
Supply chain attacks and identity controls: what teams are missing


(@saviynt)
Estimable Member
Joined: 8 months ago
Posts: 78
Topic starter

TL;DR: Third-party compromise remains a practical route into enterprise environments, and the Sisense breach example underscores how supply chain exposure can cascade into identity and data risk, according to Saviynt. The lesson is that governance must extend beyond direct systems of record to the external services and credentials that can reach them.

NHIMG editorial — based on content published by Saviynt covering the Sisense breach and supply chain attack risk

Questions worth separating out

Q: How should security teams govern third-party access in identity programs?

A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process.

Q: Why do supply chain attacks matter to NHI governance?

A: Because many supply chain compromises succeed through non-human identities, such as integrations, tokens, and service accounts, rather than through a user login.

Q: What is the difference between third-party risk management and NHI governance?

A: Third-party risk management asks whether a supplier should be trusted at all, while NHI governance asks how that trust is technically expressed and constrained.

Practitioner guidance

  • Inventory every external trust path: Build a register of vendors, integrations, service accounts, and delegated tokens that can reach sensitive systems.
  • Shorten the lifetime of supplier credentials: Replace long-lived API keys and shared secrets with short-duration credentials where possible, and rotate any remaining secrets on a fixed schedule tied to business need.
  • Test revocation before an incident forces it: Run exercises that remove access from a third-party integration and verify that applications, pipelines, and support processes fail closed rather than silently retaining access.

The organisations that can answer that question fastest will be better positioned to absorb supply chain incidents without losing control of the downstream environment.

👉 Read Saviynt's coverage of the Sisense supply chain breach →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624

Supply chain risk is now an identity governance problem, not a vendor management sidebar. The operational reality is that external services often hold the same practical authority as internal accounts. That means IAM and NHI programmes have to govern trust boundaries, not just credentials. Practitioners should treat third-party access as a living identity relationship, not a procurement artifact.

A few things that frame the scale:

A question worth separating out:

Q: How can teams reduce blast radius from vendor integrations?

A: Limit each integration to the smallest viable scope, give it a short validity window, and attach an explicit owner who can revoke it quickly. Then test what happens when the integration is disabled so you know whether dependent systems fail safely. Those steps make blast radius measurable and controllable.

👉 Read our full editorial: Supply chain attacks are exposing the limits of identity controls
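An added example, not part of either post or of Saviynt's material, that serves both the topic starter's practitioner guidance (register, credential lifetime, revocation test) and the moderator's blast-radius answer (smallest scope, short validity window, explicit owner, disable-and-observe). It models a register of external trust paths, a review that flags ownerless, non-expiring, over-policy or over-scoped entries, and a revocation drill against a deny-by-default authorizer; the 90-day ceiling, entry names and scopes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # assumed policy ceiling for supplier credentials

@dataclass  # one external trust path: vendor integration, service account or delegated token
class ExternalIdentity:
    name: str
    owner: "str | None"          # accountable person who can revoke; None is a finding
    granted: "frozenset[str]"    # scopes the credential actually holds
    required: "frozenset[str]"   # scopes the integration demonstrably needs
    issued: datetime
    expires: "datetime | None"   # None means a non-expiring secret
    revoked: bool = False

def review(register, now):
    # Governance findings per identity; an empty list means the entry passes.
    findings = {}
    for ident in register:
        issues = []
        if ident.owner is None:
            issues.append("no-owner")
        if ident.expires is None:
            issues.append("no-expiry")
        elif ident.expires - ident.issued > MAX_LIFETIME:
            issues.append("lifetime-exceeds-policy")
        if excess := ident.granted - ident.required:
            issues.append("over-scoped:" + ",".join(sorted(excess)))
        findings[ident.name] = issues
    return findings

def authorize(ident, scope, now):
    # Deny by default: a revoked or expired credential never passes, whatever scope it held.
    expired = ident.expires is not None and ident.expires <= now
    return not (ident.revoked or expired) and scope in ident.granted

def revocation_drill(ident, now):
    # Revoke, then confirm every scope fails closed: the exercise the guidance asks for.
    ident.revoked = True
    return all(not authorize(ident, s, now) for s in ident.granted)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed review time
REGISTER = [  # constructed sample register; names and scopes are illustrative
    ExternalIdentity("analytics-vendor", "data-platform-owner",
                     frozenset({"read:metrics", "read:customers"}), frozenset({"read:metrics"}),
                     NOW - timedelta(days=10), NOW + timedelta(days=20)),
    ExternalIdentity("legacy-ticket-sync", None, frozenset({"read:tickets"}),
                     frozenset({"read:tickets"}), NOW - timedelta(days=400), None),
]
```

Running `review(REGISTER, NOW)` reports the over-granted scope on the vendor entry and the missing owner and expiry on the legacy sync; `revocation_drill` then proves the vendor entry is denied everywhere once revoked.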
