Subscribe to the Non-Human & AI Identity Journal

Why do campaign-based reviews often miss NHI risk?

Because they measure a point in time, while non-human identity (NHI) risk changes across the lifecycle. Service accounts can be repurposed, abandoned, or over-privileged between campaigns, so a review can be accurate on the day it is performed and obsolete soon after. Event-driven governance is more effective than calendar-only certification.

Why This Matters for Security Teams

Campaign-based reviews are useful for governance reporting, but they are a weak fit for NHI security because the asset being reviewed is not static. Service accounts, API keys, certificates, and machine tokens can be copied into code, inherited by new workloads, or left active long after the original use case ends. That creates a gap between what a reviewer sees and what is actually exploitable in production. NHI Mgmt Group research shows that 71% of NHIs are not rotated within recommended time frames, which helps explain why point-in-time certification often lags operational reality, as covered in the Ultimate Guide to NHIs.

This is where calendar-only controls also diverge from modern security expectations. Guidance in NIST Cybersecurity Framework 2.0 emphasizes continuous risk management, which fits identities that change status, privilege, and ownership over time. For practitioners, the issue is not whether the review was performed correctly, but whether the risk posture changed the next day. In practice, many security teams discover NHI exposure only after a credential has already been reused, repurposed, or quietly expanded into a higher-risk pathway.

How It Works in Practice

Effective NHI governance treats review as one input, not the control itself. The operational model starts with inventory, then moves to ownership, scope, rotation, and revocation tied to lifecycle events such as deployment, decommissioning, role change, or unusual usage. That is why NHI-specific guidance in the Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks places such a strong emphasis on visibility, rotation, and offboarding.

In practice, the workflow should look like this:

  • Bind each NHI to a named owner and a business purpose so reviewers can validate context, not just existence.
  • Use just-in-time credential issuance where possible, so access is short-lived and task-bound instead of persistent.
  • Rotate secrets automatically after deployment changes, failed jobs, privilege escalation, or inactivity thresholds.
  • Revoke credentials when the workload is retired, not at the next quarterly or annual campaign.
  • Monitor for drift between approved entitlements and actual usage, especially for service accounts with broad access.
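The workflow above is easier to reason about as a small policy engine. The following Python is an added illustration, not code from the original page or from NHI Mgmt Group: it models an NHI inventory with a named owner, purpose and approved scopes, replays a stream of lifecycle and usage events (event type names, the 90-day rotation age, the 30-day inactivity threshold, and all identities and scopes are assumptions, constructed for the example), and emits the actions a reviewer would otherwise only discover at the next campaign: rotate after a deployment, revoke on workload retirement, flag unowned identities, and report drift between approved and observed entitlements. It also raises an alert when a revoked credential is still presented, which no point-in-time review can see.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Added example, not from the original page. All identities, scopes, event
# names and thresholds below are constructed assumptions for illustration.

@dataclass
class NHI:
    nhi_id: str
    owner: Optional[str]        # named human owner; None means unowned
    purpose: str                # business purpose a reviewer can validate
    approved_scopes: set[str]   # entitlements signed off at the last review
    last_rotated: datetime
    last_used: datetime
    active: bool = True
    used_scopes: set[str] = field(default_factory=set)  # observed at runtime

# Lifecycle events that trigger rotation or revocation (assumed names).
ROTATE_ON = {"deploy", "job_failed", "privilege_change"}
REVOKE_ON = {"workload_retired"}

def evaluate(inventory, events, now, max_age_days=90, inactivity_days=30):
    """Replay events, then check standing posture; returns (id, action, reason) tuples."""
    by_id = {n.nhi_id: n for n in inventory}
    actions = []
    # 1. Event-driven part: react to lifecycle events in time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        n = by_id.get(ev["nhi"])
        if n is None:
            continue
        if not n.active:
            # A revoked credential still being presented is itself a finding.
            if ev["type"] == "usage":
                actions.append((n.nhi_id, "ALERT", "use after revocation"))
            continue
        if ev["type"] in REVOKE_ON:
            n.active = False
            actions.append((n.nhi_id, "REVOKE", ev["type"]))
        elif ev["type"] in ROTATE_ON:
            n.last_rotated = ev["ts"]
            actions.append((n.nhi_id, "ROTATE", ev["type"]))
        elif ev["type"] == "usage":
            n.last_used = ev["ts"]
            n.used_scopes.update(ev["scopes"])
    # 2. Standing-posture part: ownership, secret age, inactivity, drift.
    for n in inventory:
        if not n.active:
            continue
        if n.owner is None:
            actions.append((n.nhi_id, "FLAG_UNOWNED", "no named owner"))
        if now - n.last_rotated > timedelta(days=max_age_days):
            actions.append((n.nhi_id, "ROTATE", f"secret older than {max_age_days}d"))
        if now - n.last_used > timedelta(days=inactivity_days):
            actions.append((n.nhi_id, "ROTATE", f"inactive > {inactivity_days}d"))
        unapproved = n.used_scopes - n.approved_scopes      # used but never approved
        if unapproved:
            actions.append((n.nhi_id, "DRIFT", f"unapproved scopes {sorted(unapproved)}"))
        unused = n.approved_scopes - n.used_scopes          # approved but never used
        if unused and n.used_scopes:
            actions.append((n.nhi_id, "OVERPRIVILEGED", f"unused scopes {sorted(unused)}"))
    return actions

def summarize(actions):
    """Map each NHI id to the sorted list of distinct action names raised for it."""
    out = {}
    for nhi_id, action, _ in actions:
        out.setdefault(nhi_id, set()).add(action)
    return {k: sorted(v) for k, v in out.items()}

NOW = datetime(2025, 6, 30)  # constructed evaluation time

def sample_inventory():
    d = datetime  # constructed inventory; fresh objects each call
    return [
        NHI("svc-billing", "alice", "invoice export", {"db:read", "db:write"}, d(2025, 1, 1), d(2025, 5, 15)),
        NHI("ci-deployer", None, "deploy pipeline", {"repo:write"}, d(2025, 3, 1), d(2025, 6, 1)),
        NHI("etl-legacy", "bob", "nightly ETL", {"bucket:read"}, d(2025, 6, 1), d(2025, 4, 1)),
        NHI("report-bot", "carol", "weekly report", {"reports:read"}, d(2025, 6, 1), d(2025, 4, 20)),
    ]

# Constructed event stream: a deploy, a retirement, and observed token usage.
EVENTS = [
    {"ts": datetime(2025, 6, 20), "nhi": "ci-deployer", "type": "deploy"},
    {"ts": datetime(2025, 6, 25), "nhi": "ci-deployer", "type": "usage", "scopes": {"repo:write", "secrets:read"}},
    {"ts": datetime(2025, 6, 28), "nhi": "svc-billing", "type": "usage", "scopes": {"db:read"}},
    {"ts": datetime(2025, 6, 10), "nhi": "etl-legacy", "type": "workload_retired"},
    {"ts": datetime(2025, 6, 12), "nhi": "etl-legacy", "type": "usage", "scopes": {"bucket:read"}},
]

if __name__ == "__main__":
    for nhi_id, action, reason in evaluate(sample_inventory(), EVENTS, NOW):
        print(f"{nhi_id:12} {action:14} {reason}")
```

Run as-is, the script rotates the billing account because its secret is 180 days old and marks it over-privileged because only `db:read` was ever used; rotates the CI deployer on its deploy event, flags it as unowned and reports drift because it used `secrets:read` without approval; revokes the ETL identity on retirement and alerts on the usage that follows; and rotates the report bot for inactivity. In a real estate the inventory would come from the secrets manager or cloud IAM and the events from deployment and audit logs, but the decision logic is the part a calendar-only campaign lacks.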

This approach aligns with the continuous governance direction in NIST Cybersecurity Framework 2.0, but the implementation details depend on environment maturity. Current guidance suggests pairing privileged access management (PAM), role-based access control (RBAC), and lifecycle automation with event-driven alerts so over-privileged accounts do not survive between review windows. These controls tend to break down in fast-moving CI/CD environments because credentials are often embedded in pipelines, copied across environments, and changed faster than manual certification cycles can track.

Common Variations and Edge Cases

Tighter NHI control often increases operational overhead, requiring organisations to balance revocation speed against deployment stability. That tradeoff is especially visible in legacy systems, shared platform accounts, and third-party integrations where automation is incomplete. In those environments, a strict review can reveal the right problem, but still fail to produce a clean remediation path.

Best practice is evolving for ephemeral workloads and AI-driven systems. In agentic and autonomous environments, static campaign reviews are even less reliable because the workload may change tool usage, task scope, or access path in real time. Current guidance suggests pairing NHI governance with agent-centric controls, including runtime authorisation, short-lived secrets, and workload identity. For that reason, the OWASP NHI Top 10 should be read alongside the 52 NHI Breaches Analysis when assessing where campaign cadence alone is too slow to matter.

There is no universal standard for cadence-based certification that fits every NHI estate. Highly regulated environments may still need formal attestations, but those should be supplemented by event-driven controls, not treated as a substitute. In practice, the hardest failures appear when a workload is repurposed without a corresponding identity update, because the review trail still looks valid while the real access path has already drifted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF describe the governance and control outcomes practitioners are expected to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Revocation and rotation failures are the core risk behind stale campaign reviews.
NIST CSF 2.0 | PR.AA-05 (successor to the CSF 1.1 identifier PR.AC-4) | Access permissions and entitlements must be managed, enforced and reviewed under least privilege continuously, not only during certification.
NIST AI RMF | GOVERN function | Autonomous or adaptive workloads need ongoing governance beyond periodic review cycles; use it to assign accountability and monitor changing workload behaviour over time.