TL;DR: Third-party access remains a common breach path because many organisations still rely on shared accounts, weak MFA, broad vendor permissions, and inconsistent offboarding, according to Imprivata’s analysis of Change Healthcare, Target, and current access patterns. The core problem is not just access sprawl but governance that assumes vendor identities are stable, observable, and easy to re-certify.
NHIMG editorial — based on content published by Imprivata: third-party access management, breach lessons, and best practices for reducing vendor access risk
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected).
Questions worth separating out
Q: How should security teams manage third-party access without creating vendor friction?
A: Start by assigning a single owner for every vendor relationship, then scope access to specific systems, tasks, and expiry dates.
Q: Why do vendor accounts create higher breach risk than internal user accounts?
A: Vendor accounts often combine external connectivity, broad permissions, and weaker lifecycle oversight, which makes them attractive to attackers and hard to govern.
Q: What breaks when third-party access reviews are handled manually?
A: Manual reviews fail when they depend on people remembering contract status, usage history, and offboarding steps.
Practitioner guidance
- Map every vendor identity to a named business owner. Create a living inventory of each third-party user, what systems they can reach, and which internal owner approves that access.
- Replace shared vendor logins with unique named accounts. Require a distinct identity for each external worker so approvals, logs, and offboarding remain traceable.
- Enforce phishing-resistant MFA and session checks. Combine strong MFA with device posture, conditional access, and session monitoring so valid credentials are not enough on their own.
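The three guidance points above, plus the earlier answer about manual reviews failing when they depend on people remembering contract status, usage history, and offboarding, come down to checks that can be run mechanically over a vendor identity inventory. The following is an added illustration, not code from Imprivata or NHIMG: it encodes each control (named owner, one person per account, scoped systems, expiry, phishing-resistant MFA, recent use, and no credential held by an offboarded person) as a review rule and runs it over a small constructed inventory. The record layout, field names, the 90-day dormancy threshold, and the sample accounts are all assumptions made for this example.

```python
"""Automated third-party access review over a vendor identity inventory.

Added illustration (not Imprivata's or NHIMG's code). The record format,
field names and thresholds are assumptions chosen for this example, and the
sample records at the bottom are constructed, not real vendor data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class VendorIdentity:
    """One third-party account as it would appear in an access inventory (assumed schema)."""
    account: str
    vendor: str
    owner: str | None            # named internal business owner; None = nobody owns it
    users: list[str]             # people who hold the credential; more than one = shared login
    systems: list[str]           # systems the account is scoped to; empty = unbounded
    expires: date | None         # contract / access expiry; None = open-ended access
    mfa: str                     # "none", "otp" (phishable) or "fido2" (phishing-resistant)
    last_used: date | None       # last successful session; None = never used
    offboarded_users: list[str] = field(default_factory=list)  # people the vendor reports as having left


def review(ident: VendorIdentity, today: date, dormant_days: int = 90) -> list[str]:
    """Return a list of findings for one account; an empty list means it passes every check."""
    findings = []
    if ident.owner is None:
        findings.append("no named business owner")
    if len(ident.users) > 1:
        findings.append(f"shared login held by {len(ident.users)} people")
    if not ident.systems:
        findings.append("no scoped systems (access not bounded)")
    if ident.expires is None:
        findings.append("no expiry date")
    elif ident.expires < today:
        findings.append(f"access expired on {ident.expires.isoformat()} but account still active")
    if ident.mfa != "fido2":
        findings.append(f"MFA is '{ident.mfa}', not phishing-resistant")
    if ident.last_used is None or (today - ident.last_used).days > dormant_days:
        findings.append(f"dormant for more than {dormant_days} days")
    leavers = sorted(set(ident.users) & set(ident.offboarded_users))
    if leavers:
        findings.append("credential still held by offboarded user(s): " + ", ".join(leavers))
    return findings


def run_review(inventory: list[VendorIdentity], today: date, dormant_days: int = 90) -> dict[str, list[str]]:
    """Map each failing account name to its findings; accounts with no findings are omitted."""
    results = {}
    for ident in inventory:
        findings = review(ident, today, dormant_days)
        if findings:
            results[ident.account] = findings
    return results


# Constructed sample inventory and review date (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    # Well-governed account: owner, single user, scoped, dated, FIDO2, recently used.
    VendorIdentity("svc-imaging-vendor", "ImagingCo", owner="r.patel", users=["j.lee"],
                   systems=["PACS"], expires=date(2025, 12, 31), mfa="fido2",
                   last_used=date(2025, 5, 28)),
    # Shared, unowned, open-ended login with phishable MFA, idle since January,
    # and one of its holders has already left the vendor.
    VendorIdentity("vendor-shared", "HVACCo", owner=None, users=["a.kim", "b.ortiz", "c.wu"],
                   systems=["BMS"], expires=None, mfa="otp", last_used=date(2025, 1, 10),
                   offboarded_users=["b.ortiz"]),
    # Otherwise clean account whose contract expiry has passed but was never revoked.
    VendorIdentity("billing-contractor", "BillCo", owner="m.garcia", users=["d.ng"],
                   systems=["ERP"], expires=date(2025, 3, 31), mfa="fido2",
                   last_used=date(2025, 5, 30)),
]

if __name__ == "__main__":
    for account, findings in run_review(SAMPLE_INVENTORY, TODAY).items():
        print(account)
        for item in findings:
            print("  -", item)
```

Running it lists only the two failing accounts: the shared HVAC login trips every rule at once, and the billing contractor is caught solely on the expiry rule, which is exactly the case a person-dependent review tends to miss because the account is still in daily use.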
What's in the full article
Imprivata's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step third-party access management controls for healthcare, manufacturing, and financial services environments.
- Specific examples of how Zero Standing Privilege changes vendor approval and revocation workflows.
- Operational guidance on logging vendor sessions, access events, and privileged changes for incident response.
- The article's discussion of AI-driven phishing and token theft trends that pressure current identity controls.
👉 Read Imprivata's analysis of third-party access management and breach risk →
Third-party access management: what IAM teams need to fix now?
Explore further
Third-party access is really unmanaged identity lifecycle risk. The article shows that the hardest part is not granting access, but keeping ownership, authentication, review, and offboarding aligned across vendor relationships. When those controls fragment across IT, security, procurement, and the business, the result is not just access sprawl but a lifecycle that no one fully governs. Practitioners should treat vendor access as a governed identity population, not a temporary exception.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to Oasis Security & ESG.
A question worth separating out:
Q: Who is accountable when a vendor account is used in a breach?
A: Accountability should sit with the internal business owner for the vendor relationship, supported by security and procurement. If no one owns the lifecycle end to end, the organisation cannot prove who approved, who reviewed, or who removed access. Frameworks such as NIST CSF and Zero Trust expect clear ownership and controlled access.
👉 Read our full editorial: Third-party access management still fails on basic identity controls