Access Provisioning

Access provisioning is the process of creating and assigning permissions to a person, application, or workload. In mature IAM and NHI programs, provisioning is not just account creation. It includes scope control, ownership, and a defined path for revocation when the access is no longer needed.

Expanded Definition

Access provisioning is the operational step that turns identity decisions into live permissions. In NHI programs, it covers not only account creation but also role assignment, ownership, scoping, and the approval path that determines who or what can act, call APIs, or reach infrastructure.

Definitions vary across vendors when provisioning is discussed alongside onboarding, entitlement management, and workflow automation, but no single standard governs this yet. For that reason, practitioners should treat provisioning as a lifecycle control, not a ticketing task. In Zero Trust Architecture, access should be continuously justified and limited to the minimum necessary scope, which aligns with the guidance in OWASP Non-Human Identity Top 10 and the lifecycle framing in NHI Lifecycle Management Guide.

The most common misapplication is treating access provisioning as a one-time setup, which occurs when teams issue credentials without binding them to ownership, expiry, and revocation triggers.

Examples and Use Cases

Implementing access provisioning rigorously often introduces approval and coordination overhead, requiring organisations to weigh speed of delivery against control over standing privilege.

  • A CI/CD pipeline receives a scoped service account only for the repositories and environments it deploys to, rather than broad workspace access.
  • An AI Agent is granted tool access for incident triage, but its permissions expire automatically after the workflow ends and are reviewed against Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
  • A third-party integration is provisioned with read-only API keys and explicit ownership, reflecting the supply chain risk patterns discussed in Top 10 NHI Issues.
  • A human operator requests elevated access for a maintenance window, then receives just-in-time credentials instead of a permanent privileged role.
  • Provisioning logic is embedded into onboarding workflows so the entitlement is tied to a business function and revoked when the workload is decommissioned.

These patterns align with the intent of the OWASP Non-Human Identity Top 10, which treats weak lifecycle handling as a security issue, not an administrative convenience.
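As an added illustration of the lifecycle controls described above (not code from the journal or from any product), the following Python sketch issues a grant only when it carries an owner, a scope, an expiry and a revocation trigger, and then reviews issued grants for ones that are no longer justified; the record fields, principal names, owners and trigger names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed grant record; the field names are assumptions, not any vendor's schema.
@dataclass(frozen=True)
class Grant:
    principal: str        # NHI or human receiving the access
    scope: frozenset      # resources the grant may touch
    owner: str            # accountable human or team
    expires_at: datetime  # hard expiry; no grant is open-ended
    revoke_on: str        # lifecycle trigger that ends the grant early

class ProvisioningError(ValueError):
    pass

def provision(principal, scope, owner, ttl, revoke_on, now, max_ttl=timedelta(hours=8)):
    """Issue a grant only if it is owned, scoped, time-boxed and has a revocation trigger."""
    if not owner:
        raise ProvisioningError("grant must have an owner")
    if not scope:
        raise ProvisioningError("grant must name the resources it covers")
    if not revoke_on:
        raise ProvisioningError("grant must define a revocation trigger")
    if ttl > max_ttl:
        raise ProvisioningError(f"ttl {ttl} exceeds maximum {max_ttl}")
    return Grant(principal, frozenset(scope), owner, now + ttl, revoke_on)

def review(grants, now, fired_triggers, active_owners):
    """Return (principal, reason) for each grant that is no longer justified.
    fired_triggers: set of (trigger, principal) pairs that have occurred."""
    findings = []
    for g in grants:
        if now >= g.expires_at:
            findings.append((g.principal, "expired"))
        elif (g.revoke_on, g.principal) in fired_triggers:
            findings.append((g.principal, f"trigger fired: {g.revoke_on}"))
        elif g.owner not in active_owners:
            findings.append((g.principal, "owner no longer present"))
    return findings

def sample_review():
    """Constructed scenario: three grants issued at t0, reviewed six hours later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants = [
        provision("ci-deployer", {"repo:payments", "env:staging"}, "platform", timedelta(hours=4), "pipeline_deleted", t0),
        provision("triage-agent", {"tool:incident.read"}, "secops", timedelta(hours=8), "workflow_ended", t0),
        provision("batch-etl", {"bucket:raw-events"}, "data-eng", timedelta(hours=8), "workload_decommissioned", t0),
    ]
    fired = {("workflow_ended", "triage-agent")}  # the agent's triage workflow has ended
    return review(grants, t0 + timedelta(hours=6), fired, active_owners={"platform", "secops"})
```

The review flags the expired CI grant, the agent grant whose workflow trigger fired, and the grant whose owning team is no longer present, which are the three revocation paths the examples above describe.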

Why It Matters in NHI Security

Access provisioning matters because most NHI failures are not caused by the initial request for access, but by what happens after it is granted and forgotten. NHI Mgmt Group research, reported in the Ultimate Guide to NHIs, finds that 97% of NHIs carry excessive privileges, which means provisioning decisions often outlive their intended business purpose and expand the attack surface.

When provisioning is unmanaged, organisations accumulate stale accounts, overbroad roles, and unowned service credentials that are difficult to review. That creates direct friction with Zero Trust and least-privilege programs, especially when access is issued outside a governed lifecycle or without clear revocation criteria. It also increases the chance that secrets remain valid long after the original need has disappeared, a pattern repeatedly highlighted in 52 NHI Breaches Analysis.

Organisations typically encounter access provisioning as a critical issue only after a breach, service outage, or audit finding exposes unmanaged entitlements, at which point addressing it becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-02              | Covers secret and entitlement sprawl created by weak provisioning.
NIST Zero Trust (SP 800-207)     | 3.1                 | Zero Trust requires continuous verification and least-privilege access decisions.
NIST CSF 2.0                     | PR.AC-4             | Access permissions should be managed to enforce least privilege and oversight.

Review NHI entitlements regularly and remove permissions that are no longer justified.