By NHI Mgmt Group Editorial TeamPublished 2026-04-28Domain: Cyber SecuritySource: Drata

TL;DR: Third-party involvement appeared in 30% of breaches in the 2025 DBIR, up from 15% the year before, while the average company now manages 305 SaaS applications and often tracks them with spreadsheets and manual reviews, according to Zylo and Verizon. Lifecycle-wide visibility, not point-in-time questionnaires, is now the control that determines whether vendor risk stays bounded or becomes persistent.


At a glance

What this is: This analysis argues that fragmented vendor intake, monitoring, and offboarding leave organisations with a widening third-party risk gap across the vendor lifecycle.

Why it matters: IAM and security teams need lifecycle visibility because vendor access, data exposure, and residual permissions often outlive procurement and contract controls.

By the numbers:

👉 Read Drata's analysis of vendor lifecycle visibility gaps and third-party risk


Context

Third-party risk becomes harder to govern when vendor oversight is split across procurement, legal, security, and business teams. The core problem is not simply that organisations buy too many services, but that visibility into access, evidence, and offboarding breaks at different points in the vendor lifecycle.

That matters to identity governance because third-party access is still access, even when it is delivered through service accounts, API keys, tokens, or delegated tooling. Once vendor lifecycle records fragment, it becomes difficult to prove who retained access, when risk changed, and whether offboarding actually closed the exposure window.


Key questions

Q: How should security teams govern vendor access across the full lifecycle?

A: Security teams should govern vendor access as a lifecycle control problem, not as a one-time approval. That means tying intake, onboarding, monitoring, and offboarding to a live inventory of credentials, integrations, owners, and expiry conditions. Continuous evidence should replace annual reassurance, especially where vendors can access sensitive data or production systems.

Q: Why do third-party relationships often become identity risks?

A: Third-party relationships become identity risks because vendors are frequently granted service accounts, tokens, API keys, or delegated permissions that outlive the decision to use them. If those access objects are not owned, scoped, rotated, and revoked, the organisation ends up with persistent trust channels that can be abused or forgotten.

Q: What breaks when vendor offboarding is treated as a paperwork task?

A: When offboarding is treated as paperwork, access often remains active after the contract ends. That leaves orphaned accounts, lingering integrations, and unresolved data access paths in place, which can create residual exposure long after the vendor relationship appears closed.

Q: Which frameworks help organisations measure vendor lifecycle risk?

A: NIST Cybersecurity Framework 2.0 helps structure governance and continuous risk management, while OWASP Non-Human Identity Top 10 is useful when vendor access includes service accounts, keys, or tokens. Organisations should use both to connect lifecycle oversight with access control, revocation, and monitoring.


Technical breakdown

Why vendor lifecycle visibility breaks down in practice

Vendor lifecycle visibility fails when organisations treat intake, due diligence, onboarding, monitoring, and offboarding as separate administrative tasks rather than one control loop. Each handoff creates a new place where evidence can be lost, approvals can be overridden, or access can persist after the relationship changes. The result is a security model that knows what was approved, but not what is currently exposed. In identity terms, this is a lifecycle governance failure: access is granted and forgotten, while assurance remains tied to point-in-time reviews instead of continuous state. Practical implication: treat vendor lifecycle records as a control system, not a filing system.

Practical implication: treat vendor lifecycle records as a control system, not a filing system.

How unmanaged third-party access becomes an identity problem

Third-party risk turns into identity risk when vendors receive credentials, integrations, or delegated permissions that are not tied to a clear owner and expiration process. A questionnaire may document the vendor, but it does not govern the access objects that follow, such as service accounts, OAuth grants, API keys, and certificates. Those artefacts behave like non-human identities because they can outlive the business decision that created them. Without ownership, scoping, and rotation, they become residual trust channels into systems and data. Practical implication: inventory vendor-facing credentials and attach lifecycle controls to each one.

Practical implication: inventory vendor-facing credentials and attach lifecycle controls to each one.

Why continuous monitoring matters more than annual review

Annual assessments can confirm a vendor’s posture on the day of review, but they do not show whether the posture changed the next week. Continuous monitoring closes that gap by tracking security signals, control drift, incident disclosures, and evidence of changed dependencies after onboarding. This is where lifecycle governance and NHI governance intersect most sharply: if a vendor’s access surface includes machine credentials, then stale approvals and stale secrets become the same problem. The programme challenge is to detect when a previously acceptable relationship has become a live exposure. Practical implication: use continuous evidence, not calendar-based reassurance, to trigger re-assessment.

Practical implication: use continuous evidence, not calendar-based reassurance, to trigger re-assessment.


Threat narrative

Attacker objective: The attacker objective is to exploit unmanaged third-party access paths and keep them open long enough to reach sensitive systems, data, or downstream integrations.

  1. Entry occurs when a business unit or engineering team onboards a third-party tool outside the central intake process, creating an unmanaged access path.
  2. Escalation follows when the vendor receives broad permissions, stale credentials, or opaque integrations that are not tied to an owner and expiry.
  3. Impact arrives when residual access persists after contract end or posture drift goes unnoticed, leaving sensitive systems exposed to unauthorised use or data loss.

NHI Mgmt Group analysis

Vendor lifecycle visibility has become an identity governance problem, not just a procurement problem. The article is right that fragmented inventories and manual questionnaires leave blind spots, but the deeper issue is that access created for a vendor often behaves like an unmanaged identity over time. When the lifecycle is not tied to owner, purpose, expiry, and revocation, the enterprise cannot prove who still has access. Practitioners should govern third-party relationships as living identity objects, not static records.

Lifecycle-wide assurance is the named control gap this article exposes. Point-in-time due diligence can tell you whether a vendor was acceptable at onboarding, but it cannot tell you whether the relationship is still safe after infrastructure changes, posture drift, or contract termination. That creates a lifecycle assurance gap in which approval evidence and operational reality diverge. Practitioners should measure assurance continuously across the full relationship, not only at intake and renewal.

Residual access is the failure mode that matters most at offboarding. The article correctly notes that access can persist after the relationship ends, and that is where third-party risk becomes a governance failure with identity consequences. Orphaned access, unattended integrations, and unrevoked machine credentials create long-tail exposure that spreadsheets rarely capture. Practitioners should treat offboarding as a credential and access closure process, not a contract administration step.

Agentic AI can reduce vendor risk only if it is constrained by defensible identity data. Automated evidence collection and criteria-based review may improve consistency, but agentic systems still depend on the quality of the underlying inventories, access records, and policy definitions. If those inputs are fragmented, automation simply scales inconsistency faster. Practitioners should use automation to enforce lifecycle controls, not to conceal missing ownership or incomplete offboarding.

Third-party governance now overlaps with NHI governance wherever vendors use machine credentials. The article’s focus on access, monitoring, and offboarding maps directly to service accounts, API keys, tokens, and certificates that belong to vendors or integrations. That is the boundary where vendor risk and non-human identity risk converge. Practitioners should include vendor-issued machine credentials in the same governance model they use for internal NHIs.

What this signals

Lifecycle assurance debt: as vendor ecosystems grow, the gap between approved access and current access becomes a standing governance liability. Security teams should expect this to show up first in stale approvals, missing ownership, and unclear offboarding evidence, especially where vendor integrations depend on machine credentials.

If your third-party programme cannot tell you which vendor credentials are live today, it is already operating with blind trust. The practical response is to unify procurement records, access records, and offboarding records so that security review can follow the relationship instead of chasing spreadsheets.

Use the https://nhimg.org/nhi-lifecycle-management-guide discipline where third-party credentials behave like NHIs. That is the point where vendor risk management and identity governance stop being adjacent functions and become the same control surface.


For practitioners

  • Map every vendor to a live access inventory Build a current inventory of vendor relationships, integrations, and machine credentials so security, procurement, and legal work from the same source of truth. Include service accounts, API keys, OAuth grants, certificates, and any delegated access path used by the vendor.
  • Tie onboarding approval to explicit control ownership Require each approved vendor relationship to record the control owner, business owner, data scope, expiry condition, and revocation trigger before access is granted. If any field is missing, the vendor should not be treated as fully onboarded.
  • Replace annual review with continuous evidence checks Track changes in vendor posture, dependency scope, and incident signals throughout the contract period rather than waiting for a yearly questionnaire cycle. Use those signals to reopen risk decisions when conditions change.
  • Formalise offboarding as access closure Make termination a mandatory closure workflow that revokes human and machine access, removes integrations, confirms token invalidation, and verifies that no orphaned dependencies remain in production or test systems.
  • Bring vendor machine credentials into NHI governance Classify vendor-held or vendor-issued secrets under the same lifecycle controls used for internal non-human identities, including inventory, rotation, owner assignment, and revocation. This is where third-party risk and NHI risk converge.

Key takeaways

  • Vendor lifecycle fragmentation is an identity governance failure because access objects, not just contracts, determine residual exposure.
  • The scale problem is real: organisations manage hundreds of SaaS applications and third-party involvement now appears in a substantial share of breaches.
  • Security teams should shift from annual vendor review to continuous lifecycle evidence, with offboarding treated as access closure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Vendor credentials and residual access map directly to unmanaged NHI inventory risk.
NIST CSF 2.0PR.AC-1Lifecycle access governance aligns with access control and identity management outcomes.
NIST SP 800-53 Rev 5IA-5Credential management is central when vendors use secrets, tokens, or certificates.
CIS Controls v8CIS-5 , Account ManagementVendor access persistence is fundamentally an account management problem.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThird-party access abuse often leads from credential use to data exposure.

Map vendor access risk to credential access and exfiltration paths to prioritise monitoring.


Key terms

  • Vendor Lifecycle Visibility: Vendor lifecycle visibility is the ability to see a third-party relationship from intake through termination with enough context to govern access, risk, and evidence. It joins procurement, security, legal, and operations data so organisations can understand what access exists, who owns it, and whether it should still be active.
  • Residual Access: Residual access is any permission, integration, credential, or dependency that remains in place after the business need for it has ended. In third-party governance, it is one of the most important failure modes because it turns a closed contract into an open security path.
  • Non-Human Identity: A non-human identity is a machine or software identity used by services, integrations, workloads, bots, or AI systems to authenticate and access resources. It is governed like an identity object because it can be granted privilege, accumulate trust, and become a breach path when it is unmanaged.

What's in the full article

Drata's full article covers the operational detail this post intentionally leaves for the source:

  • The stage-by-stage vendor lifecycle model from intake through offboarding, including the operational questions used at each step.
  • The manual workflow pain points across security questionnaires, procurement handoffs, and audit evidence collection.
  • The article's agentic AI workflow concept for unifying vendor data and criteria-based review at scale.
  • The specific governance benefits Drata associates with executive alignment, continuous monitoring, and defensible audit narratives.

👉 Drata's full article covers lifecycle breakdown points, operational inefficiencies, and offboarding exposure in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It is designed for practitioners who need to connect identity controls to operational governance across human and non-human access.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org