TL;DR: Third-party risk management depends on structured onboarding, monitoring, access review, contracting, and offboarding, because vendors can expose sensitive systems and data when lifecycle controls are applied inconsistently, according to SecurEnds. The governance gap is not a lack of awareness but a lack of enforceable lifecycle discipline across access, contracts, and offboarding.
NHIMG editorial — based on content published by SecurEnds: The Third-Party Risk Management Lifecycle
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- 91% of former employee tokens remain active after offboarding (2025 State of NHIs and Secrets in Cybersecurity), leaving organisations exposed to breaches; vendor credentials that outlive a contract follow the same pattern.
Questions worth separating out
Q: How should security teams manage vendor access across the third-party lifecycle?
A: Security teams should manage vendor access as a governed lifecycle, not as a one-time approval.
Q: Why do third-party relationships create lasting identity risk?
A: Third-party relationships create lasting identity risk because permissions, tokens, and integrations often survive long after the original business need changes.
Q: What breaks when vendor offboarding is not enforced?
A: When vendor offboarding is not enforced, accounts remain active, integrations stay connected, and sensitive data may persist in systems the vendor no longer needs.
Practitioner guidance
- Centralise vendor inventory and ownership: create a single record for every third party that lists its system access, its data access, and an accountable internal owner. Access with no named owner is a finding, not a default.
- Bind access reviews to lifecycle events: trigger entitlement reviews when a vendor is onboarded, when its scope changes, when a contract renews, or when the service changes hands, rather than only on a calendar.
- Require verified offboarding evidence: do not close a vendor relationship until accounts are disabled, credentials are revoked, integrations are removed, sensitive data is recovered or destroyed, and the evidence of each step is retained.
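The three points above reduce to one reconciliation: join the vendor inventory (with owner, status and contract end) against whatever access still exists for each vendor, and refuse to call a relationship closed while any of it is enabled. The script below is an added example written for this post, not SecurEnds' or NHIMG's tooling; the vendor registry, the access export, the field names and the cut-off date are all constructed sample data in a hypothetical schema. It flags access that survives offboarding or contract expiry, access with no accountable owner, orphan records that point at no vendor at all, and credentials that have gone unused long enough to warrant review.

```python
"""Reconcile a vendor inventory against live access records.

Added example with constructed data. The schema (Vendor/Access fields) is
hypothetical; substitute the export from your IdP, secrets store and SaaS
admin consoles. Nothing here comes from the SecurEnds article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed "today" so the example is deterministic offline.
TODAY = date(2025, 10, 1)


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    owner: Optional[str]      # accountable internal owner; None = unassigned
    status: str               # "active" or "offboarded"
    contract_end: date


@dataclass(frozen=True)
class Access:
    access_id: str
    vendor_id: str
    kind: str                 # "account", "api_token" or "integration"
    enabled: bool
    last_used: Optional[date]  # None = never used or usage not recorded


# Constructed sample inventory (fictitious vendors).
VENDORS = [
    Vendor("v-100", "Acme Analytics", "data-platform@example.com", "active", date(2026, 6, 30)),
    Vendor("v-200", "Globex Payroll", None, "active", date(2026, 1, 31)),
    Vendor("v-300", "Initech Support", "it-ops@example.com", "offboarded", date(2025, 3, 31)),
]

# Constructed sample access export.
ACCESS = [
    Access("a-1", "v-100", "account", True, date(2025, 9, 1)),
    Access("a-2", "v-100", "api_token", True, None),               # never used
    Access("a-3", "v-200", "integration", True, date(2025, 8, 15)),
    Access("a-4", "v-300", "api_token", True, date(2025, 4, 2)),   # outlived offboarding
    Access("a-5", "v-300", "account", False, date(2025, 3, 20)),   # correctly disabled
    Access("a-6", "v-999", "integration", True, date(2025, 9, 5)), # no vendor record
]

Finding = Tuple[str, str, str]  # (severity, access_id, reason)


def reconcile(vendors: List[Vendor], access: List[Access], today: date,
              stale_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return findings. Severity 'block' means the vendor cannot be treated
    as offboarded; 'review' means an entitlement review is due."""
    by_id = {v.vendor_id: v for v in vendors}
    findings: List[Finding] = []
    for a in access:
        if not a.enabled:
            continue  # disabled access is the evidence we want, not a finding
        v = by_id.get(a.vendor_id)
        if v is None:
            findings.append(("block", a.access_id, "orphan access: no vendor record"))
            continue
        if v.status == "offboarded" or v.contract_end < today:
            findings.append(("block", a.access_id,
                             f"{a.kind} still enabled after offboarding of {v.name}"))
            continue
        if v.owner is None:
            findings.append(("review", a.access_id, f"no accountable owner for {v.name}"))
        if a.last_used is None or today - a.last_used > stale_after:
            findings.append(("review", a.access_id,
                             f"{a.kind} unused for more than {stale_after.days} days"))
    return findings


def revoke(access: List[Access], access_id: str) -> List[Access]:
    """Return a copy of the export with one record disabled (the remediation step)."""
    return [Access(a.access_id, a.vendor_id, a.kind, False, a.last_used)
            if a.access_id == access_id else a for a in access]


def offboarding_verified(access: List[Access], vendor_id: str) -> bool:
    """True only when every access record for the vendor is disabled."""
    return all(not a.enabled for a in access if a.vendor_id == vendor_id)


if __name__ == "__main__":
    for severity, access_id, reason in reconcile(VENDORS, ACCESS, TODAY):
        print(f"{severity:6} {access_id:4} {reason}")
    print("v-300 offboarding verified:", offboarding_verified(ACCESS, "v-300"))
    print("after revoking a-4:", offboarding_verified(revoke(ACCESS, "a-4"), "v-300"))
```

Run against the constructed data, the offboarded vendor fails verification because one API token is still enabled, and the orphan integration surfaces as a block because it has no vendor record to own it. The point of keeping `offboarding_verified` separate from `reconcile` is that the closure decision should be a yes/no gate on evidence, not a judgement call made while reading a report.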
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- A stage-by-stage third-party risk lifecycle checklist for identification, assessment, onboarding, monitoring, and offboarding
- Practical examples of how contracts, security obligations, and access rules are set during vendor onboarding
- A walkthrough of common lifecycle management challenges such as manual assessment, limited visibility, and access sprawl
- Guidance on how automation can support monitoring and reporting across large vendor ecosystems
👉 Read SecurEnds' guide to the third-party risk management lifecycle →
Third-party risk lifecycle governance: what IAM teams miss
Explore further
Lifecycle control is the real control plane for third-party risk. The article is right to frame vendor management as a sequence of identification, assessment, onboarding, monitoring, and offboarding. That sequence is what turns external access from an unmanaged dependency into a governed relationship. In identity terms, the control plane is not the contract by itself, but the ability to prove who has access, why they have it, and when that access ends. Practitioners should treat vendor lifecycle management as an operational identity discipline, not a procurement exercise.
A few things that frame the scale (these figures describe non-human identities and workforce offboarding in general rather than vendor access specifically, but the failure mode is the same: credentials outliving the need that created them):
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to the 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable for third-party access after a vendor contract ends?
A: Accountability should remain with the internal business owner, security team, and procurement function until all access is revoked and evidence is retained. A contract ending does not end identity risk. If no one is responsible for proving closure, the organisation has not actually offboarded the vendor.
👉 Read our full editorial: Third-party risk lifecycle governance for vendor access and offboarding