Vendor Access Management
Vendor access management governs the identities, permissions, and access lifecycle of external parties — vendors, contractors, service providers — operating inside enterprise systems. In 2025, Gartner identified vendor access as one of the top three enterprise security risks. The average vendor-related breach costs $4.76 million and takes 277 days to detect. C1 automates the full vendor identity lifecycle to ensure vendors have exactly the access they need, for exactly as long as they need it, with a complete audit trail at every step.
Vendors and contractors need access to your systems. The question isn't whether to grant that access — it's whether you're governing it. Most organizations aren't. Vendor identities accumulate silently: accounts that were provisioned for a short-term project and never deprovisioned, permissions that expanded during an engagement and were never right-sized, credentials shared across vendor team members with no individual accountability. The result is a sprawling, unaudited access surface that attackers increasingly target. In 2024, 35.5% of data breaches involved a third-party. The average breach took 277 days to detect. Vendor access management is how organizations close this gap — not by restricting vendor access, but by making it governable.
What vendor access management covers#
Vendor access management (VAM) is a subset of identity governance and administration (IGA) focused on external parties. It spans four operational domains:
- Identity governance: Who are the vendors, what do they access, and who is the internal owner of each relationship
- Access control: What permissions each vendor holds and whether those permissions are appropriate for the current scope of work
- Lifecycle management: How vendor access changes from initial provisioning through active engagement to offboarding
- Audit and compliance: The documentation trail showing that vendor access is controlled, reviewed, and revoked in accordance with policy
Why vendor access is a distinct risk category#
Employees operate inside your security perimeter and are subject to your security controls. Vendors are external — you extend access to them without controlling their own security practices. A vendor employee who uses weak passwords, reuses credentials across systems, or shares login credentials with a colleague becomes your security problem the moment they connect to your systems. Three dynamics make vendor access particularly dangerous: Accumulation over time. Vendor relationships often start with a narrow scope that gradually expands. Each expansion may be legitimate, but permissions granted for earlier phases rarely get revoked. Over a multi-year relationship, a vendor can accumulate access far beyond what the current engagement requires. Orphaned accounts. When a vendor engagement ends, account offboarding is frequently incomplete. The vendor's main access may be revoked, but integration accounts, service accounts, API keys, or secondary user accounts persist. These orphaned accounts have valid credentials and no active owner monitoring them. Shared credentials. Vendors commonly share credentials across team members because it's operationally convenient. This makes individual accountability impossible and dramatically increases the blast radius if a credential is compromised — the attacker gains the access level of the shared account, and there's no signal distinguishing the attacker's activity from the vendor team's normal usage patterns.
The vendor identity lifecycle#
Onboarding#
Vendor onboarding should establish three things before any access is granted: identity verification (confirming who the vendor is and what role they're filling), scope definition (specifying which systems and data they require access to), and ownership assignment (naming the internal owner responsible for the relationship). Access should be granted at the minimum level required for the stated scope. Document the grant: what was provisioned, who approved it, when it was granted, and when it is scheduled for review or expiration.
Active management#
Vendor relationships are dynamic. Scope changes, personnel changes on the vendor side, and contract modifications all have access implications that need to be captured and acted on.
- Scope changes: When the vendor's engagement expands or contracts, permissions should be updated to match the new scope — not left at the prior level
- Personnel changes: When a vendor team member leaves or changes roles, their individual access should be updated or revoked even if the vendor relationship continues
- Periodic review: Access reviews at defined intervals (monthly or quarterly for high-risk vendors) catch permission drift that change-based triggers miss
Offboarding#
Offboarding is the most operationally difficult phase and the most consequential when it fails. Complete offboarding requires revoking every form of access the vendor holds: user accounts, service accounts, API keys, VPN credentials, and physical access where applicable. Automation is required at scale. Manual offboarding processes break down because they depend on institutional knowledge of everything a vendor was granted — knowledge that isn't reliably documented and is frequently incomplete. Automated offboarding systems with complete access inventories can execute comprehensive revocation in seconds. Manual processes can take days and still miss accounts.
Technical controls#
Least privilege#
Every vendor identity should hold the minimum permissions required for the current scope of work. Least privilege isn't a one-time configuration — it's an ongoing posture that requires access to be right-sized as scope changes and reclaimed when it's no longer needed.
Just-in-time (JIT) access#
Just-in-time access is the operational implementation of zero standing privilege. Rather than granting vendors persistent access to systems, JIT access grants temporary, time-limited access that activates when needed and revokes automatically when the session ends or the time window expires. A vendor who only has access when they're actively working in your systems is a vendor who can't be compromised via credential theft during the 277 days between when a breach occurs and when it's detected.
Multi-factor authentication#
MFA is a baseline requirement for all vendor access. All vendor access to your systems should require MFA regardless of what the vendor's own security policies require. Where possible, enforce MFA through your own identity infrastructure rather than relying on the vendor's.
Identity federation#
Identity federation connects your identity system to vendors' identity systems via standards like SAML or OIDC. Vendors authenticate through their own identity provider (IdP) using their existing credentials, while your policies govern what they can access. Federation eliminates local vendor accounts — removing the most common source of orphaned accounts — and gives you a single point of control for vendor identity.
Session monitoring#
Vendor sessions should be logged. For privileged vendor access, session recording provides an audit trail of exactly what actions were taken during an access event. This is required for forensic investigation when something goes wrong and provides accountability that deters misuse.
Compliance requirements for vendor access#
Every major compliance framework addresses vendor access management explicitly:
- HIPAA: Business Associate Agreements (BAAs) must establish controls for PHI access, and organizations must document access grants and maintain audit logs for all third-party access to covered systems
- GLBA: Financial institutions must maintain a vendor oversight program and ensure service providers implement appropriate safeguards for customer financial data
- SOC 2: The Availability and Confidentiality criteria require documented vendor access controls and evidence of periodic access reviews
- ISO 27001: Annex A.15 addresses supplier relationships, requiring documented policies for third-party access, security requirements in vendor agreements, and supplier monitoring
- NIST CSF 2.0: The Govern function adds supply chain risk management as a core category, raising the baseline expectation for vendor security governance across industries
How C1 manages vendor access#
- Unified Identity Graph: A real-time map of every vendor identity and every permission they hold across every connected system — the foundation for understanding your actual access surface
- Just-in-time access: Vendor access that activates on request and revokes automatically — no standing privileges for external parties
- Full lifecycle automation: Onboarding, access adjustments, periodic reviews, and offboarding without manual intervention at each step
- Self-service access requests: Vendors and internal owners can request, approve, and manage access through Slack, a web portal, or API — reducing friction while maintaining governance
- 300+ out-of-the-box connectors: Consistent policy enforcement across every system in your environment without custom integrations
- Automated access reviews: Scheduled reviews with owner notifications, approval workflows, and automatic revocation for accounts that fail review — all logged for compliance
For the full treatment of privileged vendor access controls, see the vendor privileged access guide. For broader context on managing all non-employee identities, see the non-employee access management guide and third-party access management guide.