Security teams should place policy checks at the issuer, not only at the application, for scopes that carry meaningful risk. The decision should use current context, grant type, and downstream impact so the same entitlement is not approved blindly across every request path. That keeps token creation aligned with live conditions instead of stale configuration.
Why This Matters for Security Teams
Runtime authorisation at token issuance is where security teams can stop overbroad access before it exists. In multi-application environments, the same NHI may request tokens for different tools, data stores, and automation paths, so static RBAC at the application layer is often too late. Current guidance suggests shifting the decision to the issuer and evaluating live context, because downstream impact changes with each request path. That is especially important when tokens are reused across SaaS, CI/CD, and internal services.
Entro Security found that 60% of NHIs are overused, meaning the same identity is shared by more than one application, which magnifies the blast radius when issuance is too permissive. NIST Cybersecurity Framework 2.0 reinforces the need to control access decisions as part of a wider identity and governance programme, not as an afterthought. The practical lesson is simple: if token creation is treated as a routine plumbing step, abuse often starts invisibly and is only noticed after cross-application access has already happened.
For incident context, the Salesloft OAuth token breach shows how issued credentials can become a pivot into sensitive data, while the Guide to the Secret Sprawl Challenge explains why issuance and storage must be treated as one control surface. In practice, many security teams discover token overreach only after one application has already used another application’s trust.
How It Works in Practice
The issuer should evaluate each token request against the requesting workload, the grant type, the intended audience, and the current risk state. That means checking whether the request is machine-to-machine, whether the NHI is authenticated through a workload identity, and whether the requested scope is justified for the specific transaction. If the request is high impact, the issuer can require stronger conditions, shorten token lifetime, or deny issuance entirely. NIST Cybersecurity Framework 2.0 and NIST SP 800-207 both support context-aware access decisions, which is the right model here even when the implementation details vary.
A practical pattern is to combine policy-as-code with ephemeral credentials. Instead of granting a broad standing token, issue a short-lived token only when the current context matches policy. That context can include source workload, environment, device posture, time window, downstream API, and whether the request is part of an approved automation workflow. Where available, workload identity standards such as SPIFFE help anchor the decision in cryptographic proof of what the agent or service is, not just what it claims to be.
- Evaluate risk at issuance time, not only at resource access time.
- Bind scope to the specific app, API, or data plane that needs it.
- Use short TTLs and automatic revocation for JIT credentials.
- Log denied requests so policy gaps become visible.
- Review shared NHI usage across applications to reduce trust leakage.
The JetBrains GitHub plugin token exposure illustrates how development tooling can leak credentials into places that were never meant to hold them, and the State of Secrets Sprawl 2026 shows how widespread exposure becomes when secrets are not constrained at creation. These controls tend to break down when legacy applications require long-lived tokens because the issuer cannot safely enforce short-lived, context-bound issuance without breaking the workflow.
Common Variations and Edge Cases
Tighter runtime authorisation often increases operational overhead, so organisations must balance stronger control against developer friction and service availability. Best practice is evolving, and there is no universal standard for how much context should be required for every token request. The right answer depends on the sensitivity of the target system, the maturity of workload identity, and whether the environment can tolerate token churn without causing outages.
One common edge case is shared service accounts across multiple applications. That pattern makes issuer-side policy harder because the same identity may legitimately need different scopes in different paths, but it also weakens accountability. Another is asynchronous automation, where a token may be requested by one system and consumed later by another. In those cases, current guidance suggests pairing intent-based authorisation with short-lived tokens, then explicitly scoping the token to the expected downstream operation.
Another important exception is highly distributed SaaS integration. If the issuer cannot inspect downstream impact, security teams may need compensating controls such as step-up approval for privileged scopes, tighter vault governance, or per-application token brokers. The Dropbox Sign breach and the Cisco Active Directory credentials breach both underline the same point: if issuance is broad, exposure in one system can become enterprise-wide quickly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime issuance and short-lived credentials reduce overexposed NHI tokens. |
| NIST CSF 2.0 | PR.AC-4 | Context-aware issuance is an access control decision tied to least privilege. |
| NIST Zero Trust (SP 800-207) | Zero Trust supports continuous, context-based decisions for every credential issuance. |
Treat every token request as untrusted until policy, identity, and context are all satisfied.
