TL;DR: Third-party and supply chain incidents continue to expose identity data, access paths, and connected systems, with Saviynt’s roundup pointing to recurring failures in delegated trust, exposed credentials, and weak control over external dependencies. The security issue is not isolated compromise but unmanaged identity reach across partner ecosystems.
NHIMG editorial — based on content published by Saviynt: Sisense breach highlights rise in major supply chain attacks
By the numbers:
- On 2025-04-15, Cisco said a hacker breached its multifactor authentication message provider on April 1, showing how a supplier can become an identity-related entry point.
- On 2025-04-09, Home Depot said a third-party SaaS misconfiguration contributed to a data breach, reinforcing how partner-side controls can create exposure.
Questions worth separating out
Q: How should security teams govern third-party identity access?
A: Security teams should inventory every external identity path, assign an internal owner, and apply scope, expiry, and revocation rules to each connection.
Q: What is the difference between vendor risk management and identity governance?
A: Vendor risk management asks whether a supplier is acceptable overall.
Q: When does a third-party integration become a security liability?
A: A third-party integration becomes a liability when it can store, forward, or validate secrets without tight scoping and regular review.
Practitioner guidance
- Map external identity dependencies end to end: document every supplier, SaaS app, and support workflow that can issue, relay, or validate credentials, then assign an internal owner for each path.
- Review delegated access on a fixed cadence: re-certify partner privileges, service accounts, and tokens on a schedule that reflects business risk, not contract renewal cycles.
- Shorten the lifetime of shared secrets: replace standing credentials with scoped, expiring access wherever possible, and track rotation exceptions as governance defects.
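One way to turn the three items above into a repeatable check, as an added example that is not from the NHIMG editorial or from Saviynt: a small Python audit over a constructed inventory of external identity paths (path names, owner names and policy thresholds are hypothetical) that flags the governance defects the guidance describes: missing owner, wildcard scope, missing or over-long expiry, standing credentials, overdue re-certification, and overdue rotation.

```python
from datetime import date, timedelta

# Constructed inventory of external identity paths (hypothetical names).
# Each record holds the fields the guidance above asks for: an internal owner,
# a scope, an expiry, the last re-certification and the last secret rotation.
INVENTORY = [
    {"path": "mfa-sms-provider", "owner": "iam-team", "scope": ["otp:send"],
     "expires": date(2025, 6, 1), "recertified": date(2025, 3, 1),
     "rotated": date(2025, 3, 1), "standing": False},
    {"path": "partner-api-token", "owner": "platform-team", "scope": ["orders:read"],
     "expires": date(2026, 4, 15), "recertified": date(2025, 4, 1),
     "rotated": date(2025, 1, 1), "standing": False},
    {"path": "support-saas-app", "owner": None, "scope": ["*"],
     "expires": None, "recertified": date(2024, 6, 1),
     "rotated": date(2024, 1, 1), "standing": True},
]

# Hypothetical policy: maximum credential lifetime, re-certification cadence
# and rotation cadence, all in days. The audit date is constructed as well.
POLICY = {"max_lifetime_days": 90, "recert_days": 90, "rotation_days": 90}
AS_OF = date(2025, 4, 15)


def audit_path(rec, today, policy=POLICY):
    """Return the governance defects found on one external identity path."""
    defects = []
    if not rec["owner"]:
        defects.append("no-owner")             # nobody is accountable for the path
    if "*" in rec["scope"]:
        defects.append("unscoped")             # wildcard scope, no least privilege
    if rec["expires"] is None:
        defects.append("no-expiry")            # standing trust with no end date
    elif rec["expires"] - today > timedelta(days=policy["max_lifetime_days"]):
        defects.append("expiry-too-long")
    if rec["standing"]:
        defects.append("standing-credential")  # a long-lived shared secret
    if today - rec["recertified"] > timedelta(days=policy["recert_days"]):
        defects.append("recert-overdue")
    if today - rec["rotated"] > timedelta(days=policy["rotation_days"]):
        defects.append("rotation-overdue")     # rotation exception = governance defect
    return defects


def audit_inventory(inventory, today, policy=POLICY):
    """Map each path to its defect list; an empty list means the path is compliant."""
    return {rec["path"]: audit_path(rec, today, policy) for rec in inventory}


if __name__ == "__main__":
    for path, defects in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{path}: {', '.join(defects) or 'compliant'}")
```

Feeding the real inventory into this shape gives each path an owner, a scope and a date to re-certify against, which is what turns a contract-level vendor review into a per-path identity control.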
When a partner can touch secrets, session data, or authentication workflows, the relationship needs the same lifecycle controls as an internal NHI.
Third-party compromise is now an identity governance issue, not a vendor management issue. Modern enterprises rely on external systems to store, validate, or forward authentication data, which means breach containment depends on identity controls that extend beyond the perimeter. Procurement checks do not address standing trust, and contracts do not reduce token exposure. Practitioners should treat every external trust relationship as an identity control with an owner, scope, and expiry.
A few things that frame the scale:
- The average organisation believes that more than 1 in 5 of its non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Why do supply chain breaches matter to NHI programs?
A: Supply chain breaches matter because many partner connections rely on non-human identities such as API keys, tokens, certificates, and service accounts. If those identities are broad or persistent, a supplier compromise can expose more than one system. NHI programs are responsible for shrinking that trust surface before attackers exploit it.