
Why do contractors and vendors create such a large access governance problem in factories?

By NHI Mgmt Group Editorial Team | Updated June 25, 2026 | Domain: Governance, Ownership & Risk

Because third parties often need short, specific access to sensitive systems, but operational pressure makes it tempting to reuse staff accounts or leave permissions open too long. That expands audit risk and increases the chance that one maintenance session turns into broad, unintended exposure across systems.

Why This Matters for Security Teams

Contractors and vendors are not just “extra users.” In factories, they often need fast access to production systems, OT-adjacent applications, maintenance portals, remote support tools, and shared service accounts. That creates a governance problem because access is usually granted under pressure, then left in place because operations cannot tolerate delay. The result is a widening gap between what is approved on paper and what is actually usable on the plant floor.

This is why NHI governance guidance in Top 10 NHI Issues and the OWASP Non-Human Identity Top 10 keeps coming back to over-privilege, weak lifecycle control, and poor visibility. For factories, the risk is not only data exposure. A vendor account with broad standing access can touch production scheduling, maintenance interfaces, or safety-relevant systems far beyond the original work order. In the Regulatory and Audit Perspectives guidance, NHIMG consistently frames this as a lifecycle failure, not a one-time provisioning issue. In practice, many security teams encounter the problem only after a maintenance window has already created lingering access, rather than through intentional access expiry.

How It Works in Practice

The governance issue starts with how third-party work actually happens. A vendor may need access for a machine rebuild, firmware update, calibration, or outage support, but the request is often routed through operations, not identity teams. That means the access path tends to be temporary in intent but permanent in implementation unless there is disciplined joiner-mover-leaver handling, time-boxed approval, and revocation tied to the work order.

Best practice is to treat vendor access as a lifecycle with enforced start and end points, not as an exception to normal IAM. In factory environments, that usually means:

  • issuing access only for a defined task, system, and time window;
  • separating vendor identities from employee identities instead of sharing accounts;
  • requiring MFA and strong approval gates for privileged sessions;
  • logging every session into the plant system, especially remote support activity;
  • reviewing entitlements after each engagement, not just at annual recertification.

The NIST Cybersecurity Framework 2.0 reinforces the need for inventory, access control, and continuous oversight, while the Lifecycle Processes for Managing NHIs guidance emphasizes that credentials must be created, scoped, rotated, and retired as part of the same control loop. Where plants also rely on shared jump hosts or remote maintenance tooling, the best control is often session-based access with just-in-time elevation rather than persistent admin rights. These controls tend to break down when vendors service multiple plants through legacy remote access channels because asset owners cannot reliably tie each login to a single work order.
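As an added example (not NHIMG's own code), the following sketch audits active access grants against the work orders that justify them and flags the lifecycle failures described above. All record fields, identities, and work-order IDs are hypothetical, constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: work orders and access grants (all names hypothetical).
WORK_ORDERS = {
    "WO-1001": {"system": "plc-line3", "sponsor": "j.ortiz",
                "end": datetime(2026, 6, 20, 18, 0, tzinfo=timezone.utc)},
    "WO-1002": {"system": "hmi-packaging", "sponsor": "m.chen",
                "end": datetime(2026, 6, 30, 18, 0, tzinfo=timezone.utc)},
}
GRANTS = [
    {"identity": "vendor-acme-01", "type": "vendor", "system": "plc-line3",
     "work_order": "WO-1001", "privileged": True, "mfa": True, "active": True},
    {"identity": "vendor-acme-02", "type": "vendor", "system": "mes-scheduler",
     "work_order": "WO-1002", "privileged": False, "mfa": True, "active": True},
    {"identity": "svc-maint-shared", "type": "shared", "system": "hmi-packaging",
     "work_order": None, "privileged": True, "mfa": False, "active": True},
    {"identity": "vendor-beta-07", "type": "vendor", "system": "hmi-packaging",
     "work_order": "WO-1002", "privileged": True, "mfa": True, "active": True},
]

def audit_grant(grant, work_orders, now):
    """Return the list of governance findings for one active grant."""
    findings = []
    if not grant["active"]:
        return findings
    if grant["type"] != "vendor":           # vendor work done under a non-vendor identity
        findings.append("shared-or-staff-identity")
    wo = work_orders.get(grant["work_order"])
    if wo is None:                           # access with no task behind it
        findings.append("no-work-order")
    else:
        if now > wo["end"]:                  # task finished, access still live
            findings.append("window-expired")
        if grant["system"] != wo["system"]:  # access beyond the work order's scope
            findings.append("out-of-scope-system")
        if not wo.get("sponsor"):            # nobody owns the approval
            findings.append("no-sponsor")
    if grant["privileged"] and not grant["mfa"]:
        findings.append("privileged-without-mfa")
    return findings

def audit(grants, work_orders, now):
    """Map identity -> findings, omitting grants with nothing to report."""
    report = {g["identity"]: audit_grant(g, work_orders, now) for g in grants}
    return {ident: f for ident, f in report.items() if f}

if __name__ == "__main__":
    now = datetime(2026, 6, 25, tzinfo=timezone.utc)
    for ident, found in audit(GRANTS, WORK_ORDERS, now).items():
        print(ident, found)
```

Run on a schedule against the real grant and work-order exports, the `window-expired` and `no-work-order` findings are the ones to feed into automatic revocation.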

Common Variations and Edge Cases

Tighter vendor access often increases operational overhead, requiring organisations to balance production uptime against stronger control. That tradeoff is especially visible in plants with 24/7 operations, unionized maintenance workflows, or long-tail equipment suppliers that still depend on legacy protocols and shared tooling.

There is no universal standard for this yet, but current guidance suggests the strongest patterns are time-bounded access, explicit sponsor ownership, and rapid offboarding after completion. The challenge is that some vendors only support equipment through generic service accounts or emergency bypass procedures. In those cases, the control objective shifts from eliminating shared access entirely to reducing its blast radius through segmentation, session recording, and narrowly scoped approval. NHIMG’s Key Challenges and Risks section and Ultimate Guide to NHIs both reflect the same practical reality: governance fails when access is easier to keep than to retire. Security teams should also distinguish between low-risk informational access and privileged operational access, because the latter can create a production outage if revoked without coordination. That distinction matters most when third parties have standing connectivity into control environments, where approval debt quickly becomes access sprawl.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Vendor accounts often become over-privileged shared NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Third-party access governance is an access control and review problem. |
| CSA MAESTRO | | Third-party automation and remote support need lifecycle governance. |

Bind vendor access to task, time, and sponsor approval, then monitor and revoke it automatically.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.