Third-party access is a counter-intelligence problem

The vendor passed your review. The questionnaire came back clean. The SOC 2 was current, the contract was signed, and access was granted. That was six weeks ago.
Here is what you do not know: what happened to that vendor in the six weeks since.
Most third-party risk programs answer one question well. They tell you whether a vendor was acceptable at the time of evaluation. They are not built to tell you whether that vendor remains acceptable today. And that gap is where the compromises are living.
Verizon's 2026 Data Breach Investigations Report, published May 19, 2026, puts a number on it. Breaches involving a third party now account for 48% of all breaches. Third-party involvement is up 60% year over year. That is not a fluke. That is a structural shift in where the exposure actually is. Attackers have learned what the paperwork covers and learned to work around it.
The question that matters is not whether your vendors passed review. It is whether they have changed since you last looked.
Why approved vendors become attack paths
When a vendor gets access to your environment, they bring their whole posture with them. Their developers. Their open-source dependencies. Their subcontractors. Their credential hygiene. Their staff retention. Their parent company. Their financial stability.
None of that is static. And almost none of it shows up in a vendor questionnaire.
A vendor can pass a controls audit in January and have a compromised developer account by March. They can pass a penetration test summary and have a supply-chain dependency quietly taken over by a malicious contributor. They can hold a current ISO 27001 certificate and be in the middle of a merger that changes who actually controls the entity.
We covered this in detail in "Vendor Risk Assessment Is Not Supply-Chain Intelligence": the compliance artifact is a snapshot, not a state of being. The vendor was secure on the day they were audited. They have not, and cannot, be audited every day. The access, however, is live every day.
That is the real surface. Not the paperwork. The ongoing relationship.
What 2026 incidents are actually telling us
Three incidents from early 2026 are worth reading carefully, because together they illustrate how trusted relationships become the attack path.
In March, Microsoft published its analysis of the Trivy supply-chain compromise. The campaign did not target Trivy directly in the first instance. It weaponized the trusted distribution channel: the project's core binary and its GitHub Actions pipelines. From there, the compromise expanded into Checkmarx KICS, LiteLLM, and Bitwarden CLI. The mechanism was inherited trust. Each downstream tool pulled from an upstream source that had been quietly poisoned. None of those downstream tools had done anything wrong. They had trusted a dependency the way they always had.
In May, Microsoft documented a phishing campaign targeting more than 35,000 users across more than 13,000 organizations in 26 countries. The campaign ran between April 14 and 16, 2026. What made it effective was not technical sophistication. It was believable organizational context. The messages used legitimate delivery infrastructure and fully authenticated sends. They looked like something a vendor or counterpart might actually send. The attack surface was the trust that already existed between organizations.
In April, the UK's National Cyber Security Centre warned that APT28 had been exploiting small office and home office routers to overwrite DNS settings and enable adversary-in-the-middle operations. Microsoft's parallel reporting identified over 200 organizations and 5,000 consumer devices affected. The router is not normally what organizations think of as a vendor risk. But anyone using compromised infrastructure to access your environment is introducing a threat path that your controls never see.
The pattern across all three: the attack moved through existing trust. Not through a door that was locked. Through a door that was open because it had been approved.
The difference between screening, assessment, and intelligence
These three terms get used interchangeably. They describe different things.
Vendor screening is the initial check. Criminal history, sanctions lists, adverse media, basic financial health. It answers the question: is there a reason not to engage with this company at all?
Vendor risk assessment is deeper. SOC 2 review, questionnaire analysis, controls evaluation, contractual obligations. It answers the question: does this vendor have documented evidence of adequate controls?
Vendor intelligence is something else entirely. It is current, continuous, and observational. It answers the question: is anything happening, right now, in or around this vendor that changes their risk to us?
These are sequential, but most programs stop at assessment and call it done. The World Economic Forum's Global Cybersecurity Outlook 2026 finds that while 66% of organizations evaluate the security maturity of their suppliers, only 33% comprehensively map their supply-chain ecosystems. Only 27% conduct incident simulation exercises with their supply-chain partners. Organizations recognize the problem in principle. They have not built the monitoring to match it.
That gap between recognition and monitoring is exactly where adversaries operate.
The supply chain risk intelligence function that closes this gap is not an extension of the assessment process. It is a separate discipline with a different methodology and a different cadence. Assessment happens at onboarding. Intelligence happens continuously.
Five post-onboarding indicators that warrant investigative review
Organizations that treat vendor approval as the finish line will miss all five. Each is a change in the vendor's actual posture, not their documented one.
Ownership or entity change is the one most organizations miss. A merger, acquisition, restructuring, or change in beneficial ownership changes who actually controls the relationship. The entity you screened may no longer be the entity that holds your access. New parent companies bring new affiliations, new financial pressures, and exposures that were not part of your original review. This requires a fresh assessment, not an assumption of continuity.
Key personnel turnover is the second. The contacts who understood your environment, your protocols, and your expectations may no longer be there. New staff do not inherit institutional knowledge about how access was granted or why it was scoped the way it was. Gaps in continuity are also gaps in accountability.
Subcontractor additions are the third, and the hardest to track. Many vendors add downstream suppliers without disclosure. Your vendor's access can become a subcontractor's access without your knowledge. The subcontractor may have no direct relationship with you and may have been through no vetting at all. This is what the WEF calls inheritance risk: vulnerabilities propagate through trusted relationships without appearing in any review.
Credential and access pattern changes are the fourth. Unusual authentication times, geographic anomalies, new device registrations, or access to resources outside the vendor's normal scope are all worth investigating. These do not require a major incident to be actionable. They are the precursors.
Financial or legal stress is the fifth, and the one that tends to accelerate everything else. A vendor under serious financial pressure, litigation, or regulatory scrutiny is a different risk than a stable one. Staff cuts can eliminate the people responsible for maintaining security controls. Legal exposure can motivate behavior that would not otherwise occur. Distressed vendors are also more likely to take on questionable third parties of their own.
None of these indicators appear in a questionnaire. They require active monitoring and a willingness to pull the thread when something changes.
How counter-intelligence thinking changes what you monitor
The counter-intelligence frame is useful here because it starts from a different premise than compliance.
Compliance asks: did the vendor meet the requirements? Counter-intelligence asks: is the vendor, or someone with access to the vendor, being used against us?
That is a harder question. It also catches more of what is actually happening.
Counter-intelligence applied to vendor relationships means treating the access relationship itself as a potential attack surface. It means asking whether the vendor's access pattern looks like a vendor doing their job, or like a vendor whose credentials are being used by someone else. It means monitoring for signs of targeting, and doing that before signs of compromise appear.
APT28's router compromise is instructive. The attack was not against the organizations' own infrastructure. It was against upstream devices that touched those organizations. The question counter-intelligence asks is: what else in our environment is being accessed through something we did not think to treat as a threat surface?
INTERPOL's March 2026 fraud assessment adds a related dimension. AI-enhanced fraud is now 4.5 times more profitable than traditional methods, and fraud sits at the intersection of organized crime, identity abuse, and impersonation. Vendors can be impersonated. Vendor relationships can be used as a pretext for social engineering. The trusted brand of a long-standing supplier is a credential in itself, and adversaries know it.
The behavioral monitoring that counter-intelligence provides is different from anomaly detection. Anomaly detection looks for statistical outliers. Behavioral intelligence asks whether the pattern, in context, is consistent with the stated purpose of the access. That requires human judgment and investigative capacity. A dashboard will not tell you.
What to ask before expanding or renewing vendor access
Most access expansion and renewal decisions happen on autopilot. The vendor has been in place. Nothing has gone wrong. The relationship continues.
That logic made more sense when the threat environment was slower. It does not work now.
Before expanding or renewing high-trust vendor access, the right questions are operational, not procedural: Has anything changed in the vendor's ownership structure, key personnel, or financial position since the last review? Has the vendor added subcontractors or downstream suppliers that have not been disclosed to us? Is there any adverse information in OSINT sources, litigation records, or regulatory filings that has appeared since the relationship was approved? Does the current access scope still match the current scope of work, or has access accumulated beyond what the relationship actually requires? Has the vendor's access pattern over the past period looked consistent with what we expect them to be doing?
These questions do not have a form. They require a review. For high-trust vendors with access to sensitive systems, executive data, or operational infrastructure, they require an investigative review.
That is a different product than the annual questionnaire cycle. It is also what the threat environment now requires.
What this means in practice
We have written elsewhere about the limits of vendor risk assessment as a compliance exercise and about how supply-chain identity abuse has moved from theory to documented incident pattern. The through-line across those articles and this one is the same: the paperwork describes what a relationship looked like at a point in time. It does not tell you what the relationship is.
Third-party access that looked clean at approval can be a different risk six weeks later. Ownership changes. Staff changes. Dependencies change. Financial positions change. Threat actors actively look for relationships that have been approved and then left unwatched.
The organizations that find this out the hard way are not the ones who failed to do vendor assessments. They are the ones who treated the assessment as the end of the question rather than the beginning of the monitoring.
Sequenxa conducts confidential third-party intelligence reviews focused on post-onboarding ownership drift, access-path exposure, personnel changes, and subcontractor visibility. If you have a vendor relationship that has expanded or remained in place without a substantive review, contact us to discuss what that review should cover.
Frequently asked questions
What is the difference between vendor risk assessment and vendor intelligence?
Vendor risk assessment is a point-in-time evaluation of a supplier's documented controls, typically completed at onboarding. It relies on self-reported questionnaires, compliance certifications, and audit artifacts. Vendor intelligence is a continuous function that monitors for changes in the vendor's actual posture after access is granted. These changes include ownership transfers, key personnel departures, subcontractor additions, credential anomalies, and financial or legal stress. Assessment answers whether the vendor passed review. Intelligence answers whether the vendor remains what they appeared to be when they passed.
Why does third-party risk increase after onboarding?
At onboarding, vendor access is scoped and the relationship is new. Over time, access tends to accumulate beyond the original scope, personnel change, subcontractors are added, and the vendor's own risk profile evolves. Simultaneously, the organization's attention moves to managing the relationship rather than reviewing it. Threat actors exploit this drift. According to Verizon's 2026 DBIR, breaches involving a third party now account for 48% of all breaches, up 60% year over year. The access that was approved is still open. The review that approved it is increasingly outdated.
What is a post-onboarding vendor intelligence review?
A post-onboarding vendor intelligence review is an investigative assessment of a vendor's current posture, conducted after initial approval and access have already been granted. It differs from an annual questionnaire cycle because it uses open-source intelligence, entity-level research, financial and legal records, access pattern analysis, and subcontractor mapping rather than self-reported documentation. The goal is to identify changes in the vendor's ownership, personnel, financial stability, or third-party dependencies that would materially affect the risk profile of their access.
What are counter-intelligence indicators in a vendor relationship?
Counter-intelligence indicators in a vendor relationship include: access occurring at unusual times or from unexpected geographic locations; authentication from new or unregistered devices; access to resources outside the vendor's stated operational scope; changes in the volume or frequency of access inconsistent with the current workload; newly added subcontractors or personnel with access to the vendor's own systems; and any evidence that vendor credentials or access paths are being tested, probed, or used by parties other than the vendor itself.
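The access-pattern indicators listed here, and in the fourth of the five post-onboarding indicators above, can be turned into a baseline check that runs over vendor access logs. The following is an added example, not code from this article or from Sequenxa; it assumes a hypothetical per-vendor onboarding baseline (work hours, countries, registered devices, in-scope resource paths, expected daily volume) and uses constructed log lines.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class VendorAccessProfile:
    """Hypothetical access baseline recorded at onboarding for one vendor."""
    vendor: str
    work_hours_utc: tuple = (8, 18)            # inclusive start hour, exclusive end hour
    countries: frozenset = frozenset({"DE"})   # where the vendor's staff normally connect from
    devices: frozenset = frozenset()           # device ids registered at onboarding
    resource_prefixes: tuple = ("/billing/",)  # scope of work agreed in the contract
    max_events_per_day: int = 20               # expected daily access volume

def parse_event(line: str) -> dict:
    """Parse one constructed access-log line: '<iso-timestamp> <vendor> <country> <device> <resource>'."""
    ts, vendor, country, device, resource = line.split()
    return {"ts": datetime.fromisoformat(ts), "vendor": vendor,
            "country": country, "device": device, "resource": resource}

def review_vendor_access(profile: VendorAccessProfile, lines: list) -> list:
    """Return (indicator, detail) pairs for events that deviate from the onboarding baseline.
    Each finding is a lead for investigative review, not a verdict of compromise."""
    events = [parse_event(l) for l in lines if l.split()[1] == profile.vendor]
    findings = []
    start, end = profile.work_hours_utc
    for e in events:
        hour = e["ts"].astimezone(timezone.utc).hour
        if not (start <= hour < end):
            findings.append(("off_hours", e["ts"].isoformat()))
        if e["country"] not in profile.countries:
            findings.append(("unexpected_geo", e["country"]))
        if e["device"] not in profile.devices:
            findings.append(("unregistered_device", e["device"]))
        if not e["resource"].startswith(profile.resource_prefixes):
            findings.append(("out_of_scope", e["resource"]))
    # Volume change: compare per-day event counts with the expected workload.
    for day, n in Counter(e["ts"].date() for e in events).items():
        if n > profile.max_events_per_day:
            findings.append(("volume_spike", f"{day}:{n}"))
    return findings

# Constructed sample log lines (not real vendor data): baseline-conforming access on
# 2026-06-01, then night-time access from a new country and device reaching outside scope.
SAMPLE_LOG = [
    "2026-06-01T09:15:00+00:00 acme-billing DE dev-a1 /billing/invoices/2026-05",
    "2026-06-01T14:40:00+00:00 acme-billing DE dev-a1 /billing/reports",
    "2026-06-02T02:10:00+00:00 acme-billing RO dev-z9 /hr/payroll/export",
    "2026-06-02T02:12:00+00:00 acme-billing RO dev-z9 /billing/invoices/2026-05",
]
PROFILE = VendorAccessProfile(vendor="acme-billing", devices=frozenset({"dev-a1"}))

if __name__ == "__main__":
    for indicator, detail in review_vendor_access(PROFILE, SAMPLE_LOG):
        print(f"{indicator:20} {detail}")
```

The output is a list of leads for a human reviewer to place in context, which is the distinction the article draws between statistical anomaly detection and behavioral intelligence.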
How often should high-trust vendor access be reviewed?
There is no single interval that applies to every relationship. High-trust vendor access should be reviewed when any material change occurs in the vendor's ownership, key personnel, financial position, or subcontractor structure. It should also be reviewed before any expansion of access scope and as part of any contract renewal decision. For vendors with access to executive data, operational infrastructure, or sensitive systems, ongoing behavioral monitoring should supplement periodic reviews rather than replace them.
References
Verizon, "Vulnerability exploitation top breach entry point, 2026 industry-wide DBIR finds," May 19, 2026. https://www.verizon.com/about/news/breach-industry-wide-dbir-finds
World Economic Forum, "Global Cybersecurity Outlook 2026," January 12, 2026. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/in-full/3-the-trends-reshaping-cybersecurity/
Microsoft Security, "Guidance for detecting, investigating, and defending against the Trivy supply chain compromise," March 24, 2026. https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
Microsoft Security, "Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise," May 4, 2026. https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
UK National Cyber Security Centre, "APT28 exploit routers to enable DNS hijacking operations," April 7, 2026. https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
Microsoft Security, "SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks," April 7, 2026. https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/
INTERPOL, "INTERPOL report warns of increasingly sophisticated global financial fraud threat," March 16, 2026. https://www.interpol.int/en/News-and-Events/News/2026/INTERPOL-report-warns-of-increasingly-sophisticated-global-financial-fraud-threat