Everyone wants faster collaboration.
No one wants to own the lifecycle of a third-party identity.
You Don’t Own the Identity, But You’re Responsible for It
In today’s enterprise, your user base extends far beyond employees. Contractors, vendors, partners, franchisees, gig workers, interns, consultants, joint ventures—you name it. These are people (and sometimes orgs) who need access to your systems, your data, and your customers.
But here’s the problem: they don’t live in your HR system. And if you don’t own the authoritative source of truth, you’re left trying to manage risk with one hand tied behind your back.
Who requested their access?
Who approved it?
Who’s responsible for removing it when the job ends?
If you can’t answer those questions in real-time, you’re not governing external identities. You’re just hoping they don’t become your next breach headline.
The Lifecycle Is Broken (Or Missing Altogether)
Most organizations have reasonably mature JML (Joiner-Mover-Leaver) processes for full-time employees. But for non-employees?
It’s a different story.
Provisioning is often ad hoc. Contractors are added directly to Active Directory. Vendors get accounts in business-critical apps like Salesforce or Workday, but without a clear owner. There’s rarely a formal offboarding process. And expiration dates? Optional at best. This is how orphaned accounts happen. And orphaned accounts are exactly what threat actors look for. In fact, one of the most commonly cited issues during breach investigations is the presence of unmanaged or unexpired third-party accounts—identities that had access long after their engagement ended, often without oversight or even awareness by the identity team.
And it’s not just a breach risk. In regulated industries, unmanaged external accounts can lead to compliance violations, audit failures, and hefty fines. The only thing worse than an unauthorized user getting in is finding out they were authorized, and nobody knew why.
Federation Is Not Governance
Many companies try to solve the external identity challenge by implementing federation or SSO. And yes—federation is a great start. It eliminates password management, enforces MFA at the source, and improves the user experience.
But federation alone doesn’t solve the bigger problem.
It doesn’t help you decide who should get access, or for how long. It doesn’t establish ownership. And it certainly doesn’t help when you need to answer, “Who approved this?” during your next audit.
Without governance around federated identities, you’ve essentially outsourced identity control without implementing identity accountability.
What Modern Governance Looks Like for External Users
So how do you govern identities you don’t technically own?
Start by anchoring them in something you do control: sponsorship and accountability.
Every external user should have a clear sponsor inside your organization. That sponsor should request the access, justify it, and be responsible for certifying it regularly. No sponsor? No access. Next, assign a lifecycle to every external identity. Use start and end dates. Implement auto-expiration policies and require access justification for extensions. When the engagement ends, so should the access.
And don’t stop at provisioning. Include external identities in your access reviews and risk scoring models. They may not be employees, but they still touch your systems, your customers, and your compliance obligations.
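The sponsorship and lifecycle rules above (and the orphaned-account problem described earlier) can be turned into a concrete check. The following is an added example, not code from the original post or from any vendor it mentions: it audits a constructed export of external identities and flags the conditions the post names. Field names and the 90-day certification window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class ExternalIdentity:
    user: str
    sponsor: Optional[str]            # internal employee accountable for this identity
    start: date
    end: Optional[date]               # None means no expiration was ever set
    last_certified: Optional[date]    # last sponsor attestation; None means never
    extension_justified: bool = True  # False if the end date was pushed out with no justification

def lifecycle_findings(ident: ExternalIdentity, today: date, max_cert_age_days: int = 90) -> List[str]:
    """Return the governance gaps for one external identity (empty list = compliant)."""
    findings = []
    if not ident.sponsor:                       # "No sponsor? No access."
        findings.append("no sponsor")
    if ident.end is None:                       # no lifecycle end date at all
        findings.append("no expiration")
    elif ident.end < today:                     # engagement ended, access did not
        findings.append("expired but still active")
    if ident.last_certified is None or (today - ident.last_certified).days > max_cert_age_days:
        findings.append("certification overdue")
    if not ident.extension_justified:           # extension granted without a stated reason
        findings.append("extension without justification")
    return findings

def audit(identities: List[ExternalIdentity], today: date, max_cert_age_days: int = 90) -> Dict[str, List[str]]:
    """Map each non-compliant user to its findings; compliant users are omitted."""
    return {i.user: f for i in identities if (f := lifecycle_findings(i, today, max_cert_age_days))}

# Constructed sample export (assumed format; not real accounts).
AUDIT_DATE = date(2025, 3, 1)
SAMPLE = [
    ExternalIdentity("vendor-alice", "bob@corp", date(2024, 1, 15), date(2024, 6, 30), date(2024, 5, 1)),
    ExternalIdentity("contractor-carol", None, date(2023, 9, 1), None, None),
    ExternalIdentity("partner-dave", "erin@corp", date(2025, 1, 10), date(2025, 12, 31), date(2025, 2, 15)),
    ExternalIdentity("intern-frank", "gina@corp", date(2024, 11, 1), date(2025, 9, 30), date(2025, 1, 20), False),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, AUDIT_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

Feeding a real directory or IGA export through the same check gives a list of the accounts that would otherwise drift out of certification cycles.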
Why Identity Proofing Still Matters
One of the most overlooked yet essential components of external identity governance is identity proofing—the act of verifying that someone is who they claim to be before they’re granted access to your systems.
In a traditional enterprise, identity assurance came from HR onboarding, background checks, and a corporate-issued device. But in a decentralized, hybrid, and SaaS-first environment, the “employee directory” no longer tells the full story. Contractors, vendors, and partners are often onboarded outside of HR systems. That means you are responsible for establishing trust—and doing it fast, without compromising security.
This is where identity proofing comes in.
At the most basic level, proofing can involve validating government-issued IDs. This step is critical in high-risk industries like financial services and healthcare, where verifying someone’s legal identity is necessary for both compliance and risk mitigation. More advanced implementations layer on biometric checks—verifying that the face or fingerprint presented matches the person on the ID, and even that the interaction is happening in real time.
This is where vendors like iProov shine. Their biometric face authentication solutions aren’t just matching faces—they’re using liveness detection and deepfake resistance to ensure the person on the other end of the screen is real, present, and not being spoofed. This kind of assurance is vital for high-stakes access, such as granting contractors access to privileged financial systems or compliance-sensitive healthcare platforms.
Then there’s Socure, which takes a data-driven approach. Socure combines identity proofing, fraud signals, and machine learning to deliver predictive identity confidence scores. Their platform uses thousands of signals—from device fingerprinting to behavioral biometrics—to reduce false positives and improve conversion rates. This is especially useful when you need to balance user experience and risk, such as in onboarding workflows for external partners or customers where friction can hurt business velocity.
For organizations looking to plug proofing into a broader identity orchestration framework, IDDataweb offers a modular, API-first platform that integrates real-time verification checks into IAM workflows. Their Attribute Exchange Network (AXN) connects to authoritative data sources (DMV records, telcos, government agencies) and provides on-demand validation of identity attributes. This is ideal for enterprises implementing adaptive identity workflows—where access decisions change based on risk level, context, and proofing confidence.
Together, these vendors help modern IAM programs do more than just authenticate credentials—they help verify the human behind the credential, and provide assurance that the access being granted is going to the right person at the right time, for the right reason.
In the context of a Zero Trust architecture, identity proofing isn’t just the front door—it’s the lock, the security camera, and the bouncer with the guest list. It ensures that every external identity is scrutinized with the same level of confidence as internal ones, if not more.
As enterprises continue to expand their digital borders and rely on users they don’t directly employ, identity proofing isn’t a luxury or an add-on. It’s a foundational control. If your IAM program doesn’t include it, you’re not governing identities—you’re guessing.
Responsibility Without Control Is Still Responsibility
There’s a trap many organizations fall into—and it starts with convenience. A business unit brings in a contractor. A partner needs access to a shared portal. A vendor asks for integration into your support system. And to keep things moving, someone on the IT or security team does what feels like a small favor: grants the access and moves on.
No lifecycle.
No expiration date.
No defined owner.
And because that identity isn’t in Workday or Azure AD in the traditional sense, it quietly drifts out of view. No one checks its entitlements during certification cycles. No one revisits the risk posture as time passes. That account could have access for six months—or six years. You won’t know unless you’re looking.
This is how third-party access turns from a collaboration enabler into a ticking time bomb.
Let’s be honest—governing identities you don’t own is messy. It’s politically tricky. It often lacks clear lines of accountability. But that doesn’t make it optional. In fact, it’s the very reason it needs more attention.
Whether that account is tied to your employee or not…
Whether it was provisioned through your HR system or by a business lead…
Whether the user logs in once a day or once a year…
If they can touch your systems, your data, or your customers, your organization is accountable for what they do.
And that means you either implement governance or you inherit risk.
So the next time a request comes in—“Can we just give them access?”—treat it for what it really is: a contract. A contract between your company and an identity you didn’t hire, can’t see, and don’t control.
And if you’re going to sign that contract, make sure your IAM program is ready to enforce the terms.
Because responsibility without control doesn’t reduce the consequences. It just reduces your ability to respond when something goes wrong.