A method for external access control to protect system-on-chip (SoC) subsystems and stored subsystem assets is described. The method includes sensing, during a cold boot of an SoC hardware system, a debug fuse vector for access to SoC subsystems of an SoC owner and/or third-party subsystems of an SoC hardware architecture. The method also includes disabling access to each SoC subsystem with a blown fuse in the debug fuse vector. The method further includes re-enabling, by a secure root of trust, access to an SoC subsystem and/or a third-party subsystem for an external debugger when authentication of one or more debug certificates of a third-party owner of the external debugger is successful.