Third-party risk management: what IAM teams miss in vendor offboarding


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Third-party risk management only works when vendor inventory, tiering, assessment, monitoring, and offboarding operate as one governance loop, according to SecurEnds. Without that structure, organisations keep access open after relationships change, turning supplier convenience into persistent exposure for sensitive systems and data.

NHIMG editorial — based on content published by SecurEnds: What are the key elements of third-party risk management?

By the numbers:

Questions worth separating out

Q: How should security teams build a third-party risk programme that actually reduces identity risk?

A: Start with a living inventory of every vendor that can touch systems, data, or credentials.

Q: Why do third-party relationships create persistent IAM and NHI risk?

A: Because access often outlives the business relationship that justified it.

Q: What breaks when vendor offboarding is not verified?

A: Orphaned access survives.

Practitioner guidance

  • Map every vendor to a living access record: tie each third party to systems, data types, owner, approval date, and revocation trigger so the inventory can support real governance decisions.
  • Tier vendors by blast radius, not contract value: classify suppliers by data sensitivity, system criticality, and operational dependency, then align review frequency and mitigation depth to the tier.
  • Verify offboarding before closing the relationship: require evidence that access was removed, secrets were revoked, and data return or destruction was completed before the vendor is marked closed.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step breakdown of vendor identification and inventory management workflows for a live TPRM programme.
  • The specific assessment checkpoints used to classify vendors by risk tier and review cadence.
  • The offboarding and access removal procedures that translate policy into verified identity revocation.
  • The control alignment discussion for NIST, ISO 27001, and SOC 2 in vendor governance.

👉 Read SecurEnds' full guide to the key elements of third-party risk management →

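The three practitioner-guidance points above (a living access record, tiering by blast radius, and evidence-gated offboarding) can be wired together as a reconciliation check rather than a checklist. The following is an added example, not code from SecurEnds or the NHIMG post. It assumes two inputs the programme would already hold: the vendor's access record from the TPRM inventory, and a snapshot of live identities and unrevoked secrets exported from IAM, PAM and secret stores. The vendor name, system names, identity and secret IDs, and the tier-to-review-cadence table are all constructed for illustration.

```python
"""Vendor offboarding gate: reconcile a vendor's access record against live state.

Added example (not SecurEnds' or NHIMG's code). All names and data below are
constructed. Two hypothetical feeds are assumed:
  - the TPRM inventory record for the vendor (systems, NHIs, secrets, owner,
    approval date, revocation trigger)
  - a live snapshot of enabled identities and still-valid secrets, plus the
    recorded data return/destruction status per vendor
"""
from dataclasses import dataclass
from datetime import date

# Review cadence per blast-radius tier (hypothetical policy values, in days).
TIER_REVIEW_DAYS = {1: 90, 2: 180, 3: 365}
SENSITIVE_DATA = {"pii", "phi", "financial", "credentials"}


@dataclass
class VendorRecord:
    vendor: str
    owner: str
    systems: dict          # system name -> {"data": <class>, "critical": bool}
    identities: set        # service accounts / NHIs provisioned for the vendor
    secrets: set           # API keys, certs, tokens issued to the vendor
    approval_date: date
    revocation_trigger: str


@dataclass
class LiveState:
    enabled_identities: set   # identities currently enabled in IAM/PAM
    valid_secrets: dict       # secret id -> expiry date, or None if it never expires;
                              # a revoked/deleted secret is simply absent
    data_disposition: dict    # vendor -> "returned" | "destroyed" (absent = no evidence)


def tier(record: VendorRecord) -> int:
    """Tier by blast radius: sensitive data on a critical system is tier 1,
    either property alone is tier 2, neither is tier 3."""
    hits = [(s["data"].lower() in SENSITIVE_DATA, s["critical"]) for s in record.systems.values()]
    if any(sens and crit for sens, crit in hits):
        return 1
    if any(sens or crit for sens, crit in hits):
        return 2
    return 3


def review_due(record: VendorRecord, today: date) -> bool:
    """Periodic review is due once the tier's cadence has elapsed since approval."""
    return (today - record.approval_date).days >= TIER_REVIEW_DAYS[tier(record)]


def offboarding_findings(record: VendorRecord, live: LiveState, today: date) -> list:
    """Return every piece of evidence still missing before the vendor may be closed."""
    findings = []
    for ident in sorted(record.identities & live.enabled_identities):
        findings.append(f"identity still enabled: {ident}")
    for sid in sorted(record.secrets):
        if sid not in live.valid_secrets:
            continue                      # revoked or deleted: good
        expiry = live.valid_secrets[sid]
        if expiry is None or expiry > today:
            findings.append(f"secret still valid: {sid}")
    if live.data_disposition.get(record.vendor) not in ("returned", "destroyed"):
        findings.append("data return/destruction not evidenced")
    return findings


def can_close(record: VendorRecord, live: LiveState, today: date) -> bool:
    """The gate: a vendor is closed only when no findings remain."""
    return not offboarding_findings(record, live, today)


# --- constructed sample data -------------------------------------------------
TODAY = date(2025, 6, 1)

RECORD = VendorRecord(
    vendor="acme-logistics",
    owner="supply-chain-ops",
    systems={"wms-prod": {"data": "PII", "critical": True},
             "reporting-dw": {"data": "internal", "critical": False}},
    identities={"svc-acme-sftp", "svc-acme-api"},
    secrets={"key-acme-api-01", "cert-acme-sftp"},
    approval_date=date(2024, 11, 15),
    revocation_trigger="contract end 2025-05-31",
)

# Snapshot after the contract ended: one account was disabled, one was not;
# the API key was rotated out, the SFTP cert never expires and is still present;
# no data disposition has been recorded.
LIVE_AFTER_NOTICE = LiveState(
    enabled_identities={"svc-acme-api", "svc-internal-etl"},
    valid_secrets={"cert-acme-sftp": None, "key-other-vendor": date(2026, 1, 1)},
    data_disposition={},
)

# Snapshot after remediation: everything the record names is gone and
# destruction is evidenced.
LIVE_REMEDIATED = LiveState(
    enabled_identities={"svc-internal-etl"},
    valid_secrets={"key-other-vendor": date(2026, 1, 1)},
    data_disposition={"acme-logistics": "destroyed"},
)

if __name__ == "__main__":
    print(f"{RECORD.vendor}: tier {tier(RECORD)}, review due: {review_due(RECORD, TODAY)}")
    for f in offboarding_findings(RECORD, LIVE_AFTER_NOTICE, TODAY):
        print("  BLOCKER:", f)
    print("close permitted after notice:", can_close(RECORD, LIVE_AFTER_NOTICE, TODAY))
    print("close permitted after remediation:", can_close(RECORD, LIVE_REMEDIATED, TODAY))
```

The point of the design is that "closed" is an output of the reconciliation, not a status someone sets: the vendor cannot be marked closed while any identity in its record is still enabled, any secret it was issued is still valid, or the data disposition is unrecorded. Expired-but-present secrets are deliberately not flagged, since they cannot be used; a stricter programme would still require their deletion.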



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 921
 

Third-party risk management fails when organisations treat vendor access as a procurement problem instead of an identity problem. The control gap is not just incomplete questionnaires or missed reviews. It is the absence of a lifecycle view that follows external access from onboarding to offboarding, which means accountability disappears before the relationship does. Practitioners should treat every vendor entitlement as governed identity, not administrative overhead.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable for third-party access when a vendor relationship ends?

A: Accountability should sit with the business owner of the relationship, but IAM, PAM, and security teams must own the technical revocation and validation steps. If no one is responsible for proving access removal, the organisation has governance in name only.

👉 Read our full editorial: Third-party risk management breaks when vendor access outlives oversight


