Credential Sharing Is Not Carelessness. It’s a Symptom of Failed Governance
Magnific.com
Ammar Faheem, Director Product Marketing (CIAM)
Summary: Credential sharing among B2B partners is rarely a security culture problem. It is a governance failure. When access provisioning is too slow, too opaque, or too dependent on host organization workflows, third parties find workarounds, and those workarounds become silent security debt. Data from the Thales Digital Trust Index 2026 shows that 66% of partner users have shared or borrowed credentials, with 53% citing slow official processes as the reason. The fix is not tighter restrictions. It is smarter delegation.
According to the Thales Digital Trust Index 2026 report, 66% of partner users have shared or borrowed credentials.
The intent was likely not malicious; these were moves made out of operational desperation.
Per the report, only 22% of B2B partners receive system access or login details immediately upon starting. Anxious to get the job done and meet quotas, many turn to sloppy workarounds to sidestep cumbersome IAM and onboarding processes and access necessary systems.
Shadow access is more often the result of design failures than of user recklessness. This is squarely a governance problem, and it’s up to host organizations to fix it.
Partners Don’t Want to Wait to Deliver Value
A look at current B2B provisioning frameworks would suggest that partners are more eager to deliver value than host orgs are to receive it.
In the Thales research, among the nearly two-thirds who have shared or borrowed credentials, 53% did so because provisioning processes were too slow. When official processes can’t keep pace with operational needs, users don’t wait; they find whatever works, risk and all, to get the job done.
This lines up with what Gartner vice president analyst Chris Mixter explains: “In general, cybersecurity puts control in place that they can deliver at scale, but employees experience a lot of friction in complying, so they find ways around it.”
This friction is the problem that leads to even more problems.
When users abandon login processes or are forced to delay, it’s not just productivity that’s lost. Security debt builds up as users pass credentials around – maybe via Slack or text – and unsafe workarounds turn into silent opportunities for threat actors and opportunists. Sacrificing security because normal processes are too slow isn’t defensible in year-end reviews.
Third Parties Willing to Take On Access Themselves
Even though it would entail additional operational overhead, B2B partners have indicated a willingness to handle their own identity and access management if it means getting things done faster.
According to the report, 54% want the ability to reset their own authentication factors, and 52% want personal access to their current entitlements. No middleman. No central IT gumming up the works.
Users wanted a self-service portal where “external partners could…review their access without so much bureaucracy,” and “improved automation workflows” were also requested to reduce delays in access granting.
Third parties benefit as much from the partnership as the host organization, and don’t want their deliverables, metrics, and services held up by IAM processes that treat them like a third priority. They feel much more comfortable when access and provisioning are in their own hands.
The Legal Implications of Sharing Access Governance
Most organizations that are unsure of where the legal line is drawn naturally feel more comfortable keeping partner IAM in-house.
The reality is that it’s a mixed bag. The Thales research reveals the gap between intent and execution: while nearly half (49%) of organizations currently offer self-service capabilities to partners, that still leaves the majority without them, meaning most partners remain dependent on host organization ticket queues and manual workflows to get access.
And while the presence of a shared model is good, it also suggests that the partner onboarding process could be inconsistent across organizations, reintroducing the friction that the shared model was designed to eliminate.
The way to realign is and always has been to map to established frameworks.
- NIST SP 800-53 establishes supplier risk (SR) controls to ensure partners meet criteria like access restrictions and least-privilege access.
- NIST CSF 2.0 emphasizes the governance of the “extended business ecosystem – suppliers, vendors, and partners.”
- ISO 27001 requires host organizations to manage risk from service providers and external suppliers (in alignment with NIST mappings).
- SOC 2 states that SaaS and cloud vendors must manage vendor risk and access to data, with audits scrutinizing third-party integrations and partner access provisioning.
- DORA in the EU mandates that financial institutions manage ICT third-party risk across the lifecycle, from access to termination. It explicitly requires third-party IAM governance and continual monitoring of vendor access.
Most cybersecurity standards have moved away from treating third parties as separate entities when it comes to governance and accountability. Instead, partners are treated as extensions of your identity perimeter.
This puts the legal ball squarely in the host organization’s court for B2B IAM, partner onboarding, and lifecycle and access management. Consequently, many are reluctant to hand that ball over to partner entities that don’t bear the ultimate compliance responsibility for it, and yet the weight of partner IAM governance still needs to be shared.
The Delegated User Management model solves both problems.
Extended Enterprise Access Shares Work, Keeps Control
Extended Enterprise Access lets host organizations maintain overarching control over identity systems, through capabilities such as Delegated User Management, while still giving third parties the IAM autonomy they want.
- Host Organization: Owns the IAM relationship and delegates access rights and controls to the partners. While access is shared (on a pre-determined basis), applications and data remain under the host’s control.
- Partner Delegation: The pre-determined IAM privileges are officially handed over to the third party (a Delegated Manager). This manager is the proxy IAM admin for the partner-side users.
- Access Granted: The partner organization can grant, revoke, or update access to keep pace with business needs. This is done by the Delegated Manager, without having to enter host organization ticket queues or workflows.
- New Access Requests: When a new user on the partner side wants to request access (that wasn’t there before), the Delegated Manager still acts as point-person to make those requests with the host, streamlining the process.
The result is the best of both worlds: the host organization retains full control over data, applications, and IAM policies (it is, after all, the one that will bear 100% of the compliance responsibility). But within the scope it has allotted, the third party is allowed to perform designated IAM tasks that take the burden off the host and let the partner get access to the things it needs when it needs them.
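The scope boundary this model depends on can be made concrete in code. The following is an added example (not Thales product code) of the enforcement logic: the host pre-approves a per-partner entitlement scope and a roster of Delegated Managers; grants inside the scope proceed without a host ticket, anything outside is escalated to the host rather than silently granted, and every decision lands in a host-visible audit trail. The partner domain, entitlement names and manager roster are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example of the Delegated User Management pattern; not Thales code.
# The host owns the policy (scopes); the Delegated Manager acts only within it.

@dataclass(frozen=True)
class DelegationScope:
    partner: str                          # partner domain, e.g. "acme.example"
    allowed_entitlements: frozenset[str]  # host-approved entitlements
    managers: frozenset[str]              # partner users acting as Delegated Manager

@dataclass(frozen=True)
class Outcome:
    action: str   # "granted" | "revoked" | "escalated" | "denied"
    reason: str

@dataclass
class DelegatedUserManagement:
    scopes: dict[str, DelegationScope]                    # host-owned policy
    grants: dict[str, set[str]] = field(default_factory=dict)
    pending_requests: list[tuple[str, str, str]] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)    # host-visible trail

    def _authorize(self, manager: str, partner: str, user: str) -> str | None:
        scope = self.scopes.get(partner)
        if scope is None or manager not in scope.managers:
            return f"{manager} is not a Delegated Manager for {partner}"
        if not user.endswith("@" + partner):
            return f"{user} is not a {partner} user"  # no cross-partner delegation
        return None

    def _record(self, action: str, reason: str) -> Outcome:
        self.audit_log.append(f"{action}: {reason}")
        return Outcome(action, reason)

    def grant(self, manager: str, partner: str, user: str, entitlement: str) -> Outcome:
        if (err := self._authorize(manager, partner, user)):
            return self._record("denied", err)
        if entitlement not in self.scopes[partner].allowed_entitlements:
            # Outside the pre-approved scope: becomes a request to the host, not a grant.
            self.pending_requests.append((partner, user, entitlement))
            return self._record("escalated", f"{entitlement} is outside {partner}'s delegated scope")
        self.grants.setdefault(user, set()).add(entitlement)
        return self._record("granted", f"{manager} granted {entitlement} to {user}")

    def revoke(self, manager: str, partner: str, user: str, entitlement: str) -> Outcome:
        if (err := self._authorize(manager, partner, user)):
            return self._record("denied", err)
        self.grants.get(user, set()).discard(entitlement)
        return self._record("revoked", f"{manager} revoked {entitlement} from {user}")
```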
Don’t Let B2B Access Interfere with the Bottom Line
There is never a good reason for allowing B2B access to interfere with the bottom line. Once things reach that point, structural change is needed.
If partner access introduces so much friction that people are forced to resort to insecure authentication, then B2B IAM has just risen from an IT problem to an organizational risk. And that makes it everyone’s problem.

Ammar is a digital transformation leader specializing in Product Marketing with a focus on B2C Customer Identity and Access Management (CIAM) within the Identity and Access Management (IAM) sector at Thales. He is a recognized thought leader in digital banking and payments, sharing insights at various international conferences and authoring articles for industry publications. When not implementing strong customer authentication and fraud prevention strategies, Ammar enjoys a nice game of cricket!