TL;DR: Supply chain risk now extends through vendors, vendors’ vendors, and shadow AI, with SecurityScorecard’s CEO warning that a small cluster of providers supports a large share of the global attack surface. Compliance alone no longer maps to resilience, and continuous monitoring plus objective cyber KPIs are becoming central to systemic risk management.
NHIMG editorial — based on content published by SecurityScorecard: the Cyber Focus podcast discussion on third-, fourth-, and fifth-party risk
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should security teams govern third-party access in identity programs?
A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process.
Q: Why do shadow AI tools create identity governance risk?
A: Shadow AI is risky because users often reach those tools through identities, browser sessions, or tokens that were never assessed for data handling or access scope.
Q: What breaks when supplier visibility stops at the first tier?
A: Security teams lose sight of the systems and services that vendors themselves depend on, which is where many cascading failures emerge.
Practitioner guidance
- Inventory indirect trust chains Build a living map of third-, fourth-, and fifth-party dependencies, including the systems, connectors, and business processes those parties can reach.
- Classify shadow AI as an access risk Require discovery, approval, and revocation controls for any AI tool that can ingest enterprise data or connect to sanctioned systems.
- Measure supplier control effectiveness continuously Track metrics such as mean time to revoke external access, percentage of suppliers with validated monitoring evidence, and number of dormant integrations still active.
What's in the full article
SecurityScorecard's full podcast coverage leaves the operational detail for the source:
- How SecurityScorecard suggests measuring third-, fourth-, and fifth-party exposure with objective cyber KPIs
- Discussion of continuous monitoring practices for supplier ecosystems and how they support resilience reporting
- The podcast's broader commentary on compliance versus security, including the audit gap that leaves risk hidden
- Practical examples of how organisations can improve collaboration with suppliers when trust chains are difficult to see
👉 Listen to SecurityScorecard's podcast analysis of third-, fourth-, and fifth-party risk →
Third-party risk, shadow AI, and the governance gap teams are missing?
Explore further
Third-party risk is now an identity problem, not just a procurement problem. When external services can reach production systems, data stores, and AI workflows, the governance question is who or what is allowed to act on behalf of the enterprise. That makes inherited access, delegated trust, and third-party lifecycle control part of IAM and NHI governance rather than a separate vendor-risk exercise. Practitioners should treat external identity pathways as first-class control objects.
A question worth separating out:
Q: Who is accountable when external access is left active after a supplier relationship changes?
A: Accountability should sit with the business owner of the relationship, the IAM or NHI control owner, and the security function that validates removal. External access must be governed as lifecycle data, not a one-time approval. Without that shared accountability, dormant tokens and third-party accounts tend to survive long after the business need ends.
👉 Read our full editorial: Third-, fourth- and fifth-party risk is reshaping cyber exposure