TL;DR: Third-party and fourth-party access often becomes a blind spot because organisations cannot consistently see what vendors touch, when they touch it, or whether their own controls extend downstream, according to Imprivata. The governance gap is not remote access itself, but the lack of lifecycle control, auditability, and minimum necessary access across the vendor chain.
NHIMG editorial — based on content published by Imprivata: third-party remote access risks and best practices for mitigating them
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern third-party remote access in practice?
A: Treat third-party remote access as a governed identity path, not a networking exception.
Q: Why do fourth-party vendors increase access risk so quickly?
A: Fourth-party relationships extend your trust boundary beyond the supplier you contract with.
Q: What breaks when vendor access is broader than the business purpose?
A: Least privilege stops working as a meaningful control when vendor connectivity is broad enough to outstrip the task being performed.
Practitioner guidance
- Build a third-party risk map Map systems, data flows, and external touchpoints so you can identify which vendor relationships need deeper assessment, tighter controls, and stronger evidence collection.
- Set pass-through contractual obligations Require vendors to flow security requirements down to their own suppliers, including audit rights, limitation of liability, and indemnity clauses that reflect downstream exposure.
- Move vendor access beyond VPN dependence Use purpose-driven, time-bound access patterns with minimum necessary permissions instead of broad remote connectivity that cannot be linked cleanly to business need.
What's in the full article
Imprivata's full blog covers the operational detail this post intentionally leaves for the source:
- The full eight-step vendor access checklist, including due diligence, contractual clauses, and offboarding practices.
- Practical guidance on documenting compliance obligations and setting pass-through requirements for fourth parties.
- Operational detail on access audits, session traceability, and how to align expiration dates with contract timelines.
- The vendor's perspective on purpose-driven remote access controls beyond VPN-based connectivity.
👉 Read Imprivata's analysis of third-party and fourth-party remote access risk →
Third-party remote access and fourth-party risk: are controls keeping up?
Explore further
Third-party access is still identity access, and it fails when organisations treat vendors as outside the IAM model. The article correctly identifies that too much trust is often placed in vendor security posture, but the deeper problem is that third-party reach commonly escapes the lifecycle and entitlement discipline applied to internal users. That creates a governance gap across PAM, access reviews, and offboarding. Practitioners should treat vendor identities as governed identities, not exceptional connections.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often external access governance is built on partial inventory.
A question worth separating out:
Q: Who is accountable when a vendor keeps access after offboarding?
A: Accountability is shared, but the organisation that granted access remains responsible for making sure it ends. Contracts should define expiry, audits should confirm revocation, and lifecycle processes should remove dormant access. If offboarding is not enforced technically, the access remains active regardless of intent.
👉 Read our full editorial: Third-party remote access risk is a fourth-party governance problem