What breaks is the lifecycle. Users forget passphrases, lose keys during device changes, and leave old credentials behind when their role changes. That creates support overhead, weakens revocation, and makes audit trails unreliable. The control is technically strong but operationally fragile, which is why it fails in enterprise governance.
Why This Matters for Security Teams
When users manage their own encryption key, the control shifts from centralized governance to individual memory, device continuity, and informal recovery habits. That sounds flexible, but it breaks the operational assumptions that enterprise security depends on: revocation, key escrow, auditability, and role-based offboarding. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows why lifecycle discipline is the real control surface, not just the cryptography itself. NIST’s NIST Cybersecurity Framework 2.0 also emphasizes recovery, governance, and asset visibility as core security outcomes, which self-managed keys often undermine in practice. The issue is not that user-held keys are weak by design. The issue is that the surrounding process is usually too inconsistent for enterprise-grade assurance. In practice, many security teams encounter key loss, stale access, and failed revocation only after an employee departs, a device is replaced, or an incident forces emergency access review.
How It Works in Practice
Self-managed encryption keys usually fail in the same places that enterprise operations are most sensitive: handoff, recovery, and retirement. If a user generates and holds the key locally, the organisation may not know where it lives, how it is backed up, or whether it can be revoked quickly. That creates a mismatch between cryptographic strength and governance weakness. The stronger the encryption, the less useful it becomes if no one can reliably recover, rotate, or retire it when business conditions change.
Practitioners typically see four control gaps:
- Recovery gap: lost passphrases or device loss can make protected data unrecoverable.
- Revocation gap: old keys may remain valid after role changes or offboarding.
- Visibility gap: security teams cannot inventory who holds what key or where it is used.
- Audit gap: proving who accessed data, and under which key, becomes difficult.
This is why lifecycle controls matter as much as key strength. The NHIMG NHI Lifecycle Management Guide and the Top 10 NHI Issues both frame unmanaged credentials as an operational risk, not just a technical inconvenience. In enterprise environments, the better pattern is centrally governed key management with clear ownership, rotation, backup, and offboarding workflows, even when end users initiate protected actions. Current guidance suggests that cryptographic controls should be paired with policy enforcement, not delegated entirely to individuals. These controls tend to break down when the organisation supports many endpoints, frequent device turnover, or hybrid work patterns because key recovery and revocation become inconsistent across platforms.
Common Variations and Edge Cases
Tighter key control often increases support overhead and user friction, requiring organisations to balance usability against assurance. That tradeoff is real, and there is no universal standard for how much self-service should be allowed. Some teams permit user-managed keys for local file protection, personal vaults, or lower-risk workflows, while reserving centrally managed keys for regulated data, shared systems, and recovery-critical services. Best practice is evolving, but the direction is consistent: the more business-critical the data, the less suitable fully user-owned key custody becomes.
A few edge cases matter:
- Personal devices: self-managed keys may be acceptable for low-risk use, but offboarding and forensic visibility are weaker.
- Shared data workflows: user-held keys complicate collaboration because access depends on individual custody, not policy.
- Regulated environments: auditability and recoverability usually require central controls, documented retention, and rotation evidence.
NHI Management Group’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because it shows how weak lifecycle governance becomes a compliance problem, not just an access problem. A practical compromise is to let users initiate encryption actions while the enterprise retains control over key issuance, escrow, revocation, and recovery policy. That approach preserves usability without turning key custody into an unmanaged exception.
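To make the four control gaps and the compromise just described concrete, the following is an added example, not code from the article or from NHI Management Group. It models envelope encryption: each object is encrypted under its own data key, and that data key is wrapped under one or more wrapping keys. Wrapping the same data key under an enterprise escrow key is what keeps data recoverable after a passphrase is forgotten or a user is offboarded, and the custody inventory is what gives security teams visibility and an audit trail. The cipher is an HMAC-SHA256 keystream with an HMAC tag, a constructed stand-in chosen only so the code runs on the Python standard library; it is not a production cipher. The users, key ids, file names and data are all made up.

```python
"""Added example, not the article's code: a toy envelope-encryption custody model covering
the four gaps (recovery, revocation, visibility, audit) and escrow. The HMAC-based cipher
is a constructed stand-in so it runs on the stdlib; names and data are made up, not real."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

class RevokedKeyError(PermissionError): """Policy refused a revoked wrapping key."""
class UnrecoverableError(LookupError): """No usable wrapping key can unlock the object."""

def derive_key(passphrase: str, salt: bytes) -> bytes:  # a misremembered passphrase derives a different key
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = (nonce := secrets.token_bytes(16)) + _keystream_xor(key, nonce, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()  # 32-byte tag

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise UnrecoverableError("wrong key or corrupted data")
    return _keystream_xor(key, body[:16], body[16:])

@dataclass
class WrappingKey:
    key_id: str
    owner: str  # the person or team accountable for the key
    material: bytes
    revoked: bool = False

@dataclass
class ProtectedObject:
    name: str
    ciphertext: bytes  # data encrypted under a per-object data key (DEK)
    wrapped_deks: dict  # key_id -> the DEK wrapped under that key

@dataclass
class KeyCustody:
    """Central inventory: who holds which key, what it unlocks, and an audit trail."""
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def issue_key(self, key_id: str, owner: str, material: bytes) -> None:
        self.keys[key_id] = WrappingKey(key_id, owner, material)

    def protect(self, name: str, plaintext: bytes, key_ids: list) -> ProtectedObject:
        dek = secrets.token_bytes(32)  # escrow = wrapping the same DEK under the org key too
        wrapped = {kid: toy_encrypt(self.keys[kid].material, dek) for kid in key_ids}
        self.audit.append(("protect", name, tuple(key_ids)))
        return ProtectedObject(name, toy_encrypt(dek, plaintext), wrapped)

    def access(self, obj: ProtectedObject, key_id: str) -> bytes:
        key = self.keys[key_id]
        if key.revoked:  # revocation is a policy decision, not something the cipher enforces
            self.audit.append(("denied", obj.name, key_id))
            raise RevokedKeyError(f"{key_id} is revoked")
        if key_id not in obj.wrapped_deks:
            raise UnrecoverableError(f"{key_id} does not wrap {obj.name}")
        dek = toy_decrypt(key.material, obj.wrapped_deks[key_id])
        self.audit.append(("access", obj.name, key_id))  # audit trail: which key unlocked what
        return toy_decrypt(dek, obj.ciphertext)

    def offboard(self, owner: str) -> list:
        revoked = [k.key_id for k in self.keys.values() if k.owner == owner and not k.revoked]
        for kid in revoked: self.keys[kid].revoked = True
        self.audit.append(("offboard", owner, tuple(revoked)))
        return revoked

    def live_keys(self, objects: list) -> dict:  # visibility: which unrevoked keys unlock what
        return {k: [o.name for o in objects if k in o.wrapped_deks]
                for k, w in self.keys.items() if not w.revoked}

def _raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True

def run_demo() -> dict:
    """Walk the scenarios from the text with constructed data and return the outcomes."""
    custody, salt, out = KeyCustody(), secrets.token_bytes(16), {}
    custody.issue_key("alice-personal", "alice", derive_key("correct horse", salt))
    custody.issue_key("alice-work", "alice", secrets.token_bytes(32))
    custody.issue_key("org-escrow", "security-team", secrets.token_bytes(32))
    personal = custody.protect("notes.txt", b"only alice holds this", ["alice-personal"])
    shared = custody.protect("ledger.csv", b"escrowed record", ["alice-work", "org-escrow"])
    custody.keys["alice-personal"].material = derive_key("correct house", salt)  # recovery gap
    out["personal_unrecoverable"] = _raises(UnrecoverableError, custody.access, personal, "alice-personal")
    # Offboarding disables every key alice owned, so her work key is refused, while escrow
    # keeps the shared record recoverable for the organisation.
    out["revoked"] = custody.offboard("alice")
    out["work_key_refused"] = _raises(RevokedKeyError, custody.access, shared, "alice-work")
    out["escrow_plaintext"] = custody.access(shared, "org-escrow")
    out["live_keys"], out["audit"] = custody.live_keys([personal, shared]), custody.audit
    return out
```

Calling `run_demo()` shows the two outcomes side by side: the object wrapped only under the user's passphrase-derived key is lost the moment the passphrase is misremembered, while the escrowed object survives offboarding because the organisation holds a second wrapping of the same data key. The design point is that revocation, escrow and audit all live in the custody layer around the cipher, not in the cipher itself; in a real deployment that layer is a KMS or HSM with the same responsibilities.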
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | User-held keys create unmanaged credential lifecycle risk. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access governance depend on recoverable, auditable key management. |
| NIST AI RMF | | Governance and accountability are required when users control sensitive cryptographic material. |
Apply AI RMF governance principles to define ownership, oversight, and exception handling for key custody.