
      In today’s digital-first environment, organisations face a growing threat from unmanaged third party identities. Cyber-attacks increasingly target identity vulnerabilities: approximately 60% of breaches are identity-based and 30% involve third parties. Robust identity and access management (IAM) and third party risk management (TPRM) frameworks are therefore essential.

      Today’s organisations rely on a growing ecosystem of third parties, contractors, consultants, vendors and service providers, many of whom require access to internal systems and sensitive data.

      Yet, these non-employee identities often fall outside the scope of traditional access management, creating blind spots in security and compliance. Without clear ownership, controls and visibility, third party access can lead to serious vulnerabilities.

      KPMG and SailPoint’s guide outlines practical steps to bring this extended workforce under control, using a data-led, risk-based approach aligned to your wider identity and cybersecurity strategy.



      The expanding risk landscape

      The modern workforce includes contractors, freelancers, consultants, and outsourced service providers. These non-employees often require privileged access, yet lack the governance applied to internal staff. This creates significant exposure across identity lifecycle management, supply chain risk management, and vendor risk management domains.

      • Digital account sprawl and excessive access privileges.
      • Credential misuse due to shared or static credentials.
      • Subcontractor risk from unmanaged leaver processes.
      • Increased attack surface from persistent access.


      Building visibility and control

      Effective third party identity risk management begins with visibility. Organisations must profile all identities—internal and external—and understand their access levels. This includes surfacing all access to systems and platforms.

      Questions to ask:

      • Do you know what access your third parties have?
      • Is there a centralised identity repository?
      • Do you have full visibility of those accessing your critical applications and platforms?

      Taking action with technology

      KPMG advocates a transformation-led approach using identity management solutions like SailPoint’s Non-Employee Risk Management tool. This enables automated provisioning, verification, and deprovisioning, aligned with IAM lifecycle management best practices.

      Foundational steps:

      • Prioritise third parties based on access risk
      • Implement identity and access governance across all personas
      • Use IAM security tools to enforce multi-factor authentication and access reviews

      Data-driven identity governance

      A robust data model is critical. Organisations must cleanse and align identity data, starting with high-risk systems. This underpins broader effective identity access management strategies and enables dynamic controls tailored to each third-party profile.

      Key components:

      • Mandatory attributes for identity creation
      • Automated triggers for joiners, movers and leavers
      • Centralised monitoring of access across platforms

      Embedding IAM into an extended operating model

      IAM is not a one-off project—it’s a continuous process. Success depends on embedding IAM solutions into broader operating models, engaging stakeholders across HR, IT, risk, and external partners. Clear accountability and decentralised governance are vital for sustainable identity access management.

      Key focus areas:

      • Embed IAM controls and vetting into broader TPRM capabilities
      • Establish delegated administration with suppliers whilst maintaining central visibility
      • Continuously review the different identities and personas that require access, and tailor controls accordingly

      KPMG and SailPoint, better together

      KPMG’s approach combines process transformation with leading technology enablement, helping organisations deploy identity and access management tools that deliver measurable outcomes. As SailPoint’s EMEA Partner of the Year, KPMG offers deep expertise in IAM lifecycle management and third party risk governance.

      Together, we tackle and accelerate the delivery of highly complex IAM programmes, meeting our clients’ business needs today and preparing them for the future, saving time and money, and advancing long-term ROI.



