TL;DR: Third-party risk now spans cybersecurity, compliance, operational, financial, reputational, strategic, geopolitical, and AI governance exposure, while downstream fourth-party dependencies can still affect the organisation, according to OneTrust. Continuous monitoring matters because periodic questionnaires miss changing vendor postures and hidden supply-chain risk.
NHIMG editorial — based on content published by OneTrust: What Are the Types of Third-Party Risks?
Questions worth separating out
Q: How should security teams govern vendor access as part of third-party risk management?
A: Treat every vendor account, token, and API connection as governed identity.
Q: Why do fourth-party dependencies create risk that standard vendor reviews miss?
A: Because your supplier may rely on cloud services, subprocessors, or AI providers that you never assess directly.
Q: What do organisations get wrong about annual vendor assessments?
A: They treat risk as static.
Practitioner guidance
- Map external identities to business relationships Inventory vendor accounts, OAuth grants, API tokens, certificates, and shared service access, then bind each one to a business owner, purpose, and revocation path.
- Extend due diligence to downstream dependencies Ask critical vendors to disclose major subcontractors, cloud dependencies, and AI service providers so you can assess concentration risk and hidden failure points.
- Add AI usage questions to vendor reviews Require vendors to document whether AI is used in processing, decisioning, or service delivery, and whether human review exists for material outputs.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- A breakdown of the eight third-party risk categories the vendor uses in its TPRM model.
- Examples of how AI governance, compliance, and supply-chain dependency checks fit into one vendor review process.
- The vendor’s guidance on continuous monitoring across the relationship lifecycle.
- Practical framing for security, legal, and compliance teams that need to coordinate on third-party oversight.
👉 Read OneTrust's overview of third-party risks, AI governance, and extended supply-chain exposure →
Third-party and fourth-party risk: what IAM teams need to watch?
Explore further
Third-party risk is now an identity governance problem, not just a vendor management problem. Once external parties receive access to systems, data, or workflows, the organisation inherits the lifecycle burden around approval, scope, review, and revocation. That burden is identical in shape to IAM and NHI governance, even when procurement owns the contract. Practitioners should treat vendor access as governed identity, not as a spreadsheet field.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
- A separate finding shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when a third party introduces compliance or AI governance risk?
A: The organisation that engaged the third party remains accountable for many of the resulting obligations, even when the vendor performed the activity. That is why contracts, oversight, and evidence collection must be built into vendor governance from the start, not added after an incident.
👉 Read our full editorial: Third-party risk now includes AI governance, fourth-party exposure