The state of third-party access security: Are we gaining ground or spinning wheels?
Our latest Imprivata thought leadership blog examines the continued challenges of third-party access management, plus best practices to mitigate risks.
“Not enough. And not fast enough.”
That’s the bottom-line progress assessment by Imprivata leaders on the current state of vendor privileged access risk management. Here’s a look at some key obstacles hindering organizations’ progress, and how they can overcome them.
A look back: Learning from landmark breaches
As organizations outsource more critical operations — IT support, software development, revenue cycle management, facilities, and managed security — third-party access has become one of the most common pathways into their environments. In fact, nearly half of organizations have experienced a breach or attack involving a third-party vendor. Two high-profile incidents illustrate the stakes and the patterns that repeat.
The 2024 Change Healthcare breach is a stark reminder that “basic” identity controls still fail in real life. At the start of many third-party incidents is something deceptively simple: an account that had legitimate access but lacked strong protections like multifactor authentication (MFA). When attackers obtain valid credentials (through phishing, password reuse, credential stuffing, or malware), missing or weak MFA turns a vendor account into a front door.
Go back further and the lesson is the same. The Target breach more than a decade ago revealed what security professionals already knew: an attacker doesn’t need to defeat the “main” organization head-on. They can compromise a smaller vendor, steal credentials through phishing, then pivot into a large enterprise through trusted connections. Target mattered not just because of the scale and brand recognition — it mattered because it demonstrated how supply chain access can turn a single compromised account into broad business disruption.
The real impact of third-party breaches goes well beyond the initial intrusion. There are direct costs — incident response, remediation, legal and regulatory exposure, downtime, and customer notifications. But there are also indirect and longer-term consequences: lost trust, churn, delayed projects, and months of effort spent re-evaluating vendor relationships and access models. In many cases, the damage isn’t just about what was stolen — it’s about the interruption of operations and the lingering question customers and partners ask afterward: “Can we still trust you with our data?”
Third-party access management: Challenges and issues
Third-party access management is hard for one reason above all: every organization depends on vendors, and those vendors genuinely need access to do their jobs. That dependence creates a constant tension between enabling easy access to critical work and controlling risk. Here are the challenges that consistently trip organizations up:
Too many vendors, too little visibility. Most environments aren’t dealing with a handful of partners — they’re dealing with dozens, and in sectors like healthcare and manufacturing, sometimes hundreds. Without a reliable inventory of who has access to what, security teams are forced to operate on assumptions. And if you can’t confidently answer “who has access?” it becomes nearly impossible to answer “who shouldn’t?”
Unclear ownership and inconsistent process. Third-party access often falls into a gray zone between IT, security, procurement, and the business units that “own” the vendor relationship. When no team clearly owns access governance end-to-end, controls become fragmented: one department requires strong authentication and named accounts, while another approves access through email threads or service desk tickets. That all adds up to expensive inefficiencies and risky gaps.
Overprivileged access and legacy solutions. Many organizations still extend employee-oriented access models to vendors — VPN access, broad network visibility, and static permissions that linger for months or years. Vendors may get far more access than needed because it’s faster to grant it than to precisely scope it, especially when the business is under pressure to restore systems or keep production moving.
Weak credential management. MFA is vital, but identity assurance goes beyond MFA. The hard questions include: Is this still the same person who was approved months ago? Do we know they still work for the vendor? Are they logging in from expected locations and devices? Are they behaving like they normally do? Attackers love vendor accounts because they blend into normal operations — and increasingly, they don’t even need passwords. Token theft and session hijacking allow an adversary to “become” a legitimate user without triggering traditional login defenses.
Operational pressure creates “approve now, fix later.” In high-stakes environments such as healthcare, manufacturing, and financial services, downtime is intolerable. When a line is down or patient care is impacted, access requests come in urgently and at odd hours. That urgency can incentivize shortcuts: shared accounts, weak approvals, and access that never gets revoked because nobody circles back after the crisis.
Best practices: Mitigating third-party access risks
Better vendor risk management is built on a proactive strategy, not ad hoc reactions. The goal is to enable vendors to do necessary work quickly and easily, while reducing risk and mitigating damage if an account is compromised.
Start with an inventory and ownership model. Build and maintain a living catalog of third parties, what they access, why they need it, and who internally approves that access. Assign clear ownership: security sets guardrails, but the business owner validates legitimacy and timing. If you don’t know who “owns” a vendor relationship, access decisions will drift into the fastest path, not the safest one.
Use named identities; eliminate shared accounts. Each vendor user should have a unique identity tied to a real person — not “support@vendor.com” and not generic logins shared across a vendor team. Shared accounts destroy accountability, make monitoring nearly useless, and turn offboarding into guesswork.
Make strong authentication non-negotiable. Require phishing-resistant MFA where possible. Combine MFA with device posture checks, conditional access, and risk signals (location anomalies, impossible travel, suspicious device changes, unusual access patterns). And importantly, regularly conduct vendor security assessments to review their security protocols, as making assumptions can bring devastating outcomes.
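To make the “risk signals” above concrete, here is an added example (not Imprivata code, and not from any product the post describes) that runs two of those checks over a handful of constructed vendor login events: impossible travel (the implied speed between two successful logins for the same named identity exceeds what a flight could cover) and a login from a device the identity has never used before. The event fields, coordinates, and the 900 km/h and 100 km thresholds are assumptions chosen for illustration.

```python
"""Impossible-travel and new-device checks over vendor login events.

Added example, not Imprivata code. Event layout and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than a commercial flight is implausible
MIN_DISTANCE_KM = 100.0    # assumption: ignore small jumps caused by geolocation noise


@dataclass(frozen=True)
class LoginEvent:
    user: str          # named vendor identity, never a shared account
    ts: datetime       # timezone-aware timestamp of the authentication
    lat: float         # geolocated source coordinates (constructed values below)
    lon: float
    device_id: str     # device fingerprint reported by the access solution
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def evaluate(events: list[LoginEvent]) -> list[tuple[str, str, str]]:
    """Return (user, timestamp, reason) findings for successful logins that
    imply impossible travel or come from a previously unseen device."""
    findings: list[tuple[str, str, str]] = []
    last_login: dict[str, LoginEvent] = {}
    known_devices: dict[str, set[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue  # failed attempts are tracked elsewhere (lockout, brute-force)
        devices = known_devices.setdefault(ev.user, set())
        if devices and ev.device_id not in devices:
            findings.append((ev.user, ev.ts.isoformat(), f"new device {ev.device_id}"))
        devices.add(ev.device_id)
        prev = last_login.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            if dist >= MIN_DISTANCE_KM:
                speed = dist / hours if hours > 0 else float("inf")
                if speed > MAX_PLAUSIBLE_KMH:
                    findings.append((ev.user, ev.ts.isoformat(),
                                     f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
        last_login[ev.user] = ev
    return findings


def sample_events() -> list[LoginEvent]:
    """Constructed sample: one vendor user jumps Chicago -> Frankfurt in 90 minutes,
    another switches to an unknown device; nothing here is real telemetry."""
    utc = timezone.utc
    chicago, frankfurt = (41.88, -87.63), (50.11, 8.68)
    return [
        LoginEvent("j.doe@vendor-a.example", datetime(2025, 3, 4, 9, 0, tzinfo=utc), *chicago, "dev-1", True),
        LoginEvent("a.lee@vendor-b.example", datetime(2025, 3, 4, 9, 0, tzinfo=utc), *chicago, "dev-2", True),
        LoginEvent("j.doe@vendor-a.example", datetime(2025, 3, 4, 10, 30, tzinfo=utc), *frankfurt, "dev-1", True),
        LoginEvent("a.lee@vendor-b.example", datetime(2025, 3, 4, 12, 0, tzinfo=utc), *chicago, "dev-3", True),
        LoginEvent("j.doe@vendor-a.example", datetime(2025, 3, 4, 13, 0, tzinfo=utc), *frankfurt, "dev-9", False),
    ]


if __name__ == "__main__":
    for user, when, reason in evaluate(sample_events()):
        print(f"{when} {user}: {reason}")
```

In practice these findings feed conditional access (step-up or deny) rather than a printout; the point of the sorted, per-identity bookkeeping is that it only works when each vendor user has a named identity, which is why the shared-account advice above is a prerequisite for this kind of signal.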
Adopt least privilege vendor access controls. Here’s where fine-grained access controls come into play. Vendors should receive the minimum permissions required to get the work done, for the minimum time needed. Along with Zero Trust, Zero Standing Privilege (ZSP) provides a powerful approach: instead of persistent admin rights, privileges are granted just-in-time, approved, and automatically revoked.
Segment vendor access paths. Avoid dropping vendors onto the same broad access plane used by employees. Use the right tools: access solutions that are purpose-built, effective, and efficient. Tap the power of solutions featuring identity threat detection and response capabilities and adaptive authentication. In addition, isolate vendor workflows and restrict connectivity to only the systems required for the task.
Improve visibility and auditability. Security controls are only as good as your ability to see and investigate what happened. Log vendor access events, session activity where appropriate, and changes made during privileged work. Make sure audit monitoring data is accessible and useful during incident response — not buried across disconnected tools.
Operationalize reviews and offboarding. Third-party identity management is crucial. Vendor access should expire by default, with periodic re-approval. Validate employment and relationship status regularly. Automate deprovisioning triggers when contracts end or when a vendor user hasn’t accessed systems for a defined period.
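The least-privilege, Zero Standing Privilege, and offboarding practices above all describe the same lifecycle: a named vendor identity with an internal owner, privileges granted just-in-time and time-boxed, automatic revocation, and deprovisioning when the contract ends or the identity goes dormant. The following is an added example of that lifecycle as a small access ledger; it is not Imprivata code and not a description of any product. The ledger API, the vendor and owner names, and the thresholds (8-hour maximum grant, 60-day inactivity limit, 90-day re-approval period) are assumptions.

```python
"""Zero Standing Privilege style vendor access ledger: just-in-time, owner-approved,
time-boxed grants; automatic revocation; deprovisioning on contract end or inactivity;
periodic re-approval flags.

Added example, not Imprivata code. Names, thresholds and the API are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=8)           # assumption: no JIT grant outlives a shift
INACTIVITY_LIMIT = timedelta(days=60)    # assumption: dormant identities are removed
REAPPROVAL_PERIOD = timedelta(days=90)   # assumption: owner re-validates quarterly


@dataclass
class Grant:
    target: str           # system or role, e.g. "erp-prod:admin" (constructed name)
    approver: str
    start: datetime
    end: datetime
    revoked: bool = False


@dataclass
class VendorIdentity:
    user: str             # named individual, never a shared account
    vendor: str
    owner: str            # internal business owner who validates legitimacy and timing
    approved_at: datetime
    last_seen: Optional[datetime] = None
    contract_active: bool = True      # maintained from procurement data
    status: str = "active"            # "active" or "deprovisioned"
    grants: list = field(default_factory=list)


class AccessLedger:
    def __init__(self) -> None:
        self.identities: dict[str, VendorIdentity] = {}

    def register(self, ident: VendorIdentity) -> None:
        self.identities[ident.user] = ident

    def request_privilege(self, user, target, approver, now, duration) -> Grant:
        """Just-in-time grant: owner-approved and time-boxed, nothing standing."""
        ident = self.identities[user]
        if ident.status != "active" or not ident.contract_active:
            raise PermissionError(f"{user} is not an active vendor identity")
        if approver != ident.owner:
            raise PermissionError("approval must come from the vendor relationship owner")
        if duration > MAX_GRANT:
            raise ValueError(f"grant longer than {MAX_GRANT} is not allowed")
        grant = Grant(target, approver, now, now + duration)
        ident.grants.append(grant)
        return grant

    def is_authorized(self, user, target, now) -> bool:
        """Access check at use time; a successful check counts as activity."""
        ident = self.identities.get(user)
        if ident is None or ident.status != "active" or not ident.contract_active:
            return False
        for g in ident.grants:
            if g.target == target and not g.revoked and g.start <= now < g.end:
                ident.last_seen = now
                return True
        return False

    def sweep(self, now) -> dict:
        """Scheduled job: revoke expired grants, deprovision, flag re-approval."""
        report = {"revoked": [], "deprovisioned": [], "reapproval_due": []}
        for ident in self.identities.values():
            if ident.status != "active":
                continue
            for g in ident.grants:
                if not g.revoked and now >= g.end:
                    g.revoked = True
                    report["revoked"].append((ident.user, g.target))
            last_activity = ident.last_seen or ident.approved_at
            reason = None
            if not ident.contract_active:
                reason = "contract ended"
            elif now - last_activity > INACTIVITY_LIMIT:
                reason = "inactive"
            if reason:
                ident.status = "deprovisioned"
                for g in ident.grants:
                    g.revoked = True
                report["deprovisioned"].append((ident.user, reason))
            elif now - ident.approved_at > REAPPROVAL_PERIOD:
                report["reapproval_due"].append(ident.user)
        return report


def run_scenario() -> dict:
    """Constructed timeline: grant, expiry, wrong approver, dormancy, contract end."""
    t0 = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
    jd, al, mr = "j.doe@vendor-a.example", "a.lee@vendor-b.example", "m.ray@vendor-c.example"
    ledger = AccessLedger()
    ledger.register(VendorIdentity(jd, "Vendor A", "ops-manager", t0))
    ledger.register(VendorIdentity(al, "Vendor B", "facilities-lead", t0))
    ledger.register(VendorIdentity(mr, "Vendor C", "it-director", t0 - timedelta(days=100),
                                   last_seen=t0 - timedelta(days=10)))
    out = {}
    ledger.request_privilege(jd, "erp-prod:admin", "ops-manager", t0, timedelta(hours=4))
    out["in_window"] = ledger.is_authorized(jd, "erp-prod:admin", t0 + timedelta(hours=1))
    out["after_window"] = ledger.is_authorized(jd, "erp-prod:admin", t0 + timedelta(hours=5))
    try:
        ledger.request_privilege(jd, "erp-prod:admin", "helpdesk", t0, timedelta(hours=1))
        out["wrong_approver_blocked"] = False
    except PermissionError:
        out["wrong_approver_blocked"] = True
    out["sweep_day0"] = ledger.sweep(t0 + timedelta(hours=5))
    # j.doe keeps working a month later; a.lee never logs in; m.ray goes quiet.
    ledger.request_privilege(jd, "erp-prod:admin", "ops-manager", t0 + timedelta(days=30), timedelta(hours=2))
    ledger.is_authorized(jd, "erp-prod:admin", t0 + timedelta(days=30, hours=1))
    out["sweep_day61"] = ledger.sweep(t0 + timedelta(days=61))
    ledger.identities[jd].contract_active = False  # procurement closes the contract
    out["sweep_day62"] = ledger.sweep(t0 + timedelta(days=62))
    return out
```

Note what the sweep does not need: nobody has to remember to remove access. The grant ends on its own, the inactivity and contract checks run on a schedule, and the re-approval flag forces the business owner (not security) to re-validate the relationship, which is the ownership model described above.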
Advanced breach tactics: Staying ahead of the curve
Even as organizations improve basic practices such as MFA and least privilege, the threat landscape is accelerating. Attackers are using AI to scale and sharpen social engineering, making phishing and pretexting more convincing, contextual, and fast-moving. They can tailor lures to specific employees, departments, and vendor relationships with far less effort than before.
Meanwhile, credential attacks are evolving into identity session attacks: stealing tokens, hijacking sessions, and bypassing authentication flows entirely. The result is an environment where “the login looked normal” no longer means “the user was legitimate.” Add rapidly weaponized vulnerabilities and automated scanning, and the timeline from disclosure to exploitation continues to shrink.
That’s why third-party access management can’t be treated as a one-time project. It must be an ongoing process to ensure you stay ahead of the curve. That includes using the right tools, continuously verifying identity, limiting standing privilege, watching for abnormal behavior, and tightening access paths without bogging down critical operations. Vendors will remain essential. The goal is to make their access safe, observable, and resilient — so the next inevitable intrusion doesn’t become the next headline.
For additional perspective, watch the Imprivata Live discussion, “From Breach to Blueprint: Lessons Learned Two Years After Change.”