
Non-employee identity verification: where does 98% still fail?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Near-certainty verification for contractors, vendors, and partners still leaves meaningful exposure at enterprise scale, especially as deepfakes and weaker vetting make impersonation easier, according to SailPoint. The operational problem is not onboarding speed, but whether identity assurance is strong enough to withstand third-party access, audit pressure, and fraud.

NHIMG editorial — based on content published by SailPoint: Beyond 98%: Achieving certainty in non-employee identity security

By the numbers:

Questions worth separating out

Q: How should security teams verify non-employee identities before granting access?

A: Security teams should set verification requirements based on the sensitivity of the access, not on a single corporate standard.

Q: When does near-certainty in identity verification become too risky?

A: Near-certainty becomes too risky when the residual failure rate is multiplied across large numbers of non-employee identities or sensitive systems.

Q: What do organisations get wrong about non-employee identity assurance?

A: Many organisations treat onboarding proofing as a one-time validation event instead of a lifecycle control.

Practitioner guidance

  • Set assurance thresholds by access sensitivity: define different identity proofing requirements for low-risk, standard, and privileged non-employee access.
  • Tie proofing strength to sponsor accountability: make the business sponsor responsible for confirming that the proofing level matches the access request.
  • Reassess third-party onboarding against impersonation risk: review whether current checks still stand up when deepfake-style deception is added to the threat model.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How SailPoint's non-employee risk management workflow handles identity verification at onboarding.
  • The specific acceptance-criteria model for choosing which digital credentials are trusted.
  • Provider integration options that support existing security and compliance requirements.
  • User-experience considerations for reducing friction while raising assurance.

👉 Read SailPoint's blog on non-employee identity certainty and verification risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Near-certainty is not a governance model: The article exposes the false premise that a 98% verification rate is sufficient for non-employee access. That assumption fails because identity risk is multiplicative at scale, and even a small residual error rate becomes operationally meaningful across contractors, vendors, and partners. The implication is that assurance thresholds must be tied to exposure, not marketed as broadly acceptable.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts with incomplete inventory rather than complete control.

A question worth separating out:

Q: Who is accountable when a contractor or vendor is misidentified?

A: Accountability usually sits with the organisation that granted access, even if a third-party provider handled part of the verification process. Security, IAM, and business sponsors all need defined roles so that the trust decision is traceable and reviewable after the fact.

👉 Read our full editorial: Non-employee identity certainty is still a governance problem
