
Third-party risk management and vendor access: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter

TL;DR: Third-party risk management now sits at the intersection of cybersecurity, compliance, and identity governance as vendor access to cloud, SaaS, and outsourced services expands the enterprise attack surface, according to SecurEnds. The security issue is not vendor presence itself, but unmanaged permissions and weak lifecycle controls that let third parties outlive their legitimate access window.

NHIMG editorial — based on content published by SecurEnds: third-party risk management and identity governance for vendor access

By the numbers:

Questions worth separating out

Q: How should security teams govern vendor access in third-party risk management?

A: Security teams should govern vendor access as a lifecycle problem.

Q: Why do third-party accounts increase identity risk?

A: Third-party accounts increase risk because they often reach sensitive systems without the same day-to-day scrutiny as internal users.

Q: What breaks when vendor offboarding is not tightly controlled?

A: When vendor offboarding is weak, access survives after the business need ends.

Practitioner guidance

  • Build a complete third-party identity inventory: Track every vendor, contractor, integration, token, and service account in one place, with owner, purpose, data access, and expiry date recorded for each relationship.
  • Tie access to contract lifecycle events: Make onboarding, renewal, scope changes, and termination trigger access review and deprovisioning workflows across all systems, not just the primary application.
  • Enforce least privilege on external accounts: Remove broad permissions from vendor identities, assign only the minimum role required for the stated task, and require business justification for any exception.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • The article’s step-by-step TPRM checklist for vendor background, certification, data protection, and subcontractor review.
  • The section on how organisations score third-party risk across cybersecurity, compliance, operational, financial, and reputational dimensions.
  • The practical lifecycle guidance on onboarding, access certification, and vendor offboarding across the vendor relationship.
  • The article’s discussion of tools and software for automating third-party management workflows.

👉 Read SecurEnds' guide to third-party risk management and vendor access governance →
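One way to turn the inventory, lifecycle and least-privilege guidance above into a repeatable access-review check, as an added example that is not part of this post or of SecurEnds' article; the inventory rows, the field names and the set of roles treated as broad are constructed assumptions:

```python
from datetime import date

# Constructed sample inventory (not real vendor data): one row per external
# identity, carrying the fields the guidance asks for (owner, purpose,
# contract state, expiry date, granted roles).
INVENTORY = [
    {"id": "vendor-acme-svc", "owner": "app-team-1", "purpose": "nightly data export",
     "contract_status": "active", "expiry": "2026-01-31", "roles": ["reader"]},
    {"id": "contractor-jdoe", "owner": "", "purpose": "migration support",
     "contract_status": "terminated", "expiry": "2025-03-01", "roles": ["admin"]},
    {"id": "integration-ci-token", "owner": "platform", "purpose": "ci deploy",
     "contract_status": "active", "expiry": "2025-02-01", "roles": ["deploy", "owner"]},
]

# Assumption: these role names count as broad privileges that need justification.
BROAD_ROLES = {"admin", "owner"}


def review_inventory(inventory, today):
    """Return {identity_id: [finding, ...]} for every identity that needs action.

    Checks, in order: missing accountable owner, expiry date in the past,
    contract no longer active (deprovision trigger), broad roles still granted.
    """
    findings = {}
    for item in inventory:
        issues = []
        if not item.get("owner"):
            issues.append("no accountable owner recorded")
        expiry = date.fromisoformat(item["expiry"])
        if expiry < today:
            issues.append(f"expired on {expiry.isoformat()} but still provisioned")
        if item["contract_status"] != "active":
            issues.append(f"contract {item['contract_status']}: deprovision across all systems")
        broad = BROAD_ROLES & set(item["roles"])
        if broad:
            issues.append("broad role(s) " + ", ".join(sorted(broad)) + " need justification")
        if issues:
            findings[item["id"]] = issues
    return findings


if __name__ == "__main__":
    for identity, issues in review_inventory(INVENTORY, date.today()).items():
        print(identity)
        for issue in issues:
            print("  -", issue)
```

The same function can be pointed at an export from an IdP or secrets store once the rows carry the same fields; identities with no findings are the ones that pass the review.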

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Third-party risk management fails when organisations treat vendor access as a static approval rather than a living identity relationship. The article’s lifecycle emphasis is correct, but the deeper point is that external identities age just like internal ones. If onboarding is visible and offboarding is weak, access becomes detached from the business reason it was granted. Practitioners should read this as a governance failure in the identity lifecycle, not as a procurement deficiency.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The same study found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when a third-party vendor keeps access after a contract ends?

A: The organisation that granted the access remains accountable, even if the vendor failed to request removal. Security, procurement, and application owners all share responsibility for making sure revocation happens across every connected system, because retained access is still retained risk.

👉 Read our full editorial: Third-party risk management is becoming identity governance
