Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk How should security teams govern third-party access under…
Governance, Ownership & Risk

How should security teams govern third-party access under DORA?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

They should treat third-party access as a regulated identity path, not an exception. That means explicit entitlement scope, named internal ownership, session logging, rapid revocation, and evidence that access remains justified throughout the vendor relationship. If an external user can reach systems without a clear owner and revocation trail, the control is not DORA-ready.

Why This Matters for Security Teams

DORA changes third-party access from a convenience problem into a resilience and evidence problem. If vendors can reach production systems, identities, sessions, and secrets must be governed with the same discipline as internal privileged access. The real issue is not whether access exists, but whether it is scoped, monitored, and revocable on demand. NHI Management Group’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives frames this as a lifecycle control, not a one-time approval.

This matters because third-party pathways often hide the largest exposure. NHIMG research shows that 92% of organisations expose NHIs to third parties, while only 5.7% have full visibility into their service accounts. That visibility gap makes it difficult to prove who had access, why it was granted, and whether it was still justified during an incident. DORA expects firms to demonstrate control over critical ICT dependencies, not simply assert that a vendor contract exists. The operational bar is closer to continuous oversight than periodic review, and that shifts security from static approval to evidence-backed governance. In practice, many security teams encounter third-party overreach only after an audit request or incident has already exposed the missing revocation trail.

How It Works in Practice

Effective DORA-aligned governance starts by treating each third-party user, integration, or support account as a distinct identity path with a named internal owner. That owner is accountable for the business purpose, entitlement scope, approval basis, and retirement date. Access should be issued for the minimum necessary time, with session logging and command-level evidence where the system supports it. For machine-to-machine access, security teams should prefer workload identity and short-lived credentials over shared secrets, because long-lived tokens make revocation slow and forensic attribution weak.

Practitioners generally pair this with three controls: just-in-time provisioning, continuous review, and rapid offboarding. JIT reduces standing access by issuing credentials only when a vendor has an active task. Continuous review checks whether the access still matches the stated business need and the vendor’s contractual scope. Rapid offboarding ensures access is removed when the task ends, the contract changes, or risk conditions shift. Standards such as the NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls remain useful for mapping control ownership, evidence collection, and privileged access expectations.

NHIMG’s Ultimate Guide to NHIs highlights why this matters operationally: 71% of NHIs are not rotated within recommended time frames, and only 20% of organisations have formal offboarding processes for API keys. Those gaps become audit findings fast when third-party access is involved. These controls tend to break down when vendors need emergency support across multiple environments because the business often grants broad, persistent access to preserve uptime.

Common Variations and Edge Cases

Tighter third-party control often increases operational overhead, requiring organisations to balance resilience against vendor responsiveness and incident recovery time. That tradeoff is real, especially for critical service providers, but current guidance suggests the answer is not to relax controls. It is to pre-authorise narrow emergency paths, define break-glass ownership, and require post-use review with evidence. DORA does not eliminate urgency; it requires that urgency be governed.

There is no universal standard for every access pattern yet, particularly for managed services, outsourced SOC functions, and ephemeral API integrations. In those cases, best practice is evolving toward risk-tiered access models: stricter logging and shorter TTLs for high-impact systems, and more traditional review cycles for lower-risk environments. The EU Digital Operational Resilience Act (DORA) is the regulatory anchor, while the OWASP Non-Human Identity Top 10 helps security teams translate that requirement into identity and secrets hygiene. Where vendors insist on shared accounts or static credentials, the risk is not only over-privilege but also the inability to prove revocation, which weakens both resilience and auditability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the technical controls, and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
DORADirectly governs third-party ICT risk, access oversight, and evidence expectations.
OWASP Non-Human Identity Top 10NHI-03Third-party access often depends on weak rotation and static secrets.
NIST CSF 2.0PR.AC-4Supports least-privilege, controlled access, and entitlement review.
NIST Zero Trust (SP 800-207)SP 800-207DORA-ready access benefits from continuous verification and no implicit trust.
NIST AI RMFUseful for accountability, governance, and risk monitoring of autonomous access paths.

Assign ownership, monitor residual risk, and document decisions for every third-party identity path.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org