Third-party access risks: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Third-party vendor access is driving lawsuits, breach disclosure disputes, and regulatory exposure as organisations fail to monitor outsourced identities, according to Unosecur’s analysis of Adidas, UCMC, and AT&T. The core issue is not outsourcing itself but the governance gap between access granted and access continuously verified.

NHIMG editorial — based on content published by Unosecur: Third-party access risks: 7 threat types and Zero-Trust mitigation best practices

Questions worth separating out

Q: What breaks when third-party access is not tightly governed?

A: When third-party access is loosely governed, organisations lose control over who can reach sensitive data, which permissions are still needed, and whether old accounts remain active after the work is done.

Q: Why do vendor identities create so much risk in cloud and support environments?

A: Vendor identities create risk because they often need broad, cross-system access to do real work, but that access is hard to verify continuously once the relationship begins.

Q: How do security teams know whether third-party access is actually under control?

A: Security teams know third-party access is under control when every external identity has a named owner, a narrow purpose, a review history, and a documented offboarding path.

Practitioner guidance

  • Map every third-party identity to a named business owner: Require each vendor account, service desk user, and support role to have a documented internal owner who can approve access, challenge exceptions, and validate removal when the relationship changes.
  • Bind third-party access to task scope and expiry: Issue vendor permissions only for the specific support function, environment, and duration required.
  • Certify external access on a fixed review cadence: Review third-party entitlements with the same rigour used for privileged internal access, including dormant accounts, broad group membership, and delegated admin rights.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A category-by-category breakdown of third-party identity risk types, including how each one maps to access, compliance, and supply-chain exposure.
  • The vendor-facing mitigation patterns behind just-in-time access, entitlement review, and continuous monitoring in live environments.
  • The practical control examples tied to IT service providers, contact centres, and outsourced support workflows.
  • The article's own Zero Trust framing and implementation emphasis for external identities.

👉 Read Unosecur's analysis of third-party access risks and Zero Trust mitigation →
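The three practitioner controls in this post (a named owner, access bound to scope and expiry, and a fixed review cadence) expressed as an audit over a vendor-identity inventory. This is an added example written for this thread, not code from Unosecur or NHIMG; the inventory records, field names, and the 30-day dormancy and 90-day review thresholds are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class VendorIdentity:
    name: str
    vendor: str
    owner: str | None          # internal business owner accountable for the grant
    scope: str                 # task / environment the access was issued for
    expires: date | None       # hard expiry of the grant (None = open-ended)
    last_used: date | None     # last authentication seen in logs (None = never)
    last_reviewed: date | None # last entitlement certification (None = never)

# Constructed sample inventory, as a vendor-access register might hold it.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    VendorIdentity("svc-helpdesk-acme", "Acme Support", "it-ops-lead",
                   "tier-1 ticket triage / prod-support",
                   date(2025, 12, 31), date(2025, 5, 30), date(2025, 4, 15)),
    VendorIdentity("contractor-jdoe", "Acme Support", None,
                   "migration project / staging",
                   date(2025, 3, 31), date(2025, 5, 28), date(2025, 1, 10)),
    VendorIdentity("vendor-readonly-bi", "DataCo", "finance-sec",
                   "BI read access / analytics",
                   None, date(2025, 1, 5), None),
]

def audit(identities, today, dormant_days=30, review_days=90):
    """Return [(name, [issue, ...])] for every identity that fails a control."""
    findings = []
    for ident in identities:
        issues = []
        if not ident.owner:                      # control 1: named owner
            issues.append("no named owner")
        if ident.expires is None:                # control 2: scope and expiry
            issues.append("no expiry")
        elif ident.expires < today:              # still active past its end date
            issues.append("expired but still active")
        if ident.last_used is None or (today - ident.last_used).days > dormant_days:
            issues.append(f"dormant (>{dormant_days}d)")
        if ident.last_reviewed is None or (today - ident.last_reviewed).days > review_days:
            issues.append(f"review overdue (>{review_days}d)")  # control 3: cadence
        if issues:
            findings.append((ident.name, issues))
    return findings

REVOKE_TRIGGERS = ("no named owner", "expired but still active", "dormant")

def revocation_candidates(findings):
    """Identities whose findings justify revoking access pending owner sign-off."""
    return [name for name, issues in findings
            if any(i.startswith(t) for i in issues for t in REVOKE_TRIGGERS)]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, TODAY):
        print(name, "->", ", ".join(issues))
    print("revoke:", revocation_candidates(audit(SAMPLE_INVENTORY, TODAY)))
```

Note that `contractor-jdoe` is still authenticating after its grant expired, which is exactly the "access continues after the relationship changed" failure the post describes; an expiry that is recorded but not enforced is only paperwork.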

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6223
 

Third-party access is now a lifecycle problem, not a vendor-management side issue. The lawsuits discussed in this post show what happens when external identities are granted access but not governed with the same discipline as internal accounts. Entitlement scope, monitoring, and offboarding are all part of the same control chain. The practitioner takeaway is simple: if a vendor can still reach data after the business thinks the relationship changed, the lifecycle failed.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% that confirmed one and 26% that suspected one.

A question worth separating out:

Q: Who is accountable when a vendor breach exposes customer data?

A: Accountability usually sits with the organisation that granted the access, because regulators, customers, and courts look at whether oversight, monitoring, and revocation were adequate. The vendor may be the technical point of compromise, but the primary organisation is still responsible for proving that access was managed, reviewed, and removed when it should have been.

👉 Read our full editorial: Third-party access risks expose the gaps in zero-trust governance



   