TL;DR: Manufacturers face expanding third-party access risk as attackers exploit shared vendor credentials, weak oversight, and broad permissions, with 47% of organisations reporting a vendor-driven attack in the past year according to Imprivata and Ponemon Institute. The core issue is that traditional PAM assumes internal trust boundaries that vendor access does not have.
NHIMG editorial — based on content published by Imprivata: securing third-party access in manufacturing with vendor privileged access management
By the numbers:
Questions worth separating out
Q: How should manufacturers govern third-party privileged access?
A: Manufacturers should govern third-party privileged access with task-specific entitlements, named accounts, delegated approval, and session recording.
Q: Why do shared vendor credentials increase risk in manufacturing environments?
A: Shared vendor credentials increase risk because they destroy accountability and make it impossible to know which person used the access at any moment.
Q: What breaks when organisations extend internal PAM to external vendors?
A: What breaks is the assumption that the enterprise controls the full identity lifecycle.
Practitioner guidance
- Build a complete vendor access inventory: identify every external party with access to production, OT, or sensitive engineering systems, including subcontractors and legacy accounts that may no longer be actively managed.
- Replace shared vendor credentials with named access paths: eliminate account sharing inside supplier teams and require individually attributable access with approvals, so activity can be traced back to a specific person and task.
- Enforce task-specific and time-bound vendor access: limit each external session to the minimum systems and duration required for the job, then revoke access as soon as the maintenance or support task ends.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The four vendor PAM shortcomings the vendor uses to frame the manufacturing access problem.
- The vendor access workflow elements, including self-registration, delegated approvals, and routing logic.
- The practical checklist for identifying vendor inventory, auditing access points, and tiering controls by risk level.
- The article's manufacturing-specific examples of how vendor privileged access supports uptime, compliance, and production resilience.
Third-party access in manufacturing: what IAM teams are missing?
Explore further
Vendor access is not a PAM variant; it is a separate governance problem. Traditional PAM assumes the organisation owns the identity lifecycle, the endpoint, and the approval chain. That assumption fails when the subject is a vendor account used by external staff the enterprise does not manage. The implication is that manufacturers need a distinct governance model for external privileged access, not a repackaged internal one.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable for vendor access failures in manufacturing?
A: Accountability should sit with the organisation that granted the access and owns the systems being accessed, even when a vendor is the user. If third-party access is not inventoried, approved, and reviewed, the failure is a governance failure, not just a vendor issue. Manufacturing teams should map accountability to each access path and review it as part of privileged access governance.