reducing risk introduced by external vendors and service providers. In identity terms, it governs who outside the organisation can reach systems or data, how that access is approved, and when it must be removed.
  • Nth-Party Risk: Nth-party risk is exposure created by a supplier’s suppliers and other downstream dependencies that the buying organisation does not directly contract with or control. It matters because the risk often travels through shared data, inherited access, and hidden service chains, leaving direct visibility incomplete.
  • External Identity: An external identity is an account or access path owned outside the organisation but trusted inside it, such as a partner, vendor, contractor, or temporary worker. These identities enlarge the attack surface because they are harder to govern consistently and often fall outside standard employee lifecycle processes.
  • Delegated Access: Delegated access is permission granted to one identity to act on behalf of another user, service, or system. In NHI environments, this usually appears in OAuth-connected apps and automation tooling. It is powerful, but it must be tightly scoped and reviewed because it can persist long after the original business need ends.

What's in the full report

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • The full benchmark set across breach rates, staffing, maturity, assessment, monitoring, and automation trends.
  • The vendor-by-vendor statistic breakdown behind questionnaire use, tool adoption, and monitoring gaps.
  • The detailed TPRM best-practice and maturity sections for teams comparing their own program structure.
  • The specific third-party and nth-party figures that support board reporting and internal benchmarking.

👉 Secureframe’s full post includes the underlying statistics across breaches, staffing, maturity, and monitoring.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in practical terms. It gives identity and security practitioners a stronger foundation for governing external access, lifecycle controls, and delegated trust.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org