TL;DR: Manufacturers are facing rising supply chain risk as third-party access goes unmonitored, with Imprivata reporting that 42% experienced third-party related breaches in the past year and 35% of those stemmed from excessive vendor privileges. The security problem is not access volume alone, but weak inventory, poor monitoring, and overprivileged contractor pathways.
NHIMG editorial — based on content published by Imprivata: Manufacturers Face Rising Supply Chain Risk from Unmonitored Vendor Access
By the numbers:
- 42% of manufacturers experienced third-party related breaches in the past year, with 35% of those incidents stemming from excessive vendor privileges.
- 59% don’t monitor third-party access at all.
Questions worth separating out
Q: What breaks when vendor access is not inventoried in manufacturing environments?
A: When vendor access is not inventoried, least privilege, review, and revocation controls all lose their reference point.
Q: Why do third-party identities increase supply chain risk more than internal users do?
A: Third-party identities usually cross organisational boundaries, support tools, and remote maintenance channels, which makes entitlement scope harder to constrain and monitor.
Q: How do security teams know if vendor access controls are actually working?
A: They should be able to prove that every external identity is inventory-backed, time-bounded, and tied to a specific system and owner.
Practitioner guidance
- Establish a complete vendor identity inventory: Create a live inventory of every third-party account, credential, remote support path, and privileged session tied to production or supply chain systems.
- Limit every contractor to one task and one system: Apply least privilege so each external identity has a named business purpose, a narrow system boundary, and a defined expiry condition.
- Include fourth-party access in supplier reviews: Ask vendors to disclose downstream support chains, subcontractors, and platform dependencies that can touch your environment.
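One way to turn the "inventory-backed, time-bounded, tied to a specific system and owner" test into a repeatable check is sketched below. This is an added example, not code from Imprivata or NHIMG; the record fields, account names, and the idea of comparing the inventory against an export of enabled external accounts are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data (not from the source article): an inventory of
# third-party identities and the external accounts actually seen enabled
# in a directory or remote-access export. All field names are assumptions.
INVENTORY = [
    {"id": "vnd-plc-maint", "owner": "ot-ops", "purpose": "PLC firmware update",
     "systems": ["line3-plc"], "expires": date(2025, 7, 1)},
    {"id": "vnd-erp-support", "owner": "", "purpose": "ERP support",
     "systems": ["erp-prod", "erp-db", "mes"], "expires": None},
    {"id": "vnd-hvac", "owner": "facilities", "purpose": "HVAC commissioning",
     "systems": ["bms-gw"], "expires": date(2025, 1, 31)},
]
ENABLED_ACCOUNTS = ["vnd-plc-maint", "vnd-erp-support", "vnd-hvac", "vnd-legacy-scada"]


def audit_vendor_access(inventory, enabled_accounts, today):
    """Return {identity: [findings]} for identities that fail a check."""
    findings = {}
    by_id = {rec["id"]: rec for rec in inventory}
    for account in enabled_accounts:
        rec = by_id.get(account)
        if rec is None:
            # Enabled externally but unknown to the inventory.
            findings[account] = ["not inventory-backed"]
            continue
        issues = []
        if not rec.get("owner"):
            issues.append("no owner")
        if not rec.get("purpose"):
            issues.append("no named purpose")
        if len(rec.get("systems", [])) != 1:
            issues.append("not scoped to one system")
        expires = rec.get("expires")
        if expires is None:
            issues.append("no expiry")
        elif expires < today:
            issues.append("expired but still enabled")
        if issues:
            findings[account] = issues
    return findings


if __name__ == "__main__":
    for ident, issues in audit_vendor_access(INVENTORY, ENABLED_ACCOUNTS, date(2025, 6, 1)).items():
        print(f"{ident}: {', '.join(issues)}")
```

An empty result is the evidence the Q&A above asks for: every enabled external account maps to an inventory record with an owner, a purpose, a single system, and an unexpired end date.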
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The survey framing behind the manufacturing access-risk figures and how respondents interpreted third-party exposure
- The vendor access control and credential management practices discussed for industrial and OT-adjacent environments
- The workflow automation, MFA, and just-in-time access guidance used to reduce manual investigation overhead
- The manufacturing context behind shared workstations, legacy OT networks, and fourth-party dependency risk
Unmonitored vendor access in manufacturing: what IAM teams miss?
Explore further
Vendor access without lifecycle offboarding: This article exposes a familiar failure mode in industrial identity governance. Vendor identities are granted for a project, maintenance need, or production dependency, but the relationship outlives the access review that should have ended it. The breach pattern is not absence of access, but access that remains active after the business reason has moved on. Practitioners should treat every external identity as temporary unless a current control owner can prove otherwise.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which underscores how quickly access assumptions break down at scale.
A question worth separating out:
Q: Who is accountable when a vendor’s access leads to a breach?
A: Accountability sits with the organisation that granted the access, because third-party risk is still governance risk. Procurement, security, OT operations, and system owners all have a role, but the business must define who owns approval, review, and revocation before the vendor ever connects to production systems.