Report Finds Two‑Thirds of Service & Bot Accounts Unmanaged, Raising Supply‑Chain Risk
What Happened – Orchid Security’s “Identity Gap” report reveals that roughly 66 % of non‑human (service, bot, and machine) accounts across surveyed enterprises are neither discovered nor managed. The lack of visibility creates attack surface for credential theft, privilege abuse, and automated credential‑spraying campaigns.
Why It Matters for TPRM –
- Unmanaged service accounts can be leveraged to pivot into critical vendor environments.
- Third‑party risk assessments often overlook non‑human identities, leading to blind spots in supply‑chain security.
- Compromise of these accounts can result in data exfiltration or ransomware deployment without triggering traditional user‑behavior alerts.
Who Is Affected – Enterprises with extensive cloud, SaaS, and DevOps footprints; particularly technology/SaaS, cloud infrastructure, and financial services firms that rely heavily on automated workloads.
Recommended Actions –
- Conduct an inventory of all service, bot, and API accounts across cloud and on‑prem environments.
- Enforce strict lifecycle management (creation, rotation, de‑provisioning) for non‑human identities.
- Integrate automated discovery tools into third‑party risk monitoring programs.
Technical Notes – The report cites common gaps such as lack of IAM policy enforcement, missing credential rotation, and inadequate logging of service‑account activity. No specific CVEs are mentioned; the risk stems from misconfiguration and credential‑management failures. Source: HackRead