Because the regulation holds the institution accountable for delegated access even when a vendor or partner operates the system. If access survives the business relationship, or if offboarding is not formalised, the organisation keeps the risk without the ability to prove control.
Why This Matters for Security Teams
Third-party access paths are risky because they extend trusted access outside the institution’s direct operational control while leaving the institution accountable for the outcome. Under NYDFS expectations, that means a vendor connection is not a compliance shortcut. It is still part of the regulated control environment, especially when credentials, API keys, service accounts, or shared admin paths remain active after the contract changes. That is why offboarding, entitlement review, and evidence of revocation matter as much as the original approval.
The practical problem is visibility. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives notes that many organisations still lack formal offboarding and revocation discipline for non-human access, which makes it difficult to prove control after a vendor relationship ends. NYDFS risk also compounds when third parties rely on long-lived secrets or unmanaged service accounts, a pattern discussed in the OWASP Non-Human Identity Top 10. In practice, many security teams only discover third-party exposure during contract termination, incident response, or audit evidence collection, rather than through intentional access lifecycle management.
At NHIMG, the core issue is not simply that vendors are connected. It is that third-party access often outlives the business need, and once that happens, compliance becomes a question of whether the institution can demonstrate timely control rather than whether the access was originally justified.
How It Works in Practice
A defensible third-party access program starts by treating every vendor path as a distinct identity lifecycle, not just a contract term. That means inventorying human and non-human access, mapping each credential or account to a business owner, and defining the exact condition under which it must be revoked. For NYDFS purposes, the institution should be able to show who approved access, what it can do, when it was last used, and how it is removed when the relationship changes.
In operational terms, the strongest pattern is short-lived access tied to explicit purpose. Current guidance suggests moving away from shared, standing credentials and toward just-in-time access, ephemeral secrets, and workload identity where possible. That is especially important for service-to-service or integrator accounts, because the risk is not merely overprivilege. It is that a vendor path can remain valid long after the oversight relationship has ended.
- Use separate identities for each vendor, system, and use case.
- Prefer time-bound access with automatic expiration over permanent credentials.
- Require evidence of deprovisioning, not just a ticket stating that access was removed.
- Review third-party privilege during onboarding, renewal, and termination.
- Log access and revocation actions so audit teams can reconstruct the full lifecycle.
The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is explicit that offboarding is a control point, not an administrative afterthought, and the 52 NHI Breaches Analysis shows how often exposed identities persist into incident conditions. These controls tend to break down when multiple vendors share the same integration account because attribution, revocation, and audit evidence become inseparable.
Common Variations and Edge Cases
Tighter third-party access controls often increase operational overhead, requiring organisations to balance auditability against integration speed and vendor convenience. That tradeoff becomes sharper in legacy environments, where shared accounts, flat network paths, and brittle application dependencies make clean offboarding difficult. Best practice is evolving, but there is no universal standard for every implementation detail yet.
One common edge case is a vendor that needs intermittent administrative access. In that scenario, standing privileges are hard to justify, but fully manual approval flows can create delays that business teams try to bypass. Another is a managed service provider that administers systems on behalf of multiple clients. If identity separation is weak, access evidence may satisfy a ticket review while still failing to prove that the institution can independently revoke access at the moment the relationship ends.
Third-party API access is another frequent blind spot. Secrets stored in CI/CD, scripts, or configuration files may remain valid even after the vendor is removed from the contractual scope. That is why current practice increasingly pairs contract controls with technical controls such as secret rotation, token TTL enforcement, and centralised logging. The broader NHI risk picture described in the Ultimate Guide to NHIs and the Top 10 NHI Issues shows why compliance problems often emerge first as access sprawl and only later as a formal audit finding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Third-party paths hinge on controlled access and identity proofing. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Standing secrets and weak revocation are core third-party NHI risks. |
| NIST AI RMF | AI risk governance fits delegated access accountability and oversight. |
Assign clear accountability, monitor external dependencies, and document control decisions for each vendor path.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
