SailPoint NERM Non-Employee Risk Management
Contractors, vendors, auditors, and service accounts routinely outnumber employees in the modern enterprise, yet most identity programs are built around the HR system of record and treat everyone else as an afterthought. SailPoint NERM (formerly SecZetta) governs the non-employee population with the same rigor - sponsor accountability, time-bound access, and continuous risk scoring - that regulated organizations already expect for their workforce. GCA implements SailPoint Non-Employee Risk Management and integrates it with your existing identity governance program.
What Is SailPoint NERM?
SailPoint NERM - Non-Employee Risk Management - is a purpose-built identity platform for the population that traditional identity governance and administration programs consistently underserve: contractors, consultants, vendors, auditors, franchisees, board members, and increasingly, non-human identities such as service accounts and bots. SailPoint acquired SecZetta in 2023 and has continued to develop the platform under the NERM name as a dedicated non-employee identity risk solution, distinct from - but designed to integrate with - SailPoint IdentityIQ and Identity Security Cloud.
The reason NERM exists as its own category, rather than as a feature bolted onto core identity governance, is structural. Most identity programs are built around the HR system of record: an employee is hired, appears in the HRIS, and identity governance takes it from there. Non-employees rarely enter through that path. They are onboarded through procurement, legal, staffing agencies, or a business unit's own spreadsheet - long before, if ever, they touch an identity governance workflow. SailPoint NERM is designed to be the authoritative source for exactly this population: identities that are real, that need access, and that no single system of record fully owns.
The Non-Employee Identity Risk Problem
Every regulated organization we have worked with carries some version of the same exposure. Contractor and vendor accounts are provisioned quickly to unblock a project, and there is no equally fast, equally reliable process to deprovision them when the engagement ends. Sponsorship - the internal employee accountable for why a non-employee has access - is informal or undocumented, so when that sponsor leaves the organization, the non-employee identity they were responsible for becomes orphaned rather than automatically flagged for review. Risk scoring, where it exists at all, is applied inconsistently between departments that source contractors differently.
The consequence shows up first in audit findings: unsupportable access, entitlements with no documented business justification, and accounts that outlived the engagement that created them. In our experience, non-employee access accounts for a disproportionate share of the "who authorized this" findings identity auditors raise, precisely because the identity lifecycle discipline applied to employees was never extended to everyone else touching the environment.
This is not a niche problem. Non-employee populations - contractors, managed service provider staff, temporary workers, and third-party partners - frequently rival or exceed employee headcount in industries that rely heavily on outsourced labor, seasonal staffing, or extended supply chains: healthcare (traveling clinicians, locum physicians, credentialed vendors), financial services (consultants, auditors, outsourced operations staff), energy and utilities (engineering contractors, OEM support personnel), and manufacturing (temporary labor, supply-chain partners). Each of these verticals also carries specific regulatory exposure - HIPAA minimum-necessary access for clinical contractors, SOX segregation of duties for financial consultants, NERC CIP personnel risk assessment for utility contractors - that a spreadsheet-based non-employee process cannot demonstrably satisfy.
SailPoint NERM Capabilities
Identity Proofing and Risk-Based Onboarding
NERM applies identity proofing and configurable risk assessment at the point of onboarding, before access is ever granted. Non-employees are evaluated against risk criteria specific to their type, engagement, and the systems they will touch - not treated as a single undifferentiated population.
- Identity proofing workflows scoped to non-employee type (contractor, vendor, auditor, service account)
- Configurable risk criteria at intake: engagement type, data sensitivity, system access requested
- Collection of the source records - contracts, engagement letters, background check status - that make a risk decision defensible
- Integration with existing background screening and vendor risk management processes
Lifecycle Management for Contractors, Vendors, and Bots
NERM manages the full lifecycle of non-employee identities - including non-human identities such as service accounts, RPA bots, and API-driven integrations - from onboarding through engagement changes to offboarding, without relying on the HR system that governs employee lifecycle.
- Multiple non-employee "types" with distinct lifecycle rules and access templates
- Engagement-based provisioning tied to contract start and end dates, not open-ended access
- Support for non-human identities - service accounts, bots, and integration accounts - as first-class, governed identities
- Automated offboarding triggered by contract end, engagement closure, or sponsor action
Sponsor Accountability and Time-Bound Access
Every non-employee identity in a properly configured NERM deployment has a named sponsor, an explicit business justification, and a defined expiration date. This is the structural control that eliminates the "nobody remembers why this contractor has access" finding.
- Named sponsor and documented business justification required at onboarding
- Access defaults to time-bound rather than standing, with renewal requiring active re-attestation
- Automated re-sponsorship workflow when a sponsor leaves the organization or changes roles
- Escalation and automatic access suspension when sponsorship lapses without resolution
Risk Scoring and Continuous Monitoring
NERM applies continuous, configurable risk scoring to the non-employee population rather than a one-time assessment at intake. High-risk populations - privileged contractors, vendors with access to regulated data, or identities flagged by external screening - can be surfaced for accelerated review.
- Configurable risk scoring models weighted by access sensitivity, engagement type, and history
- Continuous monitoring rather than point-in-time risk assessment
- Risk-based prioritization for access certification and manual review
- Integration with third-party risk intelligence and vendor risk management platforms
Self-Service Onboarding Portal
A self-service portal shortens time-to-productive-access for legitimate non-employees while keeping every request routed through the correct approval chain - procurement, legal, security, or the business owner - rather than an email thread.
- Self-service intake configured around the client's actual procurement, legal, and security approval chains
- Structured data capture at intake replacing free-text justification and spreadsheet tracking
- Delegated administration for staffing agencies and vendor management offices submitting on a non-employee's behalf
- Status visibility for sponsors and requesters throughout the approval process
Attestation and Audit Evidence
Sponsor re-attestation, access certification, and non-employee inventory reporting produce the audit evidence that non-employee access is reviewed on a defined cadence - not assembled retroactively when an auditor asks.
- Scheduled sponsor re-attestation distinct from standard employee access certification campaigns
- Non-employee inventory and risk reporting for internal audit and regulatory review
- Evidence packaging that ties each active non-employee identity to a current sponsor, justification, and expiration date
- Reporting scoped to the regulatory frameworks driving the engagement - HIPAA, SOX, NERC CIP, and others
How GCA Implements NERM
NERM delivers the most value when it is not treated as an island. GCA's implementation approach starts with an inventory of the client's actual non-employee sourcing paths - procurement, staffing agencies, business-unit-direct engagement, franchise relationships - because those paths determine how onboarding should be structured, not a generic template. From there, we design the sponsor accountability model, engagement-based lifecycle rules, and risk scoring criteria against the client's real regulatory exposure, then integrate NERM with the existing SailPoint IdentityIQ or Identity Security Cloud environment so non-employees flow into the same provisioning, certification, and segregation-of-duties fabric that already governs the employee population.
That integration step matters more than it might appear. A non-employee governance program that runs entirely separate from core IGA produces a second silo, not a solution - two populations, two certification cadences, two sets of audit evidence that do not reconcile. GCA configures NERM so it becomes one governance model with two identity sources, which is the outcome auditors and security teams are actually looking for.
Assess
Inventory non-employee sourcing paths, current onboarding and offboarding processes (or lack of them), existing risk scoring practices, and the regulatory frameworks driving the engagement.
Design
Define non-employee types and lifecycle rules, sponsor accountability workflows, risk scoring criteria, and the approval chains the self-service portal needs to route against.
Implement
Configure NERM, integrate with IdentityIQ or Identity Security Cloud for shared provisioning and certification, and connect source systems - procurement, staffing agency feeds, contract management - where they exist.
Operate
Run sponsor re-attestation and risk-based certification campaigns, tune risk scoring as the non-employee population changes, and maintain the integration as connected systems evolve. Available as an ongoing managed service through GCA's managed identity practice.
Who Needs Non-Employee Risk Management
Non-employee identity risk is not exclusive to any single industry, but it is most acute - and carries the most direct regulatory consequence - in sectors that rely heavily on third-party labor and hold regulated data. Healthcare organizations manage credentialed clinical contractors and locum physicians against HIPAA minimum-necessary access requirements. Financial services firms manage consultants and outsourced operations staff against SOX segregation-of-duties controls. Energy and utility operators manage engineering contractors and OEM support personnel against NERC CIP-004 personnel risk assessment and access revocation requirements. Government agencies and contractors manage large contractor workforces under identity, credential, and access management (ICAM) obligations that require proofing and lifecycle controls distinct from federal employee processes.
In each of these cases, the underlying problem is the same one NERM is built to solve: the organization's identity governance program has structured discipline for employees and none for everyone else, and auditors, regulators, or both are asking why.
Frequently Asked Questions
What does NERM stand for, and how is it different from SecZetta?
NERM stands for Non-Employee Risk Management. SailPoint acquired SecZetta in 2023 and has continued developing the platform's non-employee identity risk capabilities under the SailPoint NERM name - you may also see it referred to as NERM SailPoint or NERM SecZetta in older documentation, but it is the same underlying product lineage. The core capability - governing identities outside the HR system of record with sponsor accountability, risk scoring, and lifecycle automation - has not changed; the branding has.
Do we need NERM if we already have SailPoint IdentityIQ or Identity Security Cloud?
Most likely yes, if non-employees make up a meaningful share of your access population. Core IGA platforms are built around identities sourced from an HR system. Non-employees typically enter the organization through procurement, staffing agencies, or business units directly, which means they never reliably appear as clean, timely records in the HR feed that IGA depends on. NERM is designed to be the authoritative source for exactly that population, and to integrate with IdentityIQ or Identity Security Cloud so non-employees are governed under the same certification and access model as everyone else, rather than in a separate, disconnected process.
Can NERM govern non-human identities like service accounts and bots?
Yes. NERM supports non-employee "types" beyond human contractors and vendors, including service accounts, RPA bots, and integration accounts, with sponsor accountability and lifecycle rules that apply to those identities as well. This matters increasingly as non-human identities proliferate faster than human ones in most enterprise environments.
What happens to non-employee access if the sponsoring employee leaves the company?
In a properly configured NERM deployment, sponsorship is tracked as a first-class attribute of the non-employee identity, not an informal note. When a sponsor leaves or changes roles, the platform can automatically trigger a re-sponsorship workflow, routing the identity to a new accountable owner for review. If no new sponsor is assigned within a defined window, access can be automatically suspended - preventing the identity from becoming an orphaned account with nobody accountable for it, which is one of the most common non-employee audit findings.
How long does a NERM implementation typically take?
Timelines depend heavily on how many non-employee sourcing paths exist and how much integration with procurement, staffing agency, and contract management systems is required. A focused deployment covering one or two non-employee types with a defined sponsor model can move faster than a program spanning contractors, vendors, franchisees, and non-human identities across multiple business units. In our experience, the discovery phase - inventorying how non-employees actually enter the organization today - is often the pacing factor, more than the platform configuration itself.
Does non-employee risk management apply outside regulated industries?
The underlying access risk - unaccountable sponsorship, orphaned contractor accounts, inconsistent onboarding - exists in any organization with a meaningful contractor or vendor population, regardless of sector. Regulated industries face the sharpest consequences because a specific standard (HIPAA, SOX, NERC CIP, or federal ICAM requirements, depending on the sector) gives an auditor or regulator explicit grounds to test non-employee access controls. Organizations outside those sectors still carry the operational and fraud risk; they simply face it without a named regulatory citation attached.
Related SailPoint Solutions
SailPoint Overview
GCA's full SailPoint practice across IdentityIQ, Identity Security Cloud, and NERM.
SailPoint IIQ to ISC Migration
Migrating from SailPoint IdentityIQ to Identity Security Cloud, phased and audit-continuous.
Identity Governance
Access certification, RBAC, and segregation-of-duties across the major IGA platforms.
Govern Every Non-Employee Identity, Not Just Your Workforce
From sponsor accountability to risk-based onboarding and audit-ready evidence - GCA implements SailPoint NERM and integrates it into your existing identity governance program.