Introduction
Cybersecurity has long been treated as a technical discipline, siloed from the business processes that drive procurement decisions. Yet the identity governance and administration (IGA) professionals responsible for managing access and compliance are discovering that cyber-procurement integration is no longer optional—it’s essential to building secure supply chains.
SailPoint’s Linda Siegert, a key voice in identity governance strategy, highlights a critical nexus: procurement teams decide which vendors get access to enterprise systems, which partners can provision users, and which contractors get infrastructure access. Without coordination between security and procurement, organisations risk onboarding vendors with inadequate identity security practices—or worse, creating orphaned identities that persist long after vendor relationships end.
The Problem: Procurement and Identity Governance Are Operating Independently
In many organisations, procurement and identity governance operate as separate functions. Procurement focuses on cost, SLAs, and contract terms. IGA focuses on access control and compliance. This fragmentation creates dangerous gaps.
When a new vendor is onboarded, procurement negotiates terms. But the vendor’s employees often gain access to systems through ad-hoc processes—sometimes manual, sometimes through uncontrolled integration APIs. Identity governance is asked to audit the access weeks or months later, after the damage could already be done. Conversely, IGA teams may impose identity governance requirements on vendors, but procurement never negotiates them into the contract, leaving enforcement to handshakes.
The result: identity risk extends beyond your organisation into your supply chain. A compromised vendor identity becomes a backdoor into your systems. An unmonitored contractor account becomes a compliance liability. An integrated partner API that syncs identities without proper governance becomes a vector for lateral movement.
Key Points: Bridging Cyber and Procurement
1. Identity Governance Requirements in Vendor Contracts
Procurement teams must encode identity governance and administration requirements into vendor agreements. This includes minimum MFA standards for vendor employees accessing your systems, mandatory identity audit rights, and clear termination procedures that include identity deprovisioning. Without contractual teeth, IGA teams cannot enforce these requirements.
2. Pre-Boarding Identity Security Assessments
Before a vendor is activated, identity governance teams should assess the vendor’s own identity maturity. Do they have centralized identity management? Can they provide attestation of user terminations? Can they integrate securely with your IGA platform? These questions must be answered before procurement signs the contract, not after.
3. Continuous Monitoring of Vendor Identities
Once activated, vendor identities should be treated as third-party entities within your identity governance framework. This means continuous monitoring for anomalous access patterns, regular entitlement reviews with the vendor, and automated deprovisioning based on contract end dates. Many organisations miss this entirely—they provision vendor accounts but never actively manage them.
4. Supply Chain Risk as an IGA Metric
Identity governance and administration teams should report supply chain identity risk as a distinct metric to the board and the CISO. How many vendor identities are active? How many have been reviewed in the past year? How many will be auto-deprovisioned when contracts end? These numbers belong in risk dashboards.