Unmanaged Third Party Identity Risk: The Hidden Threat

A practical guide to manage third party and non-employee identity risk

The expanding identity and access management challenge

Cyber-attacks are on the rise and it's estimated that as many as 60% are identity-based, making strong identity and access management (IAM) an increasing priority for a robust cyber defense.

  • 48% increase in the ratio of non-employees, with one contractor being hired for every five employees
  • 90% of businesses indicate that they intend to maintain or increase their use of contractors
  • 59% experienced a data breach caused by one of their third parties in the past 12 months

Over the past five years, there have been dramatic changes in the way we work, with digital and remote working on the increase and a widening digital ecosystem. Organizations are increasingly reliant on third parties who access their environment, creating vulnerability.

Why this matters

Identity and access management for an organization's permanent workforce is not sufficient to deal with the risks associated with the extended third-party and non-employee workforce.

Digital account sprawl

  • On average, a digital identity is estimated to have between 5 and 15 different accounts associated with it.
  • The number of accounts is further proliferated for non-employees due to duplicate or temporary accounts.
  • This substantially increases the attack surface of the organization.

Over-privileged access

  • Third parties often require elevated system access beyond standard users.
  • This access is often untailored and excessive, with maximum privileges given.
  • It's this access that becomes a prime target for attackers, increasing the risk of significant breaches.

Obtaining visibility

You cannot effectively manage what you're unaware of, so gaining a clear understanding of your business's current identity position is crucial.

Questions you should ask

  1. Do you truly know your digital workforce?
  2. Do you know what access your third parties have in your organization?
  3. Do you have a broader third-party risk capability that can be leveraged?

Three foundational elements to manage third-party and non-employee identity risk

  1. Prioritize identifying third parties that pose the greatest risk.
  2. Establish a centralized, trusted source capable of integrating with existing security and identity tools.
  3. Choose the appropriate technology and treat it as a transformation.

Putting data at the core

Develop a data model that prioritizes cleansing data, starting with the highest-risk systems. Robust and accurate data is fundamental for strong identity and access management controls.

Components of a data-led approach

  • Establishing a data model tailored for non-employee identities.
  • Implementing data cleansing in alignment with the newly established data model.

Embedding non-employee IAM governance

Identity and access management is an ongoing process that must be sustainable, adaptable, and resilient.

Success is based on strong ownership, clear accountability, and effective governance

  • Stakeholder engagement and relationship development.
  • Clarity and collaboration.
  • Process transformation.
  • Continuous improvement.

Characteristics of robust third-party IAM

  • Clear, documented, and verified understanding of all non-employees.
  • Limited use of shared credentials and centralized credential management.
  • Identified, inventoried, and tightly controlled highest privileged and sensitive access.
  • Defined roles and access rules tailored for non-employees.

How KPMG and SailPoint can help

KPMG and SailPoint can assist organizations in managing third-party identity risk through their expertise and technology solutions.

  • Our firm’s experience in IAM, TPRM, and cyber security.
  • SailPoint's market-leading Non-Employee Risk Management tool.

By combining their capabilities, KPMG and SailPoint can help organizations tackle complex IAM programs, saving time and money while advancing long-term ROI.

Unmanaged Third Party Identity Risk – The Hidden Threat to Your Business

A practical guide from KPMG and SailPoint to help you manage third-party and non-employee identity risk, strengthen your cyber defense, and protect your organization from the fastest-growing source of breaches.


Unlock this exclusive report to learn:

  • Why 60% of cyber-attacks are identity-based and 30% of breaches involve third parties
  • How to gain visibility and control over contractors, partners, and service providers
  • Actionable steps for risk-based identity governance and continuous improvement
  • How leading organizations use technology and process transformation to secure their extended workforce
