
Why do third-party risk management frameworks fail when inventory is incomplete?

By NHI Mgmt Group Editorial Team · Updated June 6, 2026 · Domain: Governance, Ownership & Risk

They fail because the organisation cannot govern what it cannot see. If vendors, accounts, integrations, and data access are spread across teams and systems, risk scoring becomes unreliable and offboarding is easily missed. Incomplete inventory turns vendor governance into an assumption rather than a control.

Why This Matters for Security Teams

Third-party risk programs usually assume a stable vendor list, a clean ownership model, and a reliable path to remove access when a relationship ends. In reality, incomplete inventory breaks all three. If procurement, IT, security, and engineering each track different sets of vendors, accounts, API keys, service connections, and data-sharing agreements, then scoring becomes subjective and offboarding becomes partial. That is exactly how dormant access persists long after a contract changes. NHI governance guidance in the Top 10 NHI Issues and NIST Cybersecurity Framework 2.0 both point to the same operational reality: asset visibility is a prerequisite for control, not a reporting detail.

This matters even more because third-party access is often indirect. Vendors may not hold a named user account at all; they may operate through service principals, API tokens, CI/CD credentials, or embedded integrations that sit outside the standard vendor register. Without inventory that captures those NHI relationships, due diligence can look complete while actual exposure remains ungoverned. The risk is not just missed review cycles. It is missed enforcement of JIT access, missing revocation, and inaccurate assumptions about who can reach sensitive systems. The OWASP Non-Human Identity Top 10 treats this as a core identity problem, not a paperwork issue. In practice, many security teams encounter vendor access drift only after an incident forces a cross-system reconciliation, rather than through intentional governance.

How It Works in Practice

Effective third-party risk management starts with an inventory that is broad enough to capture the full access surface, not just the contract. That means recording the vendor, the business owner, the systems touched, the NHI assets involved, the data classes exposed, the credential type in use, and the review or revocation owner. Current guidance suggests treating secrets, service accounts, OAuth grants, API tokens, and machine-to-machine links as first-class third-party artefacts. The NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both emphasize that lifecycle control depends on knowing when identity is created, used, rotated, and retired.

Practically, that means risk teams should:

  • join procurement records with IAM, cloud, SaaS, and CI/CD inventories so vendors are tied to actual access paths;
  • map each third-party NHI to an owner, a purpose, a data scope, and a revocation trigger;
  • require JIT or time-bound access where a vendor needs operational entry rather than standing privilege;
  • use periodic attestation to verify that dormant integrations, forgotten tokens, and inherited permissions have been removed;
  • feed findings into the broader control set in NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.

Where this becomes most reliable is when inventory is tied to enforcement, not spreadsheets. If an unregistered integration cannot be issued credentials, cannot be approved for data access, and cannot pass review without an accountable owner, the framework becomes operational. These controls tend to break down in federated enterprises with shadow IT, regional procurement, and unmanaged machine-to-machine integrations because no single team sees the full vendor-to-identity chain.
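The reconciliation and enforcement gate described above, as an added Python example that is not part of this FAQ or any NHIMG tooling. The vendor register and NHI inventory records are constructed sample data, and the field names (`vendor_id`, `owner`, `purpose`, `data_scope`, `revocation_trigger`, `last_used`) are assumptions about how such a register might be laid out. It joins the procurement view to the identity view, reports unmapped, unowned, dormant and post-termination access, and refuses credential issuance to anything not registered to an active vendor with an accountable owner.

```python
"""Join a procurement vendor register to machine-identity inventories and
report gaps in the vendor-to-identity chain. Added example, not NHIMG code;
every record and field name below is a constructed assumption."""
from datetime import date, timedelta

# Constructed vendor register, roughly as procurement might hold it.
VENDOR_REGISTER = {
    "vnd-001": {"name": "Acme Payroll", "status": "active"},
    "vnd-002": {"name": "Beta Analytics", "status": "terminated"},
}

# Constructed NHI inventory merged from IAM, cloud and CI/CD exports. Each
# record names the vendor it serves (None when no mapping was ever recorded).
NHI_INVENTORY = [
    {"id": "sp-acme-sync", "source": "iam", "vendor_id": "vnd-001",
     "owner": "finance-lead", "purpose": "payroll export", "data_scope": "hr",
     "revocation_trigger": "contract_end", "last_used": date(2026, 6, 1)},
    {"id": "tok-beta-etl", "source": "cloud", "vendor_id": "vnd-002",
     "owner": "data-lead", "purpose": "warehouse read", "data_scope": "analytics",
     "revocation_trigger": "contract_end", "last_used": date(2026, 3, 2)},
    {"id": "ci-deploy-key", "source": "cicd", "vendor_id": None,
     "owner": None, "purpose": None, "data_scope": "prod",
     "revocation_trigger": None, "last_used": date(2025, 9, 14)},
]

# Every third-party NHI must carry an owner, a purpose, a data scope and a
# revocation trigger; anything unused for longer than this is dormant.
REQUIRED_FIELDS = ("owner", "purpose", "data_scope", "revocation_trigger")
DORMANT_AFTER = timedelta(days=90)
TODAY = date(2026, 6, 6)  # constructed "now" for the sample run


def reconcile(register, inventory, today):
    """Return (nhi_id, finding) pairs for every gap found in the join."""
    findings = []
    for nhi in inventory:
        vendor = register.get(nhi.get("vendor_id"))
        if vendor is None:
            findings.append((nhi["id"], "unregistered: no vendor mapping"))
        elif vendor["status"] != "active":
            findings.append((nhi["id"], f"offboarding gap: {vendor['name']} is "
                                        f"{vendor['status']} but access remains"))
        for field_name in REQUIRED_FIELDS:
            if not nhi.get(field_name):
                findings.append((nhi["id"], f"missing {field_name}"))
        if today - nhi["last_used"] > DORMANT_AFTER:
            findings.append((nhi["id"], f"dormant: unused for {DORMANT_AFTER.days}+ days"))
    return findings


def may_issue_credential(register, nhi):
    """Enforcement gate: credentials go only to an NHI registered to an active
    vendor and mapped to an accountable owner."""
    vendor = register.get(nhi.get("vendor_id"))
    return vendor is not None and vendor["status"] == "active" and bool(nhi.get("owner"))


def findings_by_vendor(register, inventory, today):
    """Group findings by vendor so a reviewer sees the whole chain at once;
    identities with no mapping land under "(unmapped)"."""
    grouped = {}
    by_id = {n["id"]: n for n in inventory}
    for nhi_id, finding in reconcile(register, inventory, today):
        vendor = register.get(by_id[nhi_id].get("vendor_id"))
        name = vendor["name"] if vendor else "(unmapped)"
        grouped.setdefault(name, []).append((nhi_id, finding))
    return grouped


if __name__ == "__main__":
    for name, items in findings_by_vendor(VENDOR_REGISTER, NHI_INVENTORY, TODAY).items():
        print(name)
        for nhi_id, finding in items:
            print(f"  {nhi_id}: {finding}")
```

On the sample data the clean record (`sp-acme-sync`) produces no findings, the terminated vendor's token is reported as both an offboarding gap and dormant, and the unmapped CI/CD key collects an unregistered finding plus one for each missing field; only the first record passes the issuance gate. In a real deployment the two dictionaries would be replaced by exports from the procurement system and the identity providers, and the gate would sit in front of the credential-issuing workflow.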

Common Variations and Edge Cases

Tighter inventory and access reconciliation often increase onboarding effort and review overhead, so organisations have to balance speed against control. That tradeoff becomes sharper for cloud marketplaces, SaaS-to-SaaS automations, and embedded partner tooling, where the “vendor” may be a platform, a subprocessor, or a service account created by a business team without security involvement. Best practice is evolving here, and there is no universal standard for how much indirect access should be captured in a single register, but the direction is clear: if a third party can influence systems or data, it belongs in scope.

One common edge case is ephemeral access. If a vendor uses JIT credentials for a narrowly bounded task, the inventory must record the authority to issue that access, the expected TTL, and the revocation path, not just the existence of the vendor relationship. Another is inherited access through acquisitions or shared infrastructure, where the risk is hidden behind platform teams and legacy accounts. The 52 NHI Breaches Report and 52 NHI Breaches Analysis show why this matters: gaps in identity governance are rarely isolated, and incomplete visibility tends to turn one missed vendor into multiple missed controls. In practice, third-party risk frameworks fail fastest where the organisation treats access reviews as a vendor exercise instead of an identity exercise.
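The ephemeral-access record described above, as an added Python example that is not part of this FAQ or any NHIMG tooling. Each constructed grant carries the three things the text says the inventory must hold (issuing authority, expected TTL, revocation path), and the audit flags grants that lack any of them or that outlived their TTL without being revoked, which is the point at which "JIT" has silently become standing access. The `JitGrant` fields and all sample values are assumptions.

```python
"""Audit ephemeral (JIT) third-party grants for issuing authority, TTL and
revocation path, and for expiry that was never enforced. Added example, not
NHIMG code; the dataclass layout and every record below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class JitGrant:
    grant_id: str
    vendor: str
    issued_by: Optional[str]          # authority that approved issuance
    issued_at: datetime
    ttl: Optional[timedelta]          # None means nothing bounds the access
    revocation_path: Optional[str]    # how the access is actually torn down
    revoked_at: Optional[datetime] = None

    def expires_at(self) -> Optional[datetime]:
        return self.issued_at + self.ttl if self.ttl is not None else None


# Constructed "now" and sample grants for the run below.
NOW = datetime(2026, 6, 6, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    # In order: approved, time-bound, revocation documented, still inside TTL.
    JitGrant("jit-100", "Acme Payroll", "change-ticket-4411",
             datetime(2026, 6, 6, 10, 0, tzinfo=timezone.utc), timedelta(hours=4),
             "runbook: revoke-vendor-session"),
    # TTL elapsed yesterday but nobody revoked it.
    JitGrant("jit-101", "Beta Analytics", "oncall-data",
             datetime(2026, 6, 5, 9, 0, tzinfo=timezone.utc), timedelta(hours=2),
             "runbook: revoke-vendor-session"),
    # Recorded as JIT in the vendor register but is really standing access.
    JitGrant("jit-102", "Gamma Support", None,
             datetime(2026, 1, 10, 8, 0, tzinfo=timezone.utc), None, None),
]


def audit_grant(grant: JitGrant, now: datetime) -> list:
    """Return the governance issues for one grant; an empty list means it is in order."""
    issues = []
    if not grant.issued_by:
        issues.append("no issuing authority recorded")
    if grant.ttl is None:
        issues.append("no TTL: this is standing access, not JIT")
    if not grant.revocation_path:
        issues.append("no revocation path")
    expiry = grant.expires_at()
    if expiry is not None and now > expiry and grant.revoked_at is None:
        issues.append("expired but never revoked")
    return issues


def overdue_by(grant: JitGrant, now: datetime) -> Optional[timedelta]:
    """How long an expired, unrevoked grant has outlived its TTL (None if not overdue)."""
    expiry = grant.expires_at()
    if expiry is None or grant.revoked_at is not None or now <= expiry:
        return None
    return now - expiry


def audit_all(grants, now):
    """Map each grant id to its list of issues."""
    return {g.grant_id: audit_grant(g, now) for g in grants}


if __name__ == "__main__":
    for gid, issues in audit_all(GRANTS, NOW).items():
        print(gid, "OK" if not issues else "; ".join(issues))
```

The useful output is the third record: it would pass a vendor-centric review (the relationship is known and documented) while failing every identity-centric check, and the second record shows why the revocation path has to be exercised, not merely written down. Feeding `overdue_by` into alerting gives the periodic attestation step something concrete to act on.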

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Incomplete inventory is an identity discovery failure at the root of NHI governance. |
| NIST CSF 2.0 | ID.AM-1 | Asset management depends on a complete inventory of vendors and connected identities. |
| NIST AI RMF | GOVERN | Governance fails when third-party AI and automation are not inventoried and assigned accountability. |

Assign ownership and oversight for every third-party automated identity or workflow.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 6, 2026.