India’s pharmaceutical sector, the “world’s pharmacy” that supplies over 60% of global vaccine demand, is projected to reach a market size of $130 billion by 2030. This remarkable growth is powered not just by scientific innovation, but also by the sector’s ability to adopt and scale digital transformation. Having worked closely with pharmaceutical leaders on this journey, I’ve seen firsthand how identity security often becomes a blind spot. Unmanaged or orphaned credentials – especially those of third-party vendors, contractors, and former partners that linger long after engagement ends – pose a serious and often overlooked risk.
The duality of third-party relationships
India’s pharmaceutical ecosystem is vast and interconnected. From contract research organisations (CROs) and trial sites to logistics partners and outsourced information technology staff, third-party players are ingrained in every phase of the value chain. Third-party relationships now account for more than 40% of operational dependencies in the Indian pharmaceutical industry, according to KPMG’s 2025 report on pharma supply chain risks.
This intricacy is both a risk and a strength. While it allows for scale and agility, it also produces fragmented identity landscapes. Credentials tend to be shared informally, access rights are seldom removed in time, and visibility into who has access to what, and why, is appallingly low.
What you don’t see coming
Dormant access is when credentials remain active after the user no longer needs them. In pharma, this might be a CRO analyst who finished conducting a trial six months prior but still has access to the data repository, or a vendor whose admin account was never turned off following a system upgrade. These “ghost accounts” are prime targets for lateral movement, privilege escalation, and data exfiltration. A recent ICICI Lombard sector report highlighted that regulatory non-compliance due to unmanaged access is among the top five risks facing Indian pharma firms. And with the Digital Personal Data Protection (DPDP) Act now effective, the stakes have never been greater.
The cost of inaction
Let’s talk numbers. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a breach in the pharma sector is ₹17.5 crore ($2.1 million), with third-party access cited in 19% of incidents. In India alone, where pharma exports are likely to surpass ₹2.5 lakh crore by 2028, a single breach can put global alliances, regulatory approvals, and investor confidence at risk.
Moreover, reputational loss is more difficult to measure but much longer-lasting. In a business founded on trust with regulators, patients, or partners, security weaknesses can destroy credibility overnight.
Why traditional identity governance isn’t enough
Most pharma companies depend on ageing Identity and Access Management (IAM) systems that centre on employee access. Third-party identities, however, behave differently. They’re temporary, diverse, and usually don’t go through rigorous onboarding procedures. Without advanced identity security, these systems cannot identify silent access or enforce least-privilege rules.
What’s required is a move from static IAM to smart identity security solutions that regularly monitor access behaviour, raise alerts on anomalies, and deprovision automatically when roles change or contracts end.
Finding the right cure
I often advise pharma CXOs to view identity security as a strategic enabler of growth and trust, not just another compliance requirement. For Indian pharma, three priorities stand out:
- Regularly review who has access: Just as you would audit supply chains or clinical trial data, it’s vital to map out who has access to critical systems, whether ERP, LIMS, CRM, or cloud platforms, and close gaps like dormant or unnecessary access.
- Build access around the business lifecycle: Access should follow the rhythm of pharma operations, from research to trials to regulatory approvals. Once a project or contract ends, access should end automatically, reducing risk.
- Use intelligence to spot risks early: With AI-powered identity security tools, companies can flag unusual access behaviour and ensure people only have the level of access they truly need – freeing leaders from manual oversight.
With the DPDP Act emphasising purpose limitation and data minimisation, companies now need to justify every instance of access, not just where data is stored, but also who touched what, when, and why. Global regulators such as the US FDA and EMA are also sharpening cybersecurity expectations. For Indian pharma companies aspiring to win international approvals, strong identity security isn’t optional – it’s foundational to trust, compliance, and sustainable growth.
Looking ahead
As with any industry, even for Indian pharma, growth without governance is a formula for risk. As we adopt AI, cloud, and smart manufacturing, we also need to adopt intelligent identity security. Latent access can be out of sight, but not out of mind. It’s high time we bring it out in the open and ensure the future of Indian pharma one molecule at a time, one identity at a time.
Views expressed by: Abhishek Gupta, GVP – India, SailPoint
