Third-party identities and cloud entitlements: what should IAM teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Identity security now spans three expanding control surfaces—third-party identities, cloud entitlements, and unstructured data access—according to SailPoint. The practical signal is that IAM programmes must extend lifecycle and access controls beyond employees or they will miss the identities now carrying real operational risk.

NHIMG editorial — based on content published by SailPoint: Blog roping in identity security threats with SailPoint solutions

Questions worth separating out

Q: How should security teams govern contractor and vendor access without losing oversight?

A: Treat non-employee access as a lifecycle process, not a one-time approval.

Q: Why do cloud entitlements create governance gaps in IAM programmes?

A: Cloud permissions often change faster than application roles and are spread across multiple platforms, which makes them easy to miss during standard access reviews.

Q: What do organisations get wrong about unstructured data access?

A: They often certify user accounts without tracing those accounts to the files, repositories, and collaboration spaces they can actually reach.

Practitioner guidance

  • Define a single non-employee governance workflow: assign sponsors, review cadence, and offboarding triggers for contractors, vendors, and partners so external access does not rely on ad hoc manual cleanup.
  • Pull cloud entitlements into identity reviews: link AWS, Azure, and GCP permission discovery to access certification so excessive rights are visible in the same control process as application access.
  • Extend certification to sensitive data repositories: include file shares, collaboration platforms, and data stores in access reviews so unstructured data permissions are governed alongside accounts and roles.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How SailPoint positions Non-Employee Risk Management for contractor and supplier governance workflows
  • How SailPoint CIEM is described across Azure, AWS, and GCP entitlement discovery and remediation
  • How SailPoint Data Access Security is intended to extend governance into unstructured data and monitoring
  • The specific integrations and rollout timing that matter once an IAM team moves from strategy to implementation

👉 Read SailPoint's blog on non-employee risk, CIEM, and data access security →
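The first two practitioner points above (a sponsor/offboarding lifecycle for non-employees, and cloud entitlement discovery feeding the same certification queue) can be made concrete with a small script. This is an added example, not code from the NHIMG post or from SailPoint; the identity inventory, sponsors, dates and AWS-style policy documents are all constructed for illustration, and the "employees are owned by HR, non-employees by a sponsor" ownership rule is an assumption of the example rather than anything the article prescribes.

```python
"""
Added example (not from the NHIMG post or from SailPoint): join a constructed
identity inventory with constructed AWS-style IAM policy statements so that
non-employee lifecycle triggers and excessive cloud entitlements land in one
access-certification queue with an explicit reviewer per item.
"""
from datetime import date

# Constructed identity inventory. Assumption for this example: contractors and
# vendors carry a business sponsor and an engagement end date; employees carry
# neither because HR owns their lifecycle.
IDENTITIES = [
    {"id": "alice", "type": "employee", "sponsor": None, "end_date": None},
    {"id": "acme-ci", "type": "vendor", "sponsor": "bob", "end_date": "2024-01-31"},
    {"id": "ctr-dana", "type": "contractor", "sponsor": None, "end_date": "2025-12-31"},
]

# Constructed AWS-style identity policy statements, keyed by identity id.
POLICIES = {
    "alice": [{"Effect": "Allow", "Action": ["s3:GetObject"],
               "Resource": "arn:aws:s3:::reports/*"}],
    "acme-ci": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "ctr-dana": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
                 # A Deny statement never creates a right, so it is not a finding.
                 {"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Services where a service-wide wildcard amounts to control over the account.
PRIVILEGE_SERVICES = {"iam", "sts", "organizations", "kms"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lifecycle_findings(identity, today):
    """Offboarding triggers for non-employee identities (employees are HR-owned)."""
    findings = []
    if identity["type"] == "employee":
        return findings
    if not identity["sponsor"]:
        findings.append("no-sponsor")
    if identity["end_date"] and date.fromisoformat(identity["end_date"]) < today:
        findings.append("engagement-ended")
    return findings


def entitlement_findings(statements):
    """Flag Allow statements that grant broad rights; Deny statements only narrow
    access and are skipped."""
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions:
            findings.append("admin-all-actions")
            continue  # nothing more specific to say about a full-admin grant
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*" and service in PRIVILEGE_SERVICES:
                findings.append(f"service-wildcard:{service}")
        if "*" in resources:
            findings.append("unscoped-resource")
    return findings


def build_certification_queue(identities, policies, today):
    """One queue for both lifecycle and entitlement findings, each item owned by
    the sponsor (non-employee) or HR (employee), never by the IAM team alone."""
    queue = []
    for ident in identities:
        findings = lifecycle_findings(ident, today) + \
            entitlement_findings(policies.get(ident["id"], []))
        if not findings:
            continue
        if ident["type"] == "employee":
            reviewer = "hr"
        else:
            reviewer = ident["sponsor"] or "unassigned"
        queue.append({
            "id": ident["id"],
            "reviewer": reviewer,
            "findings": findings,
            # An ended engagement is a revocation trigger, not a review question.
            "action": "revoke" if "engagement-ended" in findings else "certify",
        })
    return queue


if __name__ == "__main__":
    for item in build_certification_queue(IDENTITIES, POLICIES, date(2025, 6, 1)):
        print(f"{item['id']:10} reviewer={item['reviewer']:10} "
              f"action={item['action']:8} {', '.join(item['findings'])}")
```

The point of the join is that a vendor identity whose engagement has ended and whose policy is `"Action": "*"` shows up as a single revocation item assigned to its sponsor, while a contractor with no sponsor and an `iam:*` grant shows up as a certification item with nobody to approve it, which is exactly the standing-risk condition the post describes. In a real programme the two inventories would come from the HR/vendor system and from per-platform entitlement discovery (AWS IAM, Azure RBAC, GCP IAM) rather than from constructed dictionaries.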

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Non-employee access is no longer a side programme. The article correctly treats contractors, vendors, and service providers as part of the identity estate, not as exceptions. That is where most IAM programmes still under-invest, because they assume employee-centric controls will scale to external identities. The governance consequence is that sponsorship, review, and offboarding must be designed for identities that are business-critical but not employee-owned. Practitioners should treat non-employee identity as a first-class governance domain.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, which is why lifecycle ownership matters as much as discovery in identity programmes.

A question worth separating out:

Q: Who is accountable when third-party access remains after the business need ends?

A: The business sponsor and the access owner are accountable, not the identity team alone. IAM can provide workflow and visibility, but revocation only happens when ownership is explicit and review outcomes are enforced. Without that accountability, third-party access becomes standing risk.

👉 Read our full editorial: Identity security for third parties, cloud entitlements, and data access



   
ReplyQuote
Share: