Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Third-party risk and shadow AI: what CISOs should re-evaluate


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Third-party dependencies now account for over 35% of data breaches and more than 40% of ransomware starts, according to SecurityScorecard, while AI and shadow AI are lowering attacker effort and widening exposure across enterprise workflows. The governance challenge is no longer internal control alone, but visibility and accountability across the extended digital supply chain.

NHIMG editorial — based on content published by SecurityScorecard: Dr. Aleksandr Yampolskiy on how AI and third-party risks are redefining the CISO's role

By the numbers:

Questions worth separating out

Q: What breaks when third-party access is treated as separate from identity governance?

A: Security teams lose visibility into who can still authenticate, what they can reach, and whether access was ever removed when the relationship changed.

Q: Why does shadow AI create governance risk even when users are not malicious?

A: Because users can move sensitive data into tools the organisation cannot inventory, monitor, or revoke.

Q: How do organisations know if third-party risk controls are actually working?

A: Look for evidence that external access is inventoried, time-bound, and removed promptly when no longer needed.

Practitioner guidance

  • Inventory external trust paths Document every vendor, partner, and supplier connection that can authenticate into systems, exchange data, or trigger privileged actions.
  • Separate approved AI use from shadow AI Publish clear rules for sanctioned AI tools, then block or monitor unsanctioned services that can receive confidential content.
  • Tighten verification for high-risk requests Require stronger confirmation for payment changes, access grants, supplier onboarding, and executive instructions.

What's in the full article

SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:

  • The panel discussion on how CISOs should communicate risk to boards and audit committees.
  • The full third-party risk commentary behind the 35% breach and 40% ransomware figures.
  • SecurityScorecard's perspective on shadow AI, deepfakes, and the operational impact on enterprise security programmes.
  • The closing remarks on trusted KPIs and how organisations can benchmark cyber exposure across their ecosystem.

👉 Read SecurityScorecard's analysis of third-party risk, shadow AI, and the CISO role →

Third-party risk and shadow AI: what CISOs should re-evaluate?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Third-party risk has become an identity governance problem, not just a procurement problem. Security teams often treat supplier risk as a questionnaire and scorecard exercise, but the real control issue is who can authenticate, authorise, and move data through trusted relationships. That is where access governance, credential lifecycle management, and third-party offboarding matter most. Practitioners should treat external access as part of the identity perimeter, not an exception to it.

A question worth separating out:

Q: Who is accountable when AI-assisted impersonation or supplier abuse causes an incident?

A: Accountability sits with the security leadership, the business owner of the relationship, and the teams responsible for identity, access, and vendor oversight. Frameworks such as NIST CSF and NIST SP 800-53 expect clear ownership of risk, not shared ambiguity. Boards should demand exposure reporting, not just activity metrics.

👉 Read our full editorial: Third-party and AI risk are reshaping the CISO mandate



   
ReplyQuote
Share: