In the wake of the largest educational data breach on record, which targeted Instructure’s Canvas, higher education IT leaders are being pushed to formalize vendor-risk management. The breach impacted an estimated 275 million students, teachers, and staff across about 9,000 institutions. A new advisory highlights immediate response steps taken by universities—including real-time Canvas user warnings—and frames the long-term need for systematic controls around vendor access, incident response readiness, and communication playbooks across campus stakeholders. For colleges and universities, the breach raises a governance question: how to ensure that third-party learning platforms meet institutional security expectations, especially for identity management and authentication workflows that touch both student services and research administration.