Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Third-party risk governance: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Third-party breaches now account for 30% of incidents in Verizon’s 2025 DBIR, while SecurityScorecard says 35.5% of breaches are linked to third-party access, showing that vendor ecosystems have become a primary attack path, according to Secureframe’s compiled statistics. The governance problem is no longer assessment volume alone but whether risk controls can see beyond direct vendors into the nth-party chain.

NHIMG editorial — based on content published by Secureframe: 100+ Essential Third-Party Risk Statistics and Trends [2026 Update]

By the numbers:

Questions worth separating out

Q: What breaks when third-party risk management does not cover external identities?

A: When third-party risk management ignores external identities, organisations lose control over who can actually authenticate, what they can access, and when that access should end.

Q: Why do third-party relationships create identity and access risk?

A: Third-party relationships create identity risk because external parties often receive real credentials or delegated access into sensitive systems.

Q: How do organisations know if their TPRM programme is actually working?

A: A TPRM programme is working when it can show current vendor inventory, current access scope, timely remediation, and reliable offboarding.

Practitioner guidance

  • Map third-party access to real identities and privileges Inventory every vendor, integration, service account, token, and API credential that can touch sensitive systems or data.
  • Extend governance to fourth-party and nth-party dependencies Require critical suppliers to disclose downstream processors, hosting providers, and embedded services, then validate those claims with evidence rather than contract language alone.
  • Measure TPRM maturity by control outcomes Track whether the program can actually block risky vendors, require compensating controls, and terminate access when needed.

What's in the full report

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • The full benchmark set across breach rates, staffing, maturity, assessment, monitoring, and automation trends.
  • The vendor-by-vendor statistic breakdown behind questionnaire use, tool adoption, and monitoring gaps.
  • The detailed TPRM best-practice and maturity sections for teams comparing their own program structure.
  • The specific third-party and nth-party figures that support board reporting and internal benchmarking.

👉 Read Secureframe’s 2026 third-party risk statistics and trends roundup →

Third-party risk governance: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Third-party risk is now identity governance by another name. The article’s statistics show that vendor relationships are no longer just business dependencies, they are access dependencies. When external parties authenticate, sync data, or operate through API keys and tokens, IAM and PAM controls become part of the TPRM program. Practitioners should treat third-party access as a governed identity lifecycle, not a one-time assessment artifact.

A question worth separating out:

Q: Who is accountable when a third-party incident occurs?

A: Accountability should be shared but explicit. The business owner, security team, procurement, and legal function each have a role, but the policy must name who receives the incident report, who approves escalation, and who owns remediation follow-through. Without that structure, vendors can report events without anyone taking operational control.

👉 Read our full editorial: Third-party risk is shifting from vendor review to ecosystem governance



   
ReplyQuote
Share: