TL;DR: Third-party risk management now shapes security, compliance, and operational resilience because vendors routinely sit on trusted paths into enterprise systems, according to SecurEnds. That makes vendor access governance, continuous monitoring, and lifecycle oversight a core identity problem, not a periodic procurement exercise.
NHIMG editorial — based on content published by SecurEnds: Why third-party risk management is important
By the numbers:
- The SolarWinds attack (2020) impacted 18,000+ organizations through a compromised software update.
- The Equifax breach (2017) affected 147M individuals and underscored how delayed patching and poor risk visibility compound third-party exposure.
Questions worth separating out
Q: How should security teams govern vendor access across the full lifecycle?
A: Security teams should govern vendor access from onboarding through offboarding, with explicit ownership, expiry, review, and revocation steps.
Q: Why do third-party vendors create so much identity risk?
A: Third-party vendors create identity risk because they often receive trusted access into systems, data, and operational workflows that internal teams do not monitor as tightly as employee access.
Q: What do organisations get wrong about vendor compliance reviews?
A: Organisations often confuse passing a vendor review with being continuously safe.
Practitioner guidance
- Inventory every vendor identity and access path: build a central register of third-party users, service accounts, API keys, certificates, and delegated integrations.
- Offboard vendor access on business change, not annual review: revoke or narrow access when contracts end, services move, or support roles change.
- Segment vendor privileges by reachable systems: separate read, support, admin, and data-export permissions across vendor accounts.
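The three guidance points above (a central vendor identity register, offboarding on business change, and scope segmentation) can be checked mechanically. The following is an added example written for this post, not code from SecurEnds or NHIMG; the register entries, field names and dates are constructed, and the combination of "admin" with "data_export" is treated as a segmentation violation purely to illustrate the point.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class VendorAccess:
    """One row of the vendor identity register (constructed schema)."""
    vendor: str
    identity: str                 # username, service account, API key id, cert CN
    kind: str                     # "user" | "service_account" | "api_key" | "certificate"
    owner: Optional[str]          # internal person/team accountable for this access
    scopes: FrozenSet[str]        # subset of {"read", "support", "admin", "data_export"}
    expires: Optional[date]       # None means no expiry was ever set
    contract_active: bool         # False once the commercial relationship has ended

# Constructed sample register for the example.
SAMPLE_REGISTER: List[VendorAccess] = [
    VendorAccess("Acme Support", "acme-support-01", "user", "it-ops",
                 frozenset({"support"}), date(2025, 12, 31), True),
    VendorAccess("Acme Support", "acme-backup-svc", "service_account", None,
                 frozenset({"admin", "data_export"}), None, True),
    VendorAccess("OldCo", "oldco-api-key", "api_key", "data-eng",
                 frozenset({"read"}), date(2024, 6, 30), False),
]
REVIEW_DATE = date(2025, 6, 1)

def review(entries: List[VendorAccess], today: date) -> Dict[str, List[str]]:
    """Return {identity: [findings]} for every entry that needs action.
    Entries with no findings are omitted, so an empty dict means a clean register."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        f: List[str] = []
        if e.owner is None:
            f.append("no internal owner")          # nobody accountable for this access
        if e.expires is None:
            f.append("no expiry")                  # access lives until someone remembers
        elif e.expires < today:
            f.append("expired")                    # should already be gone
        if not e.contract_active:
            f.append("contract ended: revoke")     # offboard on business change
        if "admin" in e.scopes and "data_export" in e.scopes:
            f.append("admin and data_export on one identity: split")
        if f:
            findings[e.identity] = f
    return findings

def revocation_list(entries: List[VendorAccess], today: date) -> List[str]:
    """Identities to revoke now: contract ended or expiry date passed."""
    return [e.identity for e in entries
            if not e.contract_active or (e.expires is not None and e.expires < today)]
```

Running `review(SAMPLE_REGISTER, REVIEW_DATE)` flags the unowned, never-expiring backup account and the OldCo key, while `revocation_list` returns only the OldCo key as the immediate revocation action.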
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Vendor-by-vendor examples of how external access creates compliance exposure and operational disruption
- Stepwise guidance for building a centralized vendor inventory and risk assessment process
- The article's own discussion of automation, continuous monitoring, and practical TPRM implementation
- Industry-specific examples that show how third-party risk plays out in financial services, healthcare, technology, government, and manufacturing
👉 Read SecurEnds' guide on why third-party risk management matters →
Third-party risk management: what do IAM teams need to change?
Explore further
Third-party risk management is identity governance by another name. Once a vendor has credentials, APIs, certificates, or administrative reach, the question is no longer simply procurement risk. It becomes who can act, for how long, with what scope, and under whose accountability. That is the same governance logic NHIMG applies to human, workload, and service identities. Practitioners should stop treating TPRM as adjacent to IAM and recognise it as an external extension of the same control model.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one weak identity can become a recurring exposure.
A question worth separating out:
Q: How can teams reduce the impact of a compromised supplier account?
A: Teams can reduce impact by segmenting vendor privileges, limiting data reach, and enforcing explicit approval paths for high-risk actions. If a supplier account is compromised, narrow access and separate duties make it harder for the attacker to move from one service into broader enterprise systems.
👉 Read our full editorial: Third-party risk management is now an identity governance issue