A machine can be authentic and still have excessive permissions. If teams stop at certificate validation, they may believe the identity is secure while the workload can still reach sensitive data or production services. Authentication proves identity. Authorisation determines blast radius, and those are separate governance problems.
Why This Matters for Security Teams
Certificate trust answers one question only: can this workload prove it is the workload it claims to be? Access control answers a different one: what is that workload allowed to do right now? When those are collapsed into a single decision, organisations lose the ability to separate identity proof from privilege scope. That is how a valid service account, API client, or certificate can still reach production data, admin APIs, or partner systems.
The operational risk is not theoretical. NHIMG research shows Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which means authentication alone often leaves the blast radius intact. For teams trying to align with OWASP Non-Human Identity Top 10, the lesson is simple: a trusted certificate is not a substitute for least privilege, and it does not satisfy separation of duties, approval, or revocation requirements on its own.
In practice, many security teams encounter privilege abuse only after a valid workload has already moved laterally or accessed data it never needed in the first place.
How It Works in Practice
The correct model treats certificate validation as an authentication checkpoint and then applies a separate authorisation layer based on workload identity, request context, and policy. A certificate can establish that a workload is genuine, but it should not implicitly grant broad access just because the TLS handshake succeeded. Instead, the workload should present a narrow identity, then receive only the permissions needed for the current transaction.
This is where controls like Ultimate Guide to NHIs — What are Non-Human Identities become practical: they separate the lifecycle of the identity from the lifecycle of its permissions. In mature environments, this often means short-lived credentials, policy-as-code, and explicit approval paths for sensitive actions. For example, a CI/CD runner may authenticate with a certificate, but still need JIT entitlement before it can deploy to production. That same pattern supports ZSP and ZTA because standing access is removed and every request is evaluated in context.
- Use the certificate to prove workload identity, not to infer privilege.
- Bind access to the specific service, action, and environment at request time.
- Issue ephemeral secrets or tokens only for the task in progress.
- Revoke access when the job, session, or deployment completes.
Best practice is evolving toward intent-aware authorisation, but there is no universal standard for this yet. Current guidance from Ultimate Guide to NHIs — Key Challenges and Risks and PCI DSS v4.0 reinforces the same operational point: authentication evidence must be paired with least-privilege access control, logging, and timely revocation. These controls tend to break down when legacy service accounts share certificates across environments because the certificate then becomes a blanket credential instead of a bounded proof of identity.
Common Variations and Edge Cases
Tighter certificate-to-access binding often increases operational overhead, requiring organisations to balance security gain against deployment speed and system complexity. That tradeoff becomes especially visible in legacy systems, where certificate-based mutual TLS is already entrenched and application teams resist adding an additional authorisation layer.
Current guidance suggests three recurring edge cases. First, long-lived machine credentials often survive beyond the workload that originally requested them, which is why 52 NHI Breaches Analysis remains relevant to post-incident review: the identity may be legitimate even while the permissions are stale. Second, third-party or partner integrations can inherit certificate trust without proper RBAC or intent-based checks, creating hidden exposure paths. Third, certificate automation can mask governance failure if rotation is healthy but privilege review is absent.
Sisense breach is a useful reminder that machine identity incidents rarely stay confined to the original secret or certificate. Once access is over-broad, attackers can chain tools, pivot to adjacent systems, and abuse trust relationships faster than manual reviews can react. The practical rule is to treat certificate trust, workload identity, JIT access, and revocation as separate controls that must all pass. When environments mix static certificates with shared admin roles, this guidance breaks down because the identity becomes durable while the permissions remain effectively permanent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Focuses on rotation and lifecycle separation for machine identities. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires policy-based, per-request access decisions. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is the missing layer after authentication. |
Decouple identity proof from access grants and rotate machine credentials on a strict schedule.
Related resources from NHI Mgmt Group
- What breaks when simulator access and agent access are treated as the same thing?
- What breaks when single logout is treated as the same thing as offboarding?
- What breaks when certificate discovery is only done once in a while?
- What breaks when organisations keep passwords as the default identity control?
