Vendor access in manufacturing: what governance gap teams are missing


(@nhi-mgmt-group)

TL;DR: Manufacturers are managing access for an average of 20 vendors, yet only half maintain a comprehensive inventory, while 59% do not monitor third-party access at all, according to Imprivata. That combination turns vendor access into a supply chain control problem, not just a security hygiene issue.

NHIMG editorial — based on content published by Imprivata: Manufacturers Face Rising Supply Chain Risk from Unmonitored Vendor Access

By the numbers:

Questions worth separating out

Q: How should security teams govern vendor access in manufacturing environments?

A: Security teams should treat vendor access as a governed identity lifecycle, not a one-off exception.

Q: Why do third-party identities create so much risk in industrial environments?

A: Third-party identities create risk because they often bridge operational systems, shared workstations, and external support platforms with broader privileges than internal users would receive.

Q: What do organisations get wrong about privileged vendor access?

A: They often confuse approved access with controlled access.

Practitioner guidance

  • Inventory every vendor and delegated identity: Create a single inventory of third-party accounts, access paths, support IDs, and subcontractor relationships tied to each production system.
  • Convert vendor access to task-scoped just-in-time access: Replace standing vendor privileges with task-scoped access that expires automatically after the support window, maintenance job, or production intervention ends.
  • Extend monitoring to fourth-party connectivity: Track vendor-of-vendor access paths, especially where managed service providers or integrators connect into OT-adjacent environments.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Vendor privileged access management recommendations for manufacturing and OT-adjacent environments.
  • The survey context behind the 20-vendor average and the monitoring gaps reported by respondents.
  • Practical workflow and automation ideas for reducing the 134-hour weekly investigation burden.
  • The article's discussion of CMMC-aligned vendor risk management and continuous audit monitoring.

👉 Read Imprivata's analysis of vendor access risk in manufacturing supply chains →
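
An added example, not part of the original post or of Imprivata's article: one way to check a vendor-access inventory against the three practitioner guidance items above. The field names, vendor names, systems and the 12-hour window ceiling are assumptions, and the inventory is constructed sample data.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=12)  # assumed ceiling for a single support task
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample inventory; "via" names the vendor a subcontractor connects through.
INVENTORY = [
    {"account": "acme-plc-support", "via": None, "system": "line-3-plc", "owner": "ot-eng",
     "granted": "2025-03-01T10:00:00+00:00", "expires": "2025-03-01T18:00:00+00:00",
     "enabled": True, "monitored": True},
    {"account": "robo-integrator-svc", "via": None, "system": "weld-cell-2", "owner": None,
     "granted": "2024-06-10T09:00:00+00:00", "expires": None,
     "enabled": True, "monitored": True},
    {"account": "msp-subcontractor-7", "via": "Northwind MSP", "system": "historian",
     "owner": "it-ops", "granted": "2025-02-20T08:00:00+00:00",
     "expires": "2025-02-20T16:00:00+00:00", "enabled": True, "monitored": False},
    {"account": "hmi-vendor-remote", "via": None, "system": "hmi-panel-5", "owner": "ot-eng",
     "granted": "2025-02-25T00:00:00+00:00", "expires": "2025-03-10T00:00:00+00:00",
     "enabled": True, "monitored": True},
]

def audit(inventory, now):
    """Return (account, finding) pairs for entries that break the guidance."""
    findings = []
    for e in inventory:
        acct = e["account"]
        # Guidance 1: every account is tied to an owner and a production system.
        if not e.get("owner") or not e.get("system"):
            findings.append((acct, "incomplete-inventory"))
        if not e["enabled"]:
            continue  # revoked accounts cannot hold standing access
        # Guidance 2: access is task-scoped and expires on its own.
        if e.get("expires") is None:
            findings.append((acct, "standing-access"))
        else:
            granted = datetime.fromisoformat(e["granted"])
            expires = datetime.fromisoformat(e["expires"])
            if expires <= now:
                findings.append((acct, "expired-still-enabled"))
            elif expires - granted > MAX_WINDOW:
                findings.append((acct, "window-not-task-scoped"))
        # Guidance 3: vendor-of-vendor paths must be monitored.
        if e.get("via") and not e.get("monitored"):
            findings.append((acct, "unmonitored-fourth-party"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(INVENTORY, NOW):
        print(f"{account}: {finding}")
```

The "expired-still-enabled" finding is the case where access was approved with an end date but nothing enforced it.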

(@mr-nhi)

Vendor access is now a production-risk control, not a procurement detail. Manufacturing environments depend on external identities to keep systems running, but that dependence becomes dangerous when access is unmanaged or only partially inventoried. The article’s central finding is that identity governance has moved out of the IT perimeter and into the operating model of the factory. Practitioners should treat vendor access as a production continuity issue with security consequences, not the other way around.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which shows how much of the exposure problem is behavioural as well as technical.

A question worth separating out:

Q: Who is accountable when a vendor’s access causes a breach?

A: Accountability should sit with the organisation that granted or failed to revoke the access, even when the initial connection came through a supplier or managed service provider. Contracts matter, but they do not replace entitlement ownership, session logging, and revocation discipline across the full delegation chain.

👉 Read our full editorial: Unmonitored vendor access is widening manufacturing supply chain risk



   