TL;DR: Zero trust programmes still leave a major opening when vendor and contractor access is not governed consistently: only 36% of health IT leaders say a privileged access strategy is applied consistently enterprise-wide, according to research by Imprivata and the Ponemon Institute. The gap shows that continuous verification is incomplete without lifecycle control over third-party identities and the access paths they use.
NHIMG editorial — based on content published by Imprivata: Zero Trust Efforts Fall Short When Vendor Access Is Ignored
By the numbers:
- Only 36% of health IT leaders say their organisations have a privileged access strategy applied consistently enterprise-wide.
- Imprivata says vendor privileged access management can improve IT efficiency by as much as 88% in some cases.
Questions worth separating out
Q: How should security teams govern vendor access in a zero trust programme?
A: They should treat vendor access as part of the core identity model, not as a separate remote support exception.
Q: Why do vendors and contractors weaken zero trust if they are not included in PAM?
A: Because zero trust depends on consistent policy enforcement across every identity that can reach sensitive systems.
Q: What breaks when third-party access is excluded from privileged access reviews?
A: Auditability breaks first, followed by entitlement accuracy and offboarding discipline.
Practitioner guidance
- Extend privileged access coverage to vendor identities: inventory all vendor, contractor, and fourth-party accounts that can reach production, admin consoles, or sensitive data.
- Apply task-scoped access expiry to external users: replace persistent vendor entitlements with access that expires when the task ends or the contract changes.
- Vault and rotate every third-party credential: store vendor credentials in a controlled vault and rotate them on a defined schedule, especially where remote support or shared admin access exists.
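The three guidance points above are only useful if they can be checked against an actual account inventory. The script below is an added example written for this post; it is not code from Imprivata or from the source article. It runs the three checks (coverage of privileged scopes, task-scoped expiry tied to the contract, vaulting and rotation) over a constructed inventory of vendor accounts and reports policy findings per account. The `VendorAccount` fields, the finding codes, the 90-day rotation window, the requirement that privileged access reference a ticket, and the sample accounts are all assumptions made for the example, not values from the source.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy parameters (not from the source article).
ROTATION_MAX_DAYS = 90
PRIVILEGED_SCOPES = {"production", "admin-console", "sensitive-data"}


@dataclass
class VendorAccount:
    """One third-party identity as it would appear in an access inventory."""
    account: str
    vendor: str
    scope: str                          # e.g. "production", "admin-console", "support"
    contract_end: Optional[date]        # None = contract end date not recorded
    access_expires: Optional[date]      # None = persistent entitlement, no expiry
    vaulted: bool                       # credential held in a controlled vault
    last_rotated: Optional[date]        # None = credential never rotated
    ticket: Optional[str] = None        # task/change reference the access is scoped to


def audit_vendor_access(accounts: List[VendorAccount], today: date,
                        rotation_max_days: int = ROTATION_MAX_DAYS) -> Dict[str, List[str]]:
    """Return a sorted list of finding codes per account (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        findings: List[str] = []

        # Task-scoped expiry: every external entitlement must expire, and never
        # later than the contract that justifies it.
        if a.access_expires is None:
            findings.append("PERSISTENT_ENTITLEMENT")
        elif a.contract_end is not None and a.access_expires > a.contract_end:
            findings.append("EXPIRY_AFTER_CONTRACT_END")

        # Offboarding discipline: a contract that has ended should leave no live access.
        if a.contract_end is None:
            findings.append("NO_CONTRACT_END")
        elif a.contract_end < today:
            findings.append("CONTRACT_ENDED_STILL_ACTIVE")

        # Vault and rotate: credential must be vaulted and rotated on schedule.
        if not a.vaulted:
            findings.append("CREDENTIAL_NOT_VAULTED")
        if a.last_rotated is None or (today - a.last_rotated).days > rotation_max_days:
            findings.append("ROTATION_OVERDUE")

        # Coverage: privileged reach without a task reference is unreviewable access.
        if a.scope in PRIVILEGED_SCOPES and a.ticket is None:
            findings.append("NO_TASK_REFERENCE")

        report[a.account] = sorted(findings)
    return report


# Constructed sample inventory; names, dates and vendors are invented for the example.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-acmeimaging-remote", "Acme Imaging", "production",
                  contract_end=date(2024, 12, 31), access_expires=None,
                  vaulted=True, last_rotated=date(2024, 5, 15)),
    VendorAccount("ctr-northwind-dba", "Northwind Consulting", "admin-console",
                  contract_end=date(2024, 3, 31), access_expires=date(2024, 9, 30),
                  vaulted=False, last_rotated=date(2023, 11, 1), ticket="CHG-1042"),
    VendorAccount("vnd-helpdesk-tier2", "Contoso Support", "support",
                  contract_end=date(2025, 1, 31), access_expires=date(2024, 6, 7),
                  vaulted=True, last_rotated=date(2024, 4, 20), ticket="INC-77810"),
    VendorAccount("sub-contoso-fourthparty", "Contoso subcontractor", "sensitive-data",
                  contract_end=None, access_expires=date(2024, 6, 30),
                  vaulted=True, last_rotated=None, ticket="INC-77810"),
]


def main() -> None:
    for account, findings in audit_vendor_access(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        status = "OK" if not findings else ", ".join(findings)
        print(f"{account:28s} {status}")


if __name__ == "__main__":
    main()
```

Only the help-desk account passes: its access expires before the contract does, it is vaulted, rotated within the window, and tied to a ticket. The fourth-party account shows why the inventory step matters: with no recorded contract end date, the expiry cannot be tied to anything, and the credential has never been rotated, both of which are invisible if subcontractors are not in the inventory at all.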
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor frames MFA, credential vaults, and least privilege as immediate steps for zero trust programmes.
- The vendor's perspective on replacing VPNs with remote access tools that enforce real-time identity verification and granular controls.
- The specific role of PAM and vendor privileged access management in compliance and IT efficiency claims.
- The source article's own recommendations for organisations trying to adopt zero trust without slowing operations.
👉 Read Imprivata's analysis of vendor access gaps in zero trust →