Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MaRisk outsourcing governance: are your identity controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: MaRisk and DORA together push German financial institutions to prove that outsourced IT and cloud services remain governable through strong identity, access, and audit controls, with AT 9 placing access rights, sub-outsourcing, and exit scenarios under scrutiny according to Imprivata. The real issue is not documentation volume but whether governance can still constrain privileged access, trace accountability, and keep control after outsourcing expands.

NHIMG editorial — based on content published by Imprivata: MaRisk and DORA outsourcing governance with identity controls

Questions worth separating out

Q: What breaks when outsourced access is not tied to identity lifecycle management?

A: The control model breaks first, because the institution can no longer prove that access follows the contract lifecycle.

Q: Why do MaRisk and DORA make privileged access a governance issue?

A: Because privileged access is where delegated responsibility becomes operational power.

Q: How should banks measure whether outsourcing controls are actually working?

A: They should measure the gap between registered outsourcing relationships and the identities still able to act inside the environment.

Practitioner guidance

  • Reconcile outsourced services to live identities Inventory every privileged account, service account, API key, and certificate tied to outsourced functions, then map each one to a business owner and termination path.
  • Tie access reviews to outsourcing criticality Increase review frequency and evidence depth for critical and important functions, and require reviewers to confirm current access, not just contract status.
  • Test exit and revocation before renewal Run exit exercises that remove provider access from production, validate revocation of delegated credentials, and confirm the service still meets recovery expectations.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • BaFin and Bundesbank references for the MaRisk lifecycle and supervisory context
  • Practical notes on AT 9, AT 8.1, and AT 8.2 as they relate to outsourcing and change control
  • The article's treatment of DORA, including why identity controls sit inside the broader resilience regime
  • Examples of audit-ready identity and access controls in regulated outsourcing programmes

👉 Read Imprivata's analysis of MaRisk, DORA, and identity controls in outsourcing →

MaRisk outsourcing governance: are your identity controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AT 9 outsourcing governance is really a control-of-access problem disguised as a contract problem. The article is right to emphasise steering ability, but the exam question is whether outsourced activity remains governable once access leaves the institution. That is why identity, privileged access, and audit evidence become the operational proof of MaRisk compliance. Practitioners should treat every outsourcing relationship as an identity governance boundary, not just a vendor-management entry.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a third party retains access after offboarding?

A: Accountability remains with the institution that owns the outsourcing relationship, even if the third party still holds the credentials. MaRisk places governance responsibility on the regulated entity, so offboarding failures are control failures for the bank or insurer, not a reason to defer responsibility to the provider.

👉 Read our full editorial: MaRisk and DORA make identity controls central to outsourcing governance



   
ReplyQuote
Share: