Identity Discovery

Identity discovery is the process of finding and cataloguing every identity, entitlement, and access path across the environment. In NHI programmes it is foundational because hidden service accounts, tokens, and machine identities create governance gaps that certification and offboarding cannot close.

Expanded Definition

Identity discovery is the disciplined process of locating every human and non-human identity, then mapping the entitlements, credentials, and access paths each one can use. In NHI programmes, the term is broader than simple account inventory because it must include service accounts, API keys, certificates, workload identities, and agent access. Definitions vary across vendors when they discuss “identity visibility,” but the operational goal is the same: establish a trusted inventory that can support governance, rotation, and revocation. The NIST Cybersecurity Framework 2.0 frames this work as part of asset and access management, while NHIMG research ties it directly to NHI lifecycle control in the Ultimate Guide to NHIs. Discovery is not a one-time scan; it must continuously reconcile cloud, CI/CD, SaaS, and runtime environments as identities appear and disappear.

The most common misapplication is treating identity discovery as a single IAM export, which occurs when teams ignore ephemeral workloads, embedded secrets, and third-party-issued credentials.
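The paragraph above stresses that discovery is a continuous reconciliation rather than a one-time scan. The following added example (it is not code from the journal or from NHIMG) compares two constructed discovery snapshots and reports which identities appeared, which disappeared, and which gained entitlements between runs. The snapshot contents, identity names and entitlement strings are all assumptions made up for the illustration.

```python
"""Reconcile two identity-discovery snapshots (added example, constructed data).

A snapshot maps an identity name to the set of entitlements it held when the
discovery run observed it. Diffing consecutive snapshots surfaces the three
things a continuous programme must react to: new identities that need an owner,
identities that vanished (were they really revoked?), and privilege creep.
"""
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]  # identity name -> entitlements observed

# Constructed snapshots from two hypothetical discovery runs; not real data.
PREVIOUS_RUN: Snapshot = {
    "svc-reporting": {"db.reader"},
    "svc-build": {"registry.push"},
    "svc-legacy-etl": {"db.admin"},
}
CURRENT_RUN: Snapshot = {
    "svc-reporting": {"db.reader", "db.writer"},  # entitlement grew since last run
    "svc-build": {"registry.push"},
    "agent-support-bot": {"tickets.read"},        # new agent identity appeared
}


def reconcile(previous: Snapshot, current: Snapshot) -> Dict[str, object]:
    """Return the changes between two runs that need a governance decision."""
    prev_names, cur_names = set(previous), set(current)
    common = prev_names & cur_names
    return {
        # Identities seen for the first time: assign an owner before they drift.
        "appeared": sorted(cur_names - prev_names),
        # Identities no longer observed: confirm the credential is actually revoked,
        # not merely missing from the source that used to report it.
        "disappeared": sorted(prev_names - cur_names),
        # Entitlements added to an existing identity: candidate privilege creep.
        "expanded": {
            name: sorted(current[name] - previous[name])
            for name in sorted(common)
            if current[name] - previous[name]
        },
        # Entitlements removed: useful evidence that a remediation took effect.
        "reduced": {
            name: sorted(previous[name] - current[name])
            for name in sorted(common)
            if previous[name] - current[name]
        },
    }


def needs_review(changes: Dict[str, object]) -> List[str]:
    """Flatten the diff into a list of identities that need a human decision."""
    names = list(changes["appeared"]) + list(changes["disappeared"])
    names += list(changes["expanded"])  # type: ignore[arg-type]
    return sorted(set(names))


if __name__ == "__main__":
    delta = reconcile(PREVIOUS_RUN, CURRENT_RUN)
    for key, value in delta.items():
        print(f"{key}: {value}")
    print("review queue:", needs_review(delta))
```

The "disappeared" bucket deserves the most scepticism in practice: an identity dropping out of one source (a cloud IAM export, say) does not prove that tokens it minted earlier are dead, so the reconciliation should trigger a revocation check rather than simply closing the record.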

Examples and Use Cases

Implementing identity discovery rigorously often introduces inventory noise and remediation overhead, requiring organisations to weigh complete visibility against the cost of normalising inconsistent data sources.

  • A cloud team discovers dormant service accounts with production database access, then classifies them for rotation and eventual removal using guidance from the NHI Lifecycle Management Guide.
  • A DevOps group scans CI/CD pipelines and finds API keys stored in build variables, code comments, and config files. That pattern aligns with broader secret exposure issues described in the 52 NHI Breaches Analysis.
  • An enterprise IAM team maps machine identities to workloads and Kubernetes namespaces, then validates ownership before applying least-privilege policies consistent with NIST Cybersecurity Framework 2.0.
  • A SaaS security review identifies third-party integrations that still hold valid tokens long after the business relationship changed, prompting a targeted cleanup.
  • An AI platform team inventories agents and tool credentials before enabling production access, because the identity surface expands quickly once an agent can act autonomously.

In practice, discovery should answer three questions: what exists, who or what owns it, and what it can access today.
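The use cases listed above (dormant service accounts with database access, keys embedded in CI/CD variables and config files, Kubernetes service accounts needing owners, and third-party tokens that outlive the relationship) and the three questions that discovery must answer are brought together in the following added example. It is not code from the journal or NHIMG: the source exports, identity names, token values, the 90-day dormancy threshold and the privilege heuristic are all constructed assumptions, and the secret patterns are simplified versions of common key formats.

```python
"""Multi-source identity discovery and triage (added example, constructed data).

Merges several hypothetical sources into one inventory, then flags the gaps the
article describes: unowned identities, dormant privileged accounts, secrets
embedded in pipelines and config, and third-party tokens that outlived the
business relationship. Every record answers: what exists, who owns it, and
what it can access today.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" for reproducibility
DORMANT_AFTER = timedelta(days=90)                  # assumption: dormancy threshold
PRIVILEGED_HINTS = ("admin", "owner", "db", "write")  # assumption: crude privilege heuristic

# Simplified credential patterns (constructed for the example, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_like": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat_like": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}


@dataclass
class Identity:
    name: str
    kind: str                      # service_account | api_key | k8s_sa | saas_token
    source: str                    # where discovery found it
    owner: Optional[str]           # None means nobody has claimed it
    access: List[str] = field(default_factory=list)
    last_used: Optional[datetime] = None
    third_party_active: Optional[bool] = None  # None = not a third-party credential


# Constructed sample exports; none of these values are real.
CLOUD_IAM = [
    {"name": "svc-reporting", "roles": ["db.reader"], "owner": "data-team",
     "last_used": "2024-12-30T10:00:00+00:00"},
    {"name": "svc-legacy-etl", "roles": ["db.admin"], "owner": None,
     "last_used": "2024-06-01T08:00:00+00:00"},
]
CI_VARIABLES = {"DEPLOY_TOKEN": "ghp_constructedExampleToken0123456789ABC", "REGION": "eu-west-1"}
CONFIG_FILE = "# api_key = AKIACONSTRUCTED0ABCD   (left behind in a comment)\nendpoint = https://api.example.invalid\n"
K8S_SERVICE_ACCOUNTS = [{"namespace": "payments", "name": "payments-worker", "owner": "payments-team"}]
SAAS_INTEGRATIONS = [{"vendor": "analytics-partner", "token_valid": True, "relationship_active": False}]


def discover() -> List[Identity]:
    """Normalise every source into Identity records (the 'what exists' answer)."""
    inventory: List[Identity] = []
    for sa in CLOUD_IAM:
        inventory.append(Identity(sa["name"], "service_account", "cloud-iam", sa["owner"],
                                  list(sa["roles"]), datetime.fromisoformat(sa["last_used"])))
    for var, value in CI_VARIABLES.items():           # keys hiding in build variables
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                inventory.append(Identity(f"ci:{var}", "api_key", "ci-variables", None, [label]))
    for lineno, line in enumerate(CONFIG_FILE.splitlines(), 1):  # keys hiding in files
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                inventory.append(Identity(f"config.ini:{lineno}", "api_key", "config-file", None, [label]))
    for sa in K8S_SERVICE_ACCOUNTS:
        inventory.append(Identity(f"{sa['namespace']}/{sa['name']}", "k8s_sa", "kubernetes",
                                  sa["owner"], [f"namespace:{sa['namespace']}"]))
    for integ in SAAS_INTEGRATIONS:
        if integ["token_valid"]:
            inventory.append(Identity(integ["vendor"], "saas_token", "saas-integrations", "vendor-mgmt",
                                      ["saas-api"], third_party_active=integ["relationship_active"]))
    return inventory


def assess(inventory: List[Identity]) -> Dict[str, List[str]]:
    """Classify the inventory into the remediation buckets the article describes."""
    findings: Dict[str, List[str]] = {"unowned": [], "dormant_privileged": [],
                                      "embedded_secret": [], "stale_third_party": []}
    for ident in inventory:
        if ident.owner is None:
            findings["unowned"].append(ident.name)
        privileged = any(h in a for a in ident.access for h in PRIVILEGED_HINTS)
        if ident.last_used is not None and NOW - ident.last_used > DORMANT_AFTER and privileged:
            findings["dormant_privileged"].append(ident.name)
        if ident.source in ("ci-variables", "config-file"):
            findings["embedded_secret"].append(ident.name)
        if ident.third_party_active is False:
            findings["stale_third_party"].append(ident.name)
    return findings


def revocation_scope(inventory: List[Identity], owner: str) -> List[str]:
    """Everything an offboarding of `owner` must revoke; incomplete discovery shrinks this list."""
    return sorted(i.name for i in inventory if i.owner == owner)


if __name__ == "__main__":
    inv = discover()
    for i in inv:
        print(f"{i.name:28} owner={i.owner or 'UNOWNED':15} access={i.access}")
    print(assess(inv))
```

The point of `revocation_scope` is the remediation failure the next section warns about: an offboarding driven only by the cloud IAM export would revoke `svc-reporting` but never see the key in the CI variable or the config comment, because those records only exist once the other sources are reconciled into the same inventory.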

Why It Matters in NHI Security

Identity discovery is the prerequisite for every serious NHI control because organisations cannot govern what they cannot see. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which explains why privilege creep, orphaned tokens, and unowned credentials persist. The risk is not only hidden access; it is also broken remediation. When discovery is incomplete, offboarding cannot revoke everything, rotation misses embedded secrets, and PAM or RBAC policies are applied to the wrong scope. That is why identity discovery belongs alongside Top 10 NHI Issues as a recurring governance activity, not a project milestone. It also supports Zero Trust and Zero Standing Privilege by proving which identities should exist before access is granted or retained.

Organisations typically treat identity discovery as an urgent requirement only after a breach, audit finding, or emergency token rotation, at which point building the inventory becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery underpins complete NHI inventory and ownership mapping. |
| NIST CSF 2.0 | ID.AM-1 | Asset management requires knowing identities and their access-relevant dependencies. |
| NIST Zero Trust (SP 800-207) | SP 5 | Zero Trust depends on continuously identifying subjects, devices, and workloads. |

Build and continuously reconcile an authoritative NHI inventory before granting or renewing access.