TL;DR: Integration and implementation remain the biggest barrier to security maturity, as technology partners need direct access to a platform to build certified, more deeply integrated apps rather than basic connectors, according to SailPoint. The implication is that identity teams must treat partner ecosystems as part of the governance surface, not just an integration layer.
At a glance
What this is: SailPoint's Unified Platform Access extends its partner program so technology partners can build native applications on the identity platform with certified integrations.
Why it matters: For IAM practitioners, this matters because partner-built functionality can widen the governance surface for identity, access, and lifecycle controls across NHI, autonomous, and human programmes.
👉 Read SailPoint's announcement on Unified Platform Access for technology partners
Context
SailPoint's Unified Platform Access is a partner-program change that lets external technology partners build native applications on the SailPoint platform rather than stopping at conventional integrations. The primary identity-security question is not whether the ecosystem expands, but how governance changes when more third-party actors can create functionality inside the identity control plane.
For identity teams, the issue is broader than vendor interoperability. Once partner-built applications become part of the operating model, organisations need a tighter view of certification, entitlement boundaries, and lifecycle responsibility across identity, access, and data-linked controls. That is especially relevant where non-human identities, automation, and human access processes meet inside the same platform layer.
Key questions
Q: How should security teams govern partner-built identity applications?
A: Security teams should treat partner-built identity applications as governed extensions of the control plane, not as simple connectors. That means assigning ownership, scoping the data and workflows each app can touch, requiring approval before privilege expansion, and including the app in review and offboarding processes. Certification helps, but it does not replace lifecycle control or logging.
Q: Why do partner ecosystems create more identity governance risk?
A: Partner ecosystems create more risk because each new extension introduces a new authority path inside the identity programme. Even when the integration is certified, the app may still read sensitive context, trigger workflows, or influence access outcomes. If that authority is not tracked and recertified, governance drifts away from the actual runtime behaviour.
Q: When should organisations recertify third-party identity applications?
A: Organisations should recertify third-party identity applications whenever access scope, data scope, or ownership changes, and after any partner relationship update that affects trust. The review should confirm the app still needs its current permissions, still has an accountable owner, and still operates within the approved business purpose.
Q: What is the difference between a certified integration and governed access?
A: A certified integration confirms that the connection works to a defined standard, while governed access defines who is accountable for the app's permissions, lifecycle, and revocation. In practice, certification is a technical assurance, but governance requires ownership, review, logging, and the ability to remove access when the relationship changes.
How it works in practice
What unified platform access changes in partner integrations
Traditional integrations expose APIs or connectors that move data between systems without giving partners much room to shape the identity workflow itself. Unified platform access goes further by allowing partners to build native applications on top of the platform's foundation, which can shift the control surface from integration plumbing to governed extension. That changes who can influence policy logic, lifecycle actions, and automated responses. In identity programmes, the technical question is no longer just whether an integration works, but whether the extension point preserves segregation of duties, auditability, and entitlement boundaries.
Practical implication: treat partner-built applications as governed extensions and require clear controls over what policy, workflow, and identity data they can touch.
Certified integrations and the trust boundary in identity platforms
Certification reduces uncertainty, but it does not remove the need to define trust boundaries. A certified integration may confirm that a partner app functions as intended, yet the security team still has to decide what data the app can read, which actions it can trigger, and how its lifecycle is managed when the partner relationship changes. In identity security, this matters because the platform becomes a place where third-party logic can influence access decisions and downstream governance records. Validation is helpful, but governance still depends on least privilege, review, and offboarding discipline.
Practical implication: map certification to a trust decision, then add explicit approval, revocation, and monitoring controls for each partner application.
Why ecosystem growth increases identity governance complexity
An identity app economy creates more value, but it also creates more actors, more dependencies, and more places for misconfiguration. Each partner application can introduce its own data paths, automated actions, and privileged access requirements, which means the identity team must govern not only users and service accounts but also the extensions that operate inside the platform. This is where NHI governance and IAM governance start to overlap: a partner app may not be a human user, but it can still act with machine-like persistence and reach. The governance model has to cover that runtime reality.
Practical implication: extend recertification, logging, and ownership checks to every third-party app that can act on identity data or policy outcomes.
NHI Mgmt Group analysis
Unified platform access shifts the governance problem from integration to delegated authority. The article is not really about connectors, it is about allowing external partners to build directly against the identity platform's operating surface. That means the security question moves from whether data can move between systems to who can shape identity outcomes inside the platform. Practitioners should treat this as an extension of the governance plane, not a convenience feature.
Identity app ecosystems create a larger control surface than traditional IAM programmes usually model. Once partner applications can be built natively, the organisation is no longer governing only identities and entitlements. It is also governing the behaviours of third-party extensions that can read context, trigger workflows, and influence access outcomes. The implication is that review processes must account for delegated functionality, not just listed accounts and roles.
Certified partner access is a trust signal, not a trust substitute. Certification can standardise how extensions are built, but it does not answer the harder questions of lifecycle ownership, data minimisation, or revocation when the commercial relationship changes. That is a familiar NHI and PAM lesson applied to platform ecosystems. Practitioners should assume that every new integration layer creates a new governance obligation.
Partner-app blast radius: direct platform access expands the number of paths by which third-party logic can affect identity decisions. The more deeply partners can build on the platform, the more important it becomes to define where policy ends, where vendor responsibility begins, and how failures are isolated. This is the same control logic enterprises use for privileged access, now applied to ecosystem development. Practitioners should frame partner access as a bounded authority problem.
The market is signalling that identity platforms are becoming control planes for an ecosystem, not just repositories of access data. That shift matters because the next governance challenge will not be whether a platform can integrate, but whether it can safely host third-party capability without diluting control. For identity leaders, the strategic move is to evaluate whether current governance processes can scale to platform-native partner innovation.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to GitGuardian & CyberArk.
- For the broader identity lifecycle view, read Ultimate Guide to NHIs , Key Challenges and Risks for the control gaps that most often accompany delegated access.
What this signals
Identity platform ecosystems now need lifecycle controls, not just integration governance. As partner-built applications become part of the operating model, the programme has to know who owns each extension, what authority it has, and how quickly it can be removed. That is a familiar lifecycle problem expressed inside a more complex platform boundary.
The practical signal for IAM leaders is that recertification has to expand to platform-native partners and not stop at human access or service accounts. If a third-party app can influence identity outcomes, it belongs in the same governance conversation as any other delegated identity path.
With organisations dedicating an average of 32.4% of security budgets to secrets management and code security, per The State of Secrets in AppSec, the next bottleneck is not awareness but operational control over the ecosystem that consumes those secrets. The governance model must keep pace with the number of places authority can be exercised.
For practitioners
- Define partner app trust tiers Classify every partner-built application by the identity data it can access, the workflows it can trigger, and whether it can change policy outcomes. Use that tiering to decide review depth, approval authority, and monitoring scope.
- Add offboarding controls for ecosystem apps Require a revocation path for partner applications that mirrors service-account offboarding, including access removal, token invalidation, and ownership reassignment when the commercial relationship ends.
- Expand recertification beyond accounts Include partner-built applications in access reviews so governance teams validate not only who has access, but which external extensions still have delegated authority inside the platform.
- Limit policy reach by application scope Constrain each integration to the smallest set of workflows and data objects it needs, then monitor for any expansion in read, write, or execution privileges over time.
Key takeaways
- Unified platform access expands the identity governance surface because partners can now influence platform behaviour, not just connect to it.
- Certification improves consistency, but it does not remove the need for ownership, review, and revocation controls over partner-built applications.
- Identity teams should extend lifecycle governance to third-party apps that can read context, trigger workflows, or affect access decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Partner apps can extend delegated access and secret-like authority inside the platform. |
| NIST CSF 2.0 | PR.AC-4 | Third-party platform extensions need permission governance and accountability. |
| NIST Zero Trust (SP 800-207) | Platform-native partners require continuous verification of access and context. |
Map partner apps to access control reviews and enforce role-based ownership for each extension.
Key terms
- Partner-Built Identity Application: A partner-built identity application is an external extension that operates inside or alongside an identity platform and can influence workflow, policy, or access outcomes. It is not just an integration endpoint. The governance challenge is to define its scope, owner, and revocation path before it can affect identity decisions.
- Identity Control Plane: The identity control plane is the operating layer where policy, access decisions, and lifecycle actions are executed or enforced. When partners can build natively on top of it, the control plane becomes a shared governance surface, which raises the need for stronger boundaries, auditing, and delegated authority controls.
- Delegated Authority: Delegated authority is permission granted to a system or partner application to act within a defined identity context on behalf of the organisation. It can be useful, but it must be bounded, reviewed, and revocable. Without those constraints, delegated authority becomes a hidden access path rather than a controlled capability.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Unified Platform Access to fuel partner innovation. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
