Vendor access in manufacturing: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Manufacturers are expanding third-party access across IT and OT, but fragmented onboarding, manual reviews, and delayed offboarding are making vendor risk harder to quantify, according to Imprivata and IDC InfoBrief data. The core problem is not access volume alone, but the absence of continuous identity governance for external users.

NHIMG editorial — based on content published by Imprivata: third-party access and vendor risk in manufacturing

By the numbers:

Questions worth separating out

Q: How should security teams govern third-party access in manufacturing environments?

A: Security teams should govern third-party access as a lifecycle, not a one-time approval.

Q: Why do vendors create more IAM risk in OT-connected plants?

A: Vendors increase IAM risk in OT-connected plants because they often need broad, time-sensitive access to systems that were not designed for frequent identity changes.

Q: What breaks when third-party access is managed with spreadsheets?

A: Spreadsheets break down when third-party access scales beyond a handful of users.

Practitioner guidance

  • Map every third-party identity to an owner and expiry: Require a named business owner, technical approver, and removal date for each vendor account, then reconcile those records against active sessions and entitlements on a recurring basis.
  • Separate maintenance access from standing vendor access: Use task-scoped privileges for troubleshooting and patching, then revoke access immediately after the maintenance window closes so permissions do not drift into long-lived standing access.
  • Centralise vendor identity evidence: Keep approvals, entitlements, session logs, and offboarding records in one authoritative system so auditors can trace access from grant to removal without stitching together spreadsheets.

What's in the full article

Imprivata's full analysis covers the operational detail this post intentionally leaves for the source:

  • IDC survey context on manufacturing identity priorities and contractor access pain points.
  • How the vendor frames centralised risk modules for visibility across third-party sessions.
  • Operational examples of automating onboarding, provisioning, and deprovisioning workflows.
  • The manufacturing solutions angle for organisations that need implementation specifics rather than governance analysis.

👉 Read Imprivata's analysis of third-party access and vendor risk in manufacturing →
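
The recurring reconciliation described under "Practitioner guidance" above, as an added example that is not part of the original post or of Imprivata's material. The record fields, account names, finding labels and sample data are constructed assumptions, not a real product schema.

```python
from datetime import datetime, timezone

# Constructed sample data; field names are assumptions for illustration.
ACCOUNTS = [
    {"id": "vendor-plc-01", "owner": "j.ortiz", "approver": "ot-sec", "enabled": True,
     "remove_by": "2025-03-01T00:00:00+00:00", "window_end": "2025-02-10T18:00:00+00:00"},
    {"id": "vendor-hmi-02", "owner": None, "approver": "ot-sec", "enabled": True,
     "remove_by": None, "window_end": None},
    {"id": "vendor-scada-03", "owner": "m.chen", "approver": "it-iam", "enabled": True,
     "remove_by": "2025-01-15T00:00:00+00:00", "window_end": None},
]
SESSIONS = [
    {"account": "vendor-plc-01", "start": "2025-02-11T09:30:00+00:00"},
    {"account": "vendor-scada-03", "start": "2025-02-11T10:00:00+00:00"},
    {"account": "vendor-temp-99", "start": "2025-02-11T11:00:00+00:00"},
]
NOW = datetime(2025, 2, 11, 12, 0, tzinfo=timezone.utc)  # fixed review time for the sample

REQUIRED = (("owner", "NO_OWNER"), ("approver", "NO_APPROVER"), ("remove_by", "NO_REMOVAL_DATE"))

def _ts(value):
    """Parse an ISO 8601 timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None

def reconcile(accounts, sessions, now):
    """Return sorted (account_id, finding) pairs for lifecycle gaps."""
    findings = set()
    by_id = {a["id"]: a for a in accounts}
    for a in accounts:
        # Every vendor account needs an owner, an approver and a removal date.
        for field, label in REQUIRED:
            if not a.get(field):
                findings.add((a["id"], label))
        # Offboarding lag: the removal date has passed but the account is still enabled.
        remove_by = _ts(a.get("remove_by"))
        if a.get("enabled") and remove_by and remove_by <= now:
            findings.add((a["id"], "ENABLED_PAST_REMOVAL_DATE"))
    for s in sessions:
        acct = by_id.get(s["account"])
        if acct is None:
            # Active session with no governance record at all.
            findings.add((s["account"], "SESSION_WITHOUT_RECORD"))
            continue
        # Task-scoped access that is still in use after its maintenance window closed.
        window_end = _ts(acct.get("window_end"))
        if window_end and _ts(s["start"]) > window_end:
            findings.add((s["account"], "SESSION_AFTER_MAINTENANCE_WINDOW"))
    return sorted(findings)

if __name__ == "__main__":
    for account_id, finding in reconcile(ACCOUNTS, SESSIONS, NOW):
        print(f"{account_id}: {finding}")
```
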

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Third-party access is an identity lifecycle problem, not a vendor management problem: The article shows that manufacturers are relying on external access as a normal operating condition, but normality is exactly what makes stale entitlements dangerous. Onboarding, review, and offboarding are being stretched across disconnected systems and manual processes, which means the identity state outlives the business need. The practitioner conclusion is that vendor access must be governed as a lifecycle with the same discipline applied to employee identities.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming a breach and 26% suspecting one.

A question worth separating out:

Q: Who is accountable when a vendor account remains active after the work ends?

A: Accountability sits with the business owner, the technical approver, and the identity team that failed to remove the access. In regulated or safety-sensitive environments, that shared accountability must be explicit, because lingering access is not just an administrative miss. It is a governance failure that can affect compliance, audit evidence, and operational resilience.

👉 Read our full editorial: Third-party access in manufacturing is exposing identity control gaps



   