Vendor management and offboarding: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Vendor management breaks down when organisations treat supplier relationships as a process problem instead of a lifecycle and access problem, according to Zluri. The real governance gap is not communication, but controlling onboarding, access revocation, and offboarding consistently across external identities and their privileges.

NHIMG editorial — based on content published by Zluri: Vendor Management Top 8 Vendor Management Skills & How to Develop Them

Questions worth separating out

Q: How should organisations govern vendor access as part of identity management?

A: Treat vendor access as a lifecycle-controlled identity, not as a loose operational convenience.

Q: Why do vendor relationships create identity governance risk?

A: Vendor relationships create risk because they often generate persistent access that survives the commercial relationship.

Q: What breaks when vendor offboarding is handled informally?

A: Informal offboarding usually leaves behind active accounts, shared secrets, and unreviewed SaaS entitlements.

Practitioner guidance

  • Map every vendor relationship to an identity owner: Assign a named business owner and an IAM owner for each external vendor account, seat, token, or delegated connection.
  • Inventory vendor-issued access as NHI assets: Record SaaS admin seats, API keys, shared logins, certificates, and support accounts in the same inventory used for machine identities.
  • Trigger revocation on contract and relationship changes: Tie offboarding workflows to contract end dates, scope changes, and vendor role changes.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step vendor management skill development guidance for procurement and relationship teams
  • Practical examples of using automation for purchase orders, invoices, and internal requisition workflows
  • How Zluri says its platform handles vendor access, deprovisioning, and offboarding workflow
  • Business-facing guidance on building communication, networking, and negotiation capability

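An added example, not part of the post above or of Zluri's article: one way to check a vendor access inventory against the three practitioner guidance points (named owners, inventoried access, revocation tied to contract and scope changes). The record fields, finding labels and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VendorAccess:
    vendor: str
    asset: str                      # api_key, saas_admin_seat, shared_login, ...
    business_owner: Optional[str]
    iam_owner: Optional[str]
    contract_end: Optional[date]
    active: bool
    scope_changed: Optional[date] = None   # last contract scope or role change
    last_reviewed: Optional[date] = None   # last entitlement review


def audit(inventory, today):
    """Return (vendor, asset, finding) for every active record that breaks a rule."""
    findings = []
    for r in inventory:
        if not r.active:
            continue  # already revoked
        if not r.business_owner or not r.iam_owner:
            findings.append((r.vendor, r.asset, "missing_owner"))
        if r.contract_end is None:
            findings.append((r.vendor, r.asset, "no_contract_end_date"))
        elif r.contract_end < today:
            findings.append((r.vendor, r.asset, "active_after_contract_end"))
        if r.scope_changed and (r.last_reviewed is None or r.last_reviewed < r.scope_changed):
            findings.append((r.vendor, r.asset, "unreviewed_since_scope_change"))
    return findings


# Constructed sample inventory (all names and dates are made up).
INVENTORY = [
    VendorAccess("acme-support", "saas_admin_seat", "j.doe", "iam-team", date(2025, 12, 31), True),
    VendorAccess("acme-support", "api_key", "j.doe", None, date(2025, 12, 31), True,
                 scope_changed=date(2025, 1, 10), last_reviewed=date(2024, 11, 1)),
    VendorAccess("oldco", "shared_login", "m.lee", "iam-team", date(2024, 6, 30), True),
    VendorAccess("oldco", "certificate", "m.lee", "iam-team", date(2024, 6, 30), False),
    VendorAccess("newco", "api_key", None, None, None, True),
]

if __name__ == "__main__":
    for vendor, asset, finding in audit(INVENTORY, date(2025, 1, 15)):
        print(f"{vendor:14} {asset:16} {finding}")
```

Running the audit on a schedule and on every contract change event turns the offboarding step into a recurring check rather than a one-off ticket.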
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Vendor management becomes an identity lifecycle problem the moment access is created. The article frames vendor management as relationship skill, but the governance risk sits in the access that relationship creates. Once a supplier gets credentials, seats, or delegated permissions, the control question changes from communication quality to lifecycle discipline. Practitioners should read this as a reminder that external access is never just commercial administration.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable for third-party access removal?

A: Accountability should be shared between the business owner who approved the relationship and the identity team that enforces revocation. Procurement can confirm the contract status, but only the access owners can ensure credentials and entitlements are actually removed. Without that split, offboarding becomes a paperwork exercise instead of a control.
