Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Vendor lifecycle visibility gaps: what security teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Third-party involvement appeared in 30% of breaches in the 2025 DBIR, up from 15% the year before, while the average company now manages 305 SaaS applications and often tracks them with spreadsheets and manual reviews, according to Zylo and Verizon. Lifecycle-wide visibility, not point-in-time questionnaires, is now the control that determines whether vendor risk stays bounded or becomes persistent.

NHIMG editorial — based on content published by Drata: vendor lifecycle visibility gaps and third-party risk

By the numbers:

Questions worth separating out

Q: How should security teams govern vendor access across the full lifecycle?

A: Security teams should govern vendor access as a lifecycle control problem, not as a one-time approval.

Q: Why do third-party relationships often become identity risks?

A: Third-party relationships become identity risks because vendors are frequently granted service accounts, tokens, API keys, or delegated permissions that outlive the decision to use them.

Q: What breaks when vendor offboarding is treated as a paperwork task?

A: When offboarding is treated as paperwork, access often remains active after the contract ends.

Practitioner guidance

  • Map every vendor to a live access inventory Build a current inventory of vendor relationships, integrations, and machine credentials so security, procurement, and legal work from the same source of truth.
  • Tie onboarding approval to explicit control ownership Require each approved vendor relationship to record the control owner, business owner, data scope, expiry condition, and revocation trigger before access is granted.
  • Replace annual review with continuous evidence checks Track changes in vendor posture, dependency scope, and incident signals throughout the contract period rather than waiting for a yearly questionnaire cycle.

What's in the full article

Drata's full article covers the operational detail this post intentionally leaves for the source:

  • The stage-by-stage vendor lifecycle model from intake through offboarding, including the operational questions used at each step.
  • The manual workflow pain points across security questionnaires, procurement handoffs, and audit evidence collection.
  • The article's agentic AI workflow concept for unifying vendor data and criteria-based review at scale.
  • The specific governance benefits Drata associates with executive alignment, continuous monitoring, and defensible audit narratives.

👉 Read Drata's analysis of vendor lifecycle visibility gaps and third-party risk →

Vendor lifecycle visibility gaps: what security teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Vendor lifecycle visibility has become an identity governance problem, not just a procurement problem. The article is right that fragmented inventories and manual questionnaires leave blind spots, but the deeper issue is that access created for a vendor often behaves like an unmanaged identity over time. When the lifecycle is not tied to owner, purpose, expiry, and revocation, the enterprise cannot prove who still has access. Practitioners should govern third-party relationships as living identity objects, not static records.

A question worth separating out:

Q: Which frameworks help organisations measure vendor lifecycle risk?

A: NIST Cybersecurity Framework 2.0 helps structure governance and continuous risk management, while OWASP Non-Human Identity Top 10 is useful when vendor access includes service accounts, keys, or tokens. Organisations should use both to connect lifecycle oversight with access control, revocation, and monitoring.

👉 Read our full editorial: Vendor lifecycle visibility gaps are expanding third-party risk



   
ReplyQuote
Share: