
Third-party risk management platforms: what IAM teams should evaluate


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Choosing a third-party risk management company is really about whether an organisation can keep vendor risk visible, measurable, and tied to compliance across a growing external ecosystem, according to SecurEnds. The core challenge is not software selection but whether the programme can integrate with IAM, SIEM, and GRC workflows without creating another manual oversight layer.

NHIMG editorial — based on content published by SecurEnds: how to choose a third-party risk management company

By the numbers:

Questions worth separating out

Q: How should organisations choose a third-party risk management provider?

A: Start with the business problem you need to solve, then test whether the provider can support vendor scoring, continuous monitoring, remediation, and offboarding.

Q: Why do third-party vendors create identity and access risk?

A: Because vendors often receive access to systems, data, and workflows that were originally designed for internal users.

Q: What do security teams get wrong about TPRM automation?

A: They often assume automation replaces governance instead of accelerating it.

Practitioner guidance

  • Map vendor access to identity lifecycle ownership: assign a named owner for onboarding, review, revocation, and evidence closure for every vendor that touches sensitive systems or data.
  • Test integration depth before selecting a platform: verify that the provider can exchange data with IAM, SIEM, and GRC systems in a way that supports automated alerts and remediation routing.
  • Require audit-ready reporting on exceptions: insist on reports that show which vendors are out of policy, who owns the exception, and when remediation is due.

What's in the full article

SecurEnds's full guide covers the operational detail this post intentionally leaves for the source:

  • Detailed evaluation checklist for comparing managed services, software-only, and hybrid TPRM models
  • Vendor selection questions focused on onboarding timelines, risk scoring logic, and workflow automation
  • Feature-by-feature comparison points for integration with IAM, SIEM, GRC, and ERP environments
  • Practical guidance on avoiding pricing-only decisions and weak scalability planning

👉 Read SecurEnds's guide on choosing a third-party risk management company →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

TPRM selection is now an access-governance decision, not a procurement checkbox. The article is framed around vendor evaluation, but the real issue is who can reach enterprise systems through the third-party relationship. Once vendor access is treated as part of the identity plane, integration with IAM, GRC, and monitoring becomes the control surface that matters. Practitioners should judge providers by how well they preserve trust boundaries across the vendor lifecycle.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do IAM and TPRM programmes work together?

A: IAM defines and controls access, while TPRM determines whether the external party receiving that access remains trustworthy over time. When the two are linked, vendor onboarding, monitoring, and offboarding become part of the same control chain. That gives organisations a clearer view of who has access and why it still exists.

👉 Read our full editorial: Third-party risk management company selection and IAM governance
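As an added example (not code from the NHIMG posts or from SecurEnds), here is a small Python exception check that applies the practitioner guidance in the first post and the IAM/TPRM control-chain point in the reply: every lifecycle stage needs a named owner, a vendor offboarded in TPRM must hold no live access in IAM, and overdue reviews and remediations surface with their owner and due date. The record layout, report date, vendor names and system names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

STAGES = ("onboarding", "review", "revocation", "evidence_closure")  # each needs a named owner
TODAY = date(2025, 6, 1)  # constructed report date

@dataclass
class VendorAccess:
    vendor: str
    status: str                # TPRM state: "active" or "offboarded"
    systems: list              # IAM state: systems the vendor identity can still reach
    owners: dict               # lifecycle stage -> named owner (assumed record layout)
    next_review: date          # when the access review is due
    remediation_due: "date | None" = None  # open remediation deadline, if any

def _owner(v, stage):
    return v.owners.get(stage) or "UNASSIGNED"

def vendor_exceptions(inventory, today):
    """One (vendor, finding, owner, due) tuple per out-of-policy condition."""
    findings = []
    for v in inventory:
        for stage in STAGES:
            if not v.owners.get(stage):
                findings.append((v.vendor, f"no owner for {stage}", "UNASSIGNED", today))
        # Offboarded in TPRM but still live in IAM: the control chain is broken.
        if v.status == "offboarded" and v.systems:
            findings.append((v.vendor, "access survives offboarding: " + ", ".join(v.systems),
                             _owner(v, "revocation"), today))
        if v.next_review < today:
            findings.append((v.vendor, "access review overdue", _owner(v, "review"), v.next_review))
        if v.remediation_due and v.remediation_due < today:
            findings.append((v.vendor, "remediation overdue",
                             _owner(v, "evidence_closure"), v.remediation_due))
    # Unowned findings first, then oldest due date, so the report leads with what nobody will fix.
    return sorted(findings, key=lambda f: (f[2] != "UNASSIGNED", f[3]))

# Constructed sample inventory; vendor, owner and system names are placeholders.
SAMPLE = [
    VendorAccess("acme-payroll", "active", ["hr-db"],
                 dict(zip(STAGES, ["a.ng", "a.ng", "b.ito", "b.ito"])), date(2025, 9, 1)),
    VendorAccess("ex-logistics", "offboarded", ["erp-api", "sftp"],
                 dict(zip(STAGES, ["c.ray"] * 4)), date(2025, 3, 1),
                 remediation_due=date(2025, 4, 15)),
    VendorAccess("new-analytics", "active", ["bi-warehouse"],
                 {"onboarding": "d.lee"}, date(2025, 12, 1)),
]

if __name__ == "__main__":
    for vendor, finding, owner, due in vendor_exceptions(SAMPLE, TODAY):
        print(f"{vendor:14} {finding:45} owner={owner:10} due={due}")
```

Feeding the same function the IAM entitlement export and the TPRM vendor register, rather than the constructed sample, gives the out-of-policy report with owner and due date that the guidance asks for.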
