Approval Routing

Approval routing is the set of rules that determine who must review an access request and what happens if they do not respond. In identity governance, routing is part of the control design because it shapes both decision quality and the speed at which access can move.

Expanded Definition

Approval routing is the decision path that determines which reviewers must evaluate an access request, in what order, and what default action applies when a reviewer is unavailable. In NHI governance, it is not just workflow plumbing; it is a policy control that shapes who can authorize service account access, token issuance, secret retrieval, or privilege escalation. The design must distinguish between simple notification flows and true approval authority, because a routed request may still be blocked, auto-approved, or escalated depending on policy. Industry usage is still evolving for AI-driven workflows and delegated approvals, so organisations should define whether routing is based on identity, role, system risk, environment, or application sensitivity. For a broader NHI context, the Ultimate Guide to NHIs shows why access paths must be controlled alongside lifecycle and secret governance. The NIST Cybersecurity Framework 2.0 reinforces that approvals are part of access governance, not a clerical afterthought. The most common misapplication is treating approval routing as a generic workflow rule, which occurs when organisations fail to tie reviewers and fallback actions to the actual risk of the requested NHI permission.

Examples and Use Cases

Implementing approval routing rigorously often introduces latency and administrative overhead, requiring organisations to weigh tighter governance against faster delivery of access needed for operations.

  • A service account request for production database read access routes first to the application owner, then to the data steward if the entitlement crosses a sensitivity threshold.
  • An API key rotation request auto-escalates to a security approver when the key is tied to internet-facing infrastructure or a third-party integration.
  • A privileged bot request is routed to a manager plus a platform owner, with no auto-approval allowed if either reviewer is unavailable.
  • An emergency JIT request for a CI/CD pipeline token routes to on-call approvers and expires if the approval window closes without action.
  • Routing logic is validated against NHI governance patterns described in the Ultimate Guide to NHIs, while the NIST Cybersecurity Framework 2.0 helps anchor the control in access and authorization outcomes.
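As an added example (not code from the page, from the Ultimate Guide to NHIs, or from any product), the Python below models the routing rules in the list above as a small policy engine: the reviewer chain is derived from the risk attributes of the request (identity type, environment, data sensitivity, internet exposure, privilege), reviewers can only vote in stage order, and an unanswered request expires at the end of its window instead of being auto-approved. The owner, steward and approver names, the sensitivity scale and the approval windows are constructed placeholders standing in for a CMDB or IGA inventory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Outcomes of a routed request. EXPIRED: the window closed before the whole chain approved.
PENDING, APPROVED, DENIED, EXPIRED = "pending", "approved", "denied", "expired"

@dataclass(frozen=True)
class AccessRequest:
    requester: str          # who filed the request (person or pipeline)
    identity: str           # the NHI the access is for
    identity_type: str      # "service_account" | "api_key" | "bot" | "pipeline_token"
    resource: str           # target system
    environment: str        # "prod" | "staging" | "dev"
    sensitivity: int        # data classification, 0 (public) .. 3 (restricted)
    privileged: bool = False
    internet_facing: bool = False
    third_party: bool = False
    emergency_jit: bool = False

@dataclass
class Route:
    stages: List[List[str]]   # ordered stages; every reviewer in a stage must approve
    window: timedelta         # time the whole chain has to complete
    fail_closed: bool = True  # on timeout deny; False is the auto-approve anti-pattern

# Constructed owner lookups (hypothetical names) standing in for a CMDB / IGA inventory.
APP_OWNER = {"billing-db": "app-owner-billing", "edge-gateway": "app-owner-edge"}
DATA_STEWARD = {"billing-db": "steward-finance"}
MANAGER = {"alice": "mgr-alice", "deploy-bot": "mgr-platform"}
PLATFORM_OWNER, SECURITY_APPROVER, ONCALL_APPROVER = "platform-owner", "sec-approver", "oncall-approver"
SENSITIVITY_THRESHOLD = 2  # at or above this a data steward must also review

def route_request(req: AccessRequest) -> Route:
    """Derive the reviewer chain from the risk of the requested permission, not a generic flow."""
    if req.emergency_jit and req.identity_type == "pipeline_token":
        # Emergency JIT: on-call approver, short window, silence means expiry.
        return Route([[ONCALL_APPROVER]], timedelta(minutes=30))
    if req.identity_type == "bot" and req.privileged:
        # Privileged bot: manager and platform owner in one stage, both required.
        return Route([[MANAGER[req.requester], PLATFORM_OWNER]], timedelta(hours=24))
    stages = [[APP_OWNER[req.resource]]]
    if req.environment == "prod" and req.sensitivity >= SENSITIVITY_THRESHOLD and req.resource in DATA_STEWARD:
        stages.append([DATA_STEWARD[req.resource]])  # sensitive production data: add the steward
    if req.identity_type == "api_key" and (req.internet_facing or req.third_party):
        stages.append([SECURITY_APPROVER])  # exposed key: escalate to a security approver
    return Route(stages, timedelta(hours=48))

@dataclass
class ApprovalState:
    route: Route
    submitted_at: datetime
    votes: Dict[str, bool] = field(default_factory=dict)  # reviewer -> True approve / False reject

    def current_stage(self) -> Optional[List[str]]:
        # First stage not yet fully approved; None once the chain is complete.
        for stage in self.route.stages:
            if not all(self.votes.get(r) is True for r in stage):
                return stage
        return None

    def decision(self, now: datetime) -> str:
        if any(v is False for v in self.votes.values()):
            return DENIED
        if self.current_stage() is None:
            return APPROVED
        if now - self.submitted_at > self.route.window:
            return EXPIRED if self.route.fail_closed else APPROVED  # fail-closed: silence is not consent
        return PENDING

    def record(self, reviewer: str, approved: bool, now: datetime) -> str:
        # Accept a vote only from a reviewer in the active stage while the request is still open.
        if self.decision(now) != PENDING:
            raise ValueError("request is no longer open")
        stage = self.current_stage()
        if stage is None or reviewer not in stage:
            raise PermissionError(f"{reviewer} is not an active reviewer for this request")
        self.votes[reviewer] = approved
        return self.decision(now)

def demo() -> Dict[str, str]:
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Restricted production data: owner approves, steward never answers -> expires, never auto-approved.
    db = AccessRequest("alice", "svc-billing-reader", "service_account", "billing-db", "prod", 3)
    s1 = ApprovalState(route_request(db), t0)
    s1.record("app-owner-billing", True, t0 + timedelta(hours=1))
    db_read = s1.decision(t0 + timedelta(days=3))
    # Internet-facing API key: security cannot vote before the owner stage; then the chain completes.
    key = AccessRequest("alice", "edge-key", "api_key", "edge-gateway", "prod", 1, internet_facing=True)
    s2 = ApprovalState(route_request(key), t0)
    try:
        s2.record(SECURITY_APPROVER, True, t0)
        out_of_order = "accepted"
    except PermissionError:
        out_of_order = "rejected"
    s2.record("app-owner-edge", True, t0 + timedelta(hours=2))
    api_key = s2.record(SECURITY_APPROVER, True, t0 + timedelta(hours=3))
    # Privileged bot: manager approves, platform owner silent -> no auto-approval after the window.
    bot = AccessRequest("deploy-bot", "deploy-bot", "bot", "edge-gateway", "prod", 1, privileged=True)
    s3 = ApprovalState(route_request(bot), t0)
    s3.record("mgr-platform", True, t0 + timedelta(hours=1))
    privileged_bot = s3.decision(t0 + timedelta(days=2))
    return {"db_read": db_read, "api_key_out_of_order": out_of_order,
            "api_key": api_key, "privileged_bot": privileged_bot}
```

The design choice worth noting is that `Route.fail_closed` defaults to true and the timeout branch in `decision` is the only place a timed-out request can become `APPROVED`; a routing rule that sets it to false is exactly the silent over-permissioning the text warns about, so in a real deployment that flag should be visible in the policy and audited rather than buried in workflow defaults.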

Why It Matters in NHI Security

Approval routing becomes security-critical because it decides whether privileged machine access is granted with meaningful review or through procedural shortcuts. Weak routing can create silent over-permissioning, especially when requests are auto-approved after a timeout, routed to the wrong owner, or bypassed through inherited group logic. That matters in NHI environments where credentials are frequently shared across services and where delayed revocation can leave access active long after it should have been removed. NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that only 20% of organisations have formal offboarding and revocation processes, which makes approval design part of the breach-prevention chain rather than a paperwork exercise. It also affects Zero Trust execution because access should be verified continuously, not granted by stale assumptions. The same governance concerns appear in the Ultimate Guide to NHIs and are consistent with the access governance emphasis in the NIST Cybersecurity Framework 2.0. Organisations typically discover approval routing failures only after an overbroad request has already been approved, at which point correcting the routing logic can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-04 | Approval routing governs how NHI access requests are reviewed and authorized. |
| NIST CSF 2.0 | PR.AA | Identity and access authorization controls cover approval decisions and access granting. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires explicit, context-aware authorization for each access decision. |

Use routing to enforce explicit approval before NHI privilege is issued or expanded.