TL;DR: Third-party risk management questionnaires help standardize vendor security, compliance, and operational checks across onboarding, reassessment, and renewal, while automation and risk scoring improve consistency and monitoring, according to SecurEnds. The deeper issue is that questionnaires can document trust, but they do not prove control effectiveness without evidence and continuous validation.
At a glance
What this is: This is an analysis of how third-party risk management questionnaires structure vendor due diligence and where they fit in the vendor lifecycle.
Why it matters: It matters because IAM and governance teams increasingly rely on vendor attestations to make access decisions, yet those attestations need validation across NHI, autonomous, and human-facing control chains.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
👉 Read SecurEnds' guide to third-party risk management questionnaires
Context
A third-party risk management questionnaire is a control-quality lens for supplier governance, not a control by itself. It standardises what the buyer asks, but it cannot prove that access, data handling, or incident response actually work once the vendor is live. For identity teams, that gap matters because vendor access often becomes non-human identity access, service-account access, or delegated human access inside the same trust chain.
The article is aimed at making vendor evaluation scalable through automation, scoring, and continuous monitoring. That direction is sensible, but it also shifts the question from whether a vendor answered correctly to whether the organisation can validate the answer with evidence, lifecycle oversight, and follow-through. For practitioners, the real issue is not questionnaire completion. It is whether the questionnaire feeds a durable governance decision.
Technical controls, compliance attestations, and operational resilience claims only matter when they are tied to onboarding, reassessment, contract renewal, and offboarding. That is why questionnaire design should be treated as part of identity governance and vendor lifecycle management, not as a standalone procurement artifact.
Key questions
Q: How should security teams use third-party risk questionnaires in vendor onboarding?
A: Use them to set an initial risk baseline, but require evidence before granting access to sensitive systems or data. The best practice is to connect questionnaire answers to contract terms, access approvals, and named remediation owners. That way the questionnaire becomes a decision record rather than a compliance exercise.
Q: Why do vendor questionnaires fail to reduce risk on their own?
A: They rely on self-reported answers, so they can show what a vendor says it does without proving what actually happens in production. Risk falls only when organisations validate the claims with logs, certifications, audits, or monitoring data and then link those findings to access decisions.
Q: What do organisations get wrong about questionnaire-based vendor risk management?
A: They often confuse completion with control. A fully answered questionnaire can still hide stale access, weak offboarding, or missing evidence. The real test is whether the answers change the vendor’s access scope, trigger remediation, or block renewal when gaps are unresolved.
Q: How can teams make vendor risk questionnaires more effective over time?
A: Tie them to lifecycle events, keep them short enough to get reliable responses, and update the control set when the vendor’s services or risk profile changes. A questionnaire that evolves with the relationship is far more useful than a static annual form.
Technical breakdown
Vendor questionnaires as control evidence, not assurance
A vendor questionnaire is a structured evidence-gathering instrument. It collects self-reported answers on security controls, data handling, incident response, and compliance posture, then turns those answers into a comparable review format. The weakness is obvious: the questionnaire measures claimed practice, not observed practice. That is why questionnaires are most useful when they are paired with supporting artefacts such as audit reports, certifications, logs, or external telemetry. In identity terms, the questionnaire helps establish an access decision, but it does not validate whether the vendor’s non-human identities, delegated accounts, or privileged workflows are actually governed as claimed.
Practical implication: Use questionnaires to trigger evidence requests, not to close the risk decision.
Automated scoring and continuous monitoring in TPRM
Automation changes the operating model of third-party review by reducing manual chase work and creating a repeatable scoring layer. Workflow engines can route responses, flag missing evidence, and update risk ratings when vendor posture changes. Continuous monitoring extends that model by adding external signals such as exposed services or configuration drift. The technical boundary matters: scoring can prioritise attention, but it does not replace validation of internal controls. In IAM and NHI governance, that means the vendor’s access model, secret handling, and escalation paths still need explicit lifecycle checks, even if the platform says the score is acceptable.
Practical implication: Combine automated scoring with periodic evidence validation and access recertification.
Why vendor lifecycle timing matters for access governance
Questionnaires are most valuable when they align to the moments when risk changes: onboarding, renewal, reassessment, and service change. Those are the points at which access, data flows, and subcontractor dependencies often expand. If the review cadence is disconnected from lifecycle events, the organisation gets a point-in-time snapshot instead of governance. That is especially relevant for third-party NHIs such as API keys, service accounts, or OAuth-connected access, because those identities can persist long after the business relationship has changed. The control failure is not the questionnaire format. It is the absence of lifecycle-triggered review and offboarding discipline.
Practical implication: Tie questionnaire refreshes to contract and access lifecycle events, not just calendar cycles.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Questionnaires create governance theatre when they are treated as proof. A completed response set can make vendor risk feel controlled, but it only documents intent unless the organisation validates the claims with evidence. That is why the control problem is not questionnaire design alone. The control problem is the gap between attestation and operational reality, especially where vendor access becomes non-human identity access inside shared delivery chains. Practitioners should treat the questionnaire as input to governance, not as governance itself.
Vendor access without lifecycle offboarding is the failure mode this topic exposes. The questionnaire model assumes the relationship is reviewed while the access still matters. That assumption breaks when third-party access, API credentials, or delegated accounts remain active after the business need has changed. The implication is not simply to ask more questions. It is to recognise that access governance fails when offboarding is not tied to contract renewal, service change, and evidence-backed revocation.
Continuous monitoring does not compensate for weak control attribution. Automated scoring can surface risk faster, but it cannot tell you whether the right team owns the control, whether the control maps to the actual identity subject, or whether remediation is complete. That matters across NHI, human, and delegated access models because ownership ambiguity is a recurring reason vendor risk findings remain open. Practitioners should use scoring to prioritise decisions, but accountability still has to be explicit.
Third-party questionnaires are becoming a lifecycle control for identity trust boundaries. The better programmes are no longer using them as procurement forms. They are using them to decide whether access is granted, recertified, narrowed, or removed. That aligns vendor governance with the realities of modern identity estates, where the real risk is less about whether a vendor exists and more about whether its access can outlive its justification. Practitioners should design the questionnaire around change points, not just intake.
Access-management questions are now as important as compliance questions. ISO 27001, SOC 2, and NIST alignment matter, but they do not substitute for knowing how vendor access is provisioned, logged, reviewed, and revoked. In practice, the strongest questionnaire programmes force the buyer to examine identity flow, privileged access, and subprocessor dependency as one system. Practitioners should stop treating compliance evidence and access evidence as separate workstreams.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- The visibility gap is why identity teams should treat vendor questionnaires as one signal in a wider governance stack, not as the final control decision.
What this signals
Third-party risk programmes are moving toward continuous verification because static attestations cannot keep pace with vendor change. The strategic shift is away from questionnaire completion and toward evidence-backed lifecycle governance, especially where third-party access includes API tokens, service accounts, or delegated OAuth grants.
Attestation debt: this is the growing gap between what vendors claim in questionnaires and what buyers can prove through evidence, monitoring, and access review. The larger the supplier ecosystem, the more attestation debt accumulates, and the more likely it is that a renewal decision is made on stale assumptions. Practitioners should design for proof, not paperwork.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance problem is no longer limited to procurement review. It is an access visibility problem that crosses vendor management, IAM, and NHI oversight. Teams that can correlate questionnaire responses with lifecycle signals will make better decisions faster.
For practitioners
- Tie questionnaire updates to lifecycle events: Refresh vendor risk reviews at onboarding, renewal, reassessment, and any material service change so access decisions track the actual business relationship.
- Demand evidence for every high-risk answer: Require artefacts such as audit reports, access logs, incident procedures, or certification records before accepting any claim that affects data or identity risk.
- Map questionnaire sections to identity ownership: Assign each control domain to a named internal owner, including third-party access, privileged accounts, and subcontractor exposure, so findings do not stall in review.
- Treat third-party NHI access as revocable inventory: Track API keys, service accounts, tokens, and OAuth grants as inventory that must be reviewed and revoked when the vendor relationship changes.
- Use monitoring to verify, not just score: Combine automated risk scoring with continuous checks for exposed services, missing evidence, or stale access so the questionnaire reflects operating reality.
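The following is an added example, not code from SecurEnds or from NHIMG, that models the review loop described in "Automated scoring and continuous monitoring in TPRM", "Why vendor lifecycle timing matters for access governance", and the practitioner list above: each questionnaire answer carries an evidence reference and a named internal owner, the risk score only orders the review queue, and the access decision taken at each lifecycle event is gated on evidence and on whether the vendor's third-party NHI credentials still have a current business need. The vendor name, credential ids, control-domain names, and the 365-day evidence and 90-day credential-review thresholds are constructed assumptions, not figures from the page.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Control domains where an unproven claim blocks access instead of merely raising the score.
HIGH_RISK_DOMAINS = {"access_mgmt", "secret_handling", "offboarding", "incident_response"}
LIFECYCLE_EVENTS = {"onboarding", "renewal", "reassessment", "service_change", "offboarding"}
EVIDENCE_MAX_AGE = timedelta(days=365)    # assumed policy: artefacts older than a year are stale
CRED_REVIEW_MAX_AGE = timedelta(days=90)  # assumed policy: third-party NHIs recertified quarterly


@dataclass
class Answer:
    domain: str
    claim: bool                    # vendor says the control is in place
    evidence: str | None = None    # artefact reference (audit report, log export); None = self-reported only
    owner: str | None = None       # named internal owner accountable for validating this domain
    evidence_date: date | None = None


@dataclass
class NhiCredential:
    cred_id: str
    kind: str                      # api_key / service_account / oauth_grant
    last_reviewed: date
    business_need: bool            # still justified by the current relationship?


@dataclass
class VendorReview:
    vendor: str
    answers: list[Answer]
    credentials: list[NhiCredential]


def find_gaps(review: VendorReview, today: date) -> list[tuple[str, str]]:
    """Findings as (domain, reason) where a claim lacks fresh evidence or a named owner."""
    gaps = []
    for a in review.answers:
        if not a.claim:
            gaps.append((a.domain, "control not claimed"))
        elif a.domain in HIGH_RISK_DOMAINS and a.evidence is None:
            gaps.append((a.domain, "high-risk claim without evidence"))
        elif a.evidence_date is not None and today - a.evidence_date > EVIDENCE_MAX_AGE:
            gaps.append((a.domain, "evidence stale"))
        if a.owner is None:
            gaps.append((a.domain, "no internal owner"))
    return gaps


def risk_score(review: VendorReview, today: date) -> int:
    """Prioritisation only: higher means review sooner. The score never grants access by itself."""
    return sum(3 if domain in HIGH_RISK_DOMAINS else 1 for domain, _ in find_gaps(review, today))


def revocable_credentials(review: VendorReview, today: date) -> list[str]:
    """Third-party NHIs treated as inventory: revoke when unreviewed or no longer needed."""
    return [c.cred_id for c in review.credentials
            if not c.business_need or today - c.last_reviewed > CRED_REVIEW_MAX_AGE]


def decide_access(review: VendorReview, event: str, today: date) -> dict:
    """Lifecycle-triggered decision: grant, narrow, block or revoke. Evidence gates the outcome."""
    if event not in LIFECYCLE_EVENTS:
        raise ValueError(f"not a lifecycle event: {event}")
    if event == "offboarding":   # relationship ended: every credential goes, no scoring needed
        return {"decision": "revoke", "revoke": [c.cred_id for c in review.credentials],
                "gaps": [], "blocking": [], "score": 0}
    gaps = find_gaps(review, today)
    revoke = revocable_credentials(review, today)
    blocking = [g for g in gaps if g[0] in HIGH_RISK_DOMAINS
                and g[1] in ("control not claimed", "high-risk claim without evidence")]
    if blocking:
        decision = "block"       # no grant or renewal until the artefact arrives
    elif gaps or revoke:
        decision = "narrow"      # continue, but trim access and open remediation items
    else:
        decision = "grant"
    return {"decision": decision, "revoke": revoke, "gaps": gaps,
            "blocking": blocking, "score": risk_score(review, today)}


TODAY = date(2026, 4, 14)  # constructed reference date


def sample_review() -> VendorReview:
    """Constructed vendor record; vendor name, artefact names and credential ids are placeholders."""
    return VendorReview(
        vendor="example-vendor",
        answers=[
            Answer("access_mgmt", True, "soc2-type2-2025.pdf", "iam-team", TODAY - timedelta(days=100)),
            Answer("secret_handling", True, None, "appsec-team"),                   # claim with no artefact
            Answer("incident_response", True, "ir-runbook-v2.pdf", None, TODAY - timedelta(days=400)),
            Answer("logging", True, "log-export-sample.json", "secops", TODAY - timedelta(days=30)),
        ],
        credentials=[
            NhiCredential("api-key-001", "api_key", TODAY - timedelta(days=30), True),
            NhiCredential("svc-acct-002", "service_account", TODAY - timedelta(days=200), True),
            NhiCredential("oauth-grant-003", "oauth_grant", TODAY - timedelta(days=10), False),
        ],
    )


if __name__ == "__main__":
    result = decide_access(sample_review(), "renewal", TODAY)
    print(result["decision"], "score", result["score"], "revoke", result["revoke"])
    for domain, reason in result["gaps"]:
        print(f"  {domain}: {reason}")
```

Run as written, the renewal is blocked by the unevidenced secret-handling claim even though the vendor answered every question; the two credentials flagged for revocation and the stale, unowned incident-response artefact show up as findings with the score ordering them, and only once the artefact is supplied, the owner named and the credentials recertified does the same event return "grant".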
Key takeaways
- Third-party risk questionnaires are useful only when they feed evidence-based access decisions rather than serving as proof of control.
- The scale of the visibility problem is material, with 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps.
- Lifecycle-triggered review, revocation, and ownership are the controls that turn a questionnaire programme into real vendor governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.RA | Risk assessments need evidence-backed vendor control validation. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Third-party access must be continuously verified and limited. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Third-party OAuth and secret exposure are NHI governance issues. |
Inventory third-party NHI credentials and revoke any access that lacks current business need.
Key terms
- Third-Party Risk Management Questionnaire: A structured set of questions used to assess a vendor’s security, compliance, and operational controls before or during engagement. In practice, it is a governance instrument that standardises due diligence, but it only becomes trustworthy when answers are validated with evidence and tied to access decisions.
- Vendor Risk Assessment: The broader process of evaluating the likelihood and impact of risk introduced by a supplier, subcontractor, or service provider. A questionnaire is one input to this process, alongside audits, monitoring, contract terms, and offboarding controls that determine whether trust is justified.
- Attestation Debt: The growing gap between what an external party claims in a questionnaire and what an organisation can independently verify. It accumulates when answers are accepted without evidence, and it becomes operational risk when access, data handling, or incident response decisions rely on stale assertions.
- Third-Party Non-Human Identity: A non-human identity controlled or operated by an external supplier, such as an API key, service account, token, or OAuth grant. These identities often outlive the original approval context, so they require explicit lifecycle review, ownership, and revocation discipline.
Deepen your knowledge
Third-party risk management questionnaire design is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building vendor governance that has to handle third-party access and identity lifecycle change, it is worth exploring.
This post draws on content published by SecurEnds: third-party risk management questionnaire guidance and templates. Read the original.
Published by the NHIMG editorial team on 2026-04-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org