The prime contractor remains accountable for proving that delegated access was removed or reduced at the right time, even when the access sat with a third party. In CMMC terms, accountability follows the organisation that claims compliance, not the external party that received the access.
Why This Matters for Security Teams
When subcontractor access stays open after a project ends, the risk is not just residual access. It is unresolved accountability. The prime contractor is still the entity that must prove access was removed, reduced, or time-bound at the right moment. That expectation mirrors the broader NHI problem described in the Ultimate Guide to NHIs, where ownership and lifecycle control matter more than who physically held the credential.
This is also where third-party access reviews often fail in practice. Teams may assume the subcontractor's internal offboarding process is enough, but audit evidence usually needs to show the prime's approval, timing, and revocation trail. The OWASP Non-Human Identity Top 10 treats an unmanaged identity lifecycle as a core exposure because stale access is still valid access, whether it belongs to a human, a service account, or a delegated workload.
In practice, many security teams encounter this only after a contract is closed and a later review reveals the access was never formally reduced.
How It Works in Practice
Accountability should be built around the party that authorises access, sets the scope, and must answer for the control failure. For subcontractor arrangements, that usually means the prime contractor defines the access model, enforces expiry dates, and keeps revocation evidence. The subcontractor may operate the access, but the prime owns the compliance outcome.
A practical model is to treat delegated access like any other non-human identity lifecycle. Use short-lived entitlements, project-bound approvals, and documented offboarding triggers. Where possible, issue access through centrally managed federation or just-in-time provisioning rather than long-lived shared accounts. That lets the prime contractor prove when access began, why it existed, and when it ended. The same principle is reinforced in NHIMG research on identity control gaps, including the 52 NHI Breaches Analysis, which shows how lifecycle failures recur when ownership is ambiguous.
For control design, security teams should require:
- Named business owner and technical owner for every delegated account or token
- Expiry dates aligned to contract end dates, not renewal assumptions
- Revocation evidence captured at project closeout
- Periodic access recertification for any access that remains active past milestone completion
- Separate treatment for subcontractor admin access, API access, and automation secrets
This is where CISA Secure by Design guidance is useful because it pushes accountability into the design of the control, rather than into after-the-fact cleanup. These controls tend to break down when subcontractors are given standing access through shared accounts or when offboarding depends on informal email notices instead of system-enforced expiry.
Common Variations and Edge Cases
Tighter subcontractor access control often increases administrative overhead, requiring organisations to balance auditability against operational speed. That tradeoff is real, especially when projects are short, partners are numerous, or access is needed across multiple environments.
There is no universal standard for this yet, but current guidance suggests the prime contractor should retain evidence even when the subcontractor performs the actual deprovisioning. If the subcontractor controls the identity system, the prime still needs contractual clauses, access to the relevant logs, and proof of closure. If the subcontractor uses its own credentials inside the prime's environment, the prime should treat those credentials as in-scope NHIs and validate their removal at project end.
Edge cases appear when access is embedded in automation, vendor support tunnels, or emergency break-glass paths. Those are often missed because they do not look like normal user access. The safest pattern is to document every exception, set a distinct expiry rule for each, and review it under the same owner-reconciliation process described under Key Challenges and Risks. In CMMC-aligned environments, the organisation claiming compliance should assume that any unmanaged third-party access will be treated as its own deficiency until it can prove otherwise.
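The control list under How It Works in Practice and the per-category expiry rules for automation, support tunnels and break-glass paths can be turned into a reconciliation check that the prime runs at project closeout. The following is an added example and is not code from the page or from NHIMG: every identifier, owner name, date, ticket reference, grace period and recertification interval in it is a constructed assumption, not a value from any framework.

```python
"""Closeout reconciliation for subcontractor-held identities (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed policy values (illustrative, not from the page or any framework): how long
# after the contract end date each access category may remain valid, and how often
# still-active access must be recertified. Automation gets a short handover window
# for secret rotation; every other category ends with the contract. A category that
# is not listed is an undocumented exception and is flagged, not given a default.
GRACE_AFTER_CONTRACT_END: Dict[str, timedelta] = {
    "user": timedelta(0),
    "admin": timedelta(0),
    "api": timedelta(0),
    "automation": timedelta(days=14),
    "support_tunnel": timedelta(0),
    "break_glass": timedelta(0),
}
RECERTIFICATION_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class DelegatedIdentity:
    """One subcontractor-held account, token or secret inside the prime's environment."""
    identifier: str
    category: str
    contract_end: date
    business_owner: Optional[str]
    technical_owner: Optional[str]
    expires: Optional[date]             # system-enforced expiry; None means standing access
    active: bool                        # still usable on the review date
    last_recertified: Optional[date]
    revocation_evidence: Optional[str]  # change or ticket reference proving removal


def review(identity: DelegatedIdentity, today: date) -> List[str]:
    """Return the control findings for one identity; an empty list means no gaps."""
    findings: List[str] = []

    grace = GRACE_AFTER_CONTRACT_END.get(identity.category)
    if grace is None:
        findings.append("unknown-category")
        grace = timedelta(0)
    latest_allowed_end = identity.contract_end + grace

    # Every delegated credential needs a named business owner and technical owner.
    if not identity.business_owner or not identity.technical_owner:
        findings.append("missing-owner")

    # Expiry must be system-enforced and tied to the contract, not a renewal assumption.
    if identity.expires is None:
        findings.append("no-expiry")
    elif identity.expires > latest_allowed_end:
        findings.append("expiry-past-contract-end")

    if today > latest_allowed_end:
        # Contract is over: the access must be gone and the prime must hold proof.
        if identity.active:
            findings.append("active-after-contract-end")
        if not identity.revocation_evidence:
            findings.append("no-revocation-evidence")
    elif identity.active and (identity.last_recertified is None
                              or today - identity.last_recertified > RECERTIFICATION_INTERVAL):
        # Contract still running: active access must be recertified periodically.
        findings.append("recertification-overdue")

    return findings


def review_inventory(identities: Iterable[DelegatedIdentity], today: date) -> Dict[str, List[str]]:
    """Map identifier -> findings for every identity that has at least one gap."""
    report: Dict[str, List[str]] = {}
    for identity in identities:
        findings = review(identity, today)
        if findings:
            report[identity.identifier] = findings
    return report


# Constructed sample inventory: hypothetical names, dates and ticket references.
SAMPLE_INVENTORY = [
    DelegatedIdentity("svc-acme-ci", "automation", date(2025, 3, 31), "pm-a", "platform",
                      date(2025, 4, 10), False, date(2025, 1, 15), "CHG-1042"),
    DelegatedIdentity("acme-support-vpn", "support_tunnel", date(2025, 3, 31), "pm-a", None,
                      None, True, None, None),
    DelegatedIdentity("beta-admin", "admin", date(2025, 9, 30), "pm-b", "platform",
                      date(2026, 3, 31), True, date(2024, 12, 1), None),
    DelegatedIdentity("beta-breakglass-01", "break_glass", date(2025, 9, 30), "pm-b", "soc",
                      date(2025, 9, 30), True, date(2025, 4, 15), None),
    DelegatedIdentity("beta-shared-acct", "shared", date(2025, 9, 30), "pm-b", "platform",
                      date(2025, 9, 30), True, date(2025, 4, 1), None),
]
REVIEW_DATE = date(2025, 5, 1)

if __name__ == "__main__":
    for ident, findings in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(f"{ident}: {', '.join(findings)}")
```

Run against the constructed inventory on the assumed review date, the closed automation secret with its ticket reference produces no findings, the support tunnel accumulates four (no technical owner, no expiry, still active after the contract, no revocation proof), the admin account is flagged for an expiry set on a renewal assumption and an overdue recertification, and the account in an undocumented category is reported as an exception rather than quietly given the default rule. The point of keeping every check in one function is that the prime, not the subcontractor, holds the policy and the evidence it is judged against.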
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Delegated access left open is a lifecycle and ownership failure for NHIs. |
| NIST CSF 2.0 | PR.AA-01 | Third-party identities and credentials must be provisioned, reviewed, and removed under access control governance. |
| NIST CSF 2.0 | GV.OC-02 | Accountability for outsourced access belongs to the organisation claiming compliance. |
Assign a named owner and expiry for every subcontractor credential, then revoke it at project closeout.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org