TL;DR: Third-party remote access is now a material breach path, with 47% of organisations reporting a vendor-network incident in the past year and 64% expecting these breaches to stay flat or rise, according to Imprivata’s cited analyst findings. Vendor access governance is failing where visibility, ownership, and least privilege are weakest, not where tooling is absent.
NHIMG editorial — based on content published by Imprivata: third-party remote access risk and vendor privileged access management best practices
By the numbers:
- 47% of organisations experienced a breach involving vendor network access in the past year.
- 64% expect these breaches to increase or remain constant over the next year.
Questions worth separating out
Q: What breaks when third-party access is not tightly governed?
A: When third-party access is not tightly governed, organisations lose visibility into who is connected, what they can reach, and whether the access still matches the task.
Q: Why do vendor accounts increase breach risk in privileged environments?
A: Vendor accounts increase breach risk because they often have more access than necessary and are monitored less consistently than employee identities.
Q: How do security teams know if third-party access governance is working?
A: A third-party access programme is working when the organisation can answer three questions quickly: who has access, why they have it, and when it will expire.
Practitioner guidance
- Enforce task-bound vendor access: grant third-party access only for a named business purpose, with explicit expiry and the minimum reachable systems required to complete the task.
- Require named identity attribution: prohibit generic shared vendor accounts and ensure every session is tied to an individual identity, recorded activity, and business sponsor.
- Build a complete vendor access inventory: maintain a current register of every external identity, the systems it can reach, the owner approving it, and the dates on which it must be reviewed.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Five practitioner questions answered in sequence, including the survey-backed evidence behind each risk statement.
- Specific third-party access best practices such as vetting, auditing, delegation, and session accountability.
- The cited 2025 analyst findings on breach frequency, weak points, and budget or oversight constraints.
- Guidance on choosing purpose-built vendor privileged access management over generic internal PAM use cases.
👉 Read Imprivata's analysis of third-party remote access risk and vendor PAM practices →
Third-party access risks: what IAM teams need to act on?
Explore further
Third-party access is an identity governance problem, not just a supplier risk. The article shows that vendor connectivity becomes exploitable when identity, privilege, and session control are treated as exceptions. That places the issue squarely in IAM and PAM, with lifecycle discipline extending to every external account and approval path. Practitioners should stop treating vendor access as an ad hoc support arrangement and govern it as a formal identity class.
A few things that frame the scale:
- 33% of breaches were the result of a third-party partner having too much privileged access, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why external access often outlives the controls meant to constrain it.
A question worth separating out:
Q: Who is accountable when a vendor access incident occurs?
A: Accountability should sit with the business owner who approved the access, the security team that defined the controls, and the vendor relationship owner who can confirm the ongoing need. If a shared account or informal approval process was used, accountability becomes diffuse, which is exactly why attribution and sponsorship must be explicit before access is granted.
👉 Read our full editorial: Third-party access is exposing weak spots in privileged governance