Unwanted persistence is durable access that remains available after the original business justification has ended. In directory environments, it often comes from stale accounts, old group membership, and delegated rights that were never fully removed, allowing legitimate-looking access to survive past its intended lifecycle.
Expanded Definition
Unwanted persistence is a lifecycle failure in which access continues after the business need has ended. In NHI and IAM environments, that persistence can appear as stale service accounts, orphaned API keys, inherited group membership, dormant delegated rights, or automation paths that were never removed. It is related to privilege creep, but the focus here is duration: the access remains live past its intended expiration.
Definitions vary across vendors when the term is used in broader security operations, because some teams treat it as a privilege review issue while others treat it as an offboarding and entitlement hygiene problem. NHI Management Group treats it as a governance defect that spans identity, secrets, and authorization layers. That framing aligns with NIST Cybersecurity Framework 2.0, especially the need to maintain access control and continuous monitoring across identity lifecycles.
In practice, unwanted persistence is most dangerous when the account still looks legitimate to logs and control systems. The most common misapplication is assuming an unused account is harmless, which occurs when expiration, ownership, or revocation checks are not tied to the actual business lifecycle.
Examples and Use Cases
Implementing unwanted persistence controls rigorously often introduces operational friction, requiring organisations to weigh clean revocation against the risk of breaking automation, integrations, or emergency access paths.
- A contractor leaves a project, but their directory group membership still grants access to source code and CI/CD secrets weeks later.
- An API key created for a migration task remains valid after cutover because no one tracked the deletion step in the change record.
- A service account used for a legacy application still has delegated rights in a cloud tenant after the workload has been decommissioned.
- An operator account used for break-glass support is never revalidated, so it persists long after the original support case is closed.
- A persistence chain remains hidden until a breach review mirrors patterns seen in the Salt Typhoon US telecoms breach, where durable access and stolen credentials became part of the intrusion path.
For lifecycle-oriented teams, the practical goal is not only removal but proof of removal. That usually means pairing entitlement reviews with ownership assignment, revocation evidence, and expiry workflows consistent with NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
Unwanted persistence turns temporary access into latent risk. In NHI environments, that risk compounds quickly because machine identities are numerous, difficult to inventory, and often embedded in code, pipelines, vaults, and third-party integrations. NHI Mgmt Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, while 91.6% of secrets remain valid five days after notification, showing how slowly remediation can lag when persistence is not actively governed.
That delay matters because attackers do not need to create new access when old access still works. Persistent service accounts can be reused for lateral movement, dormant keys can be harvested from repositories, and forgotten delegated rights can bypass newer controls. This is why unwanted persistence is closely tied to zero trust and lifecycle assurance, not just cleanup. The same access that seemed harmless during steady state can become the easiest path during incident response or post-compromise containment.
Organisations typically encounter the operational impact only after a breach, failed audit, or failed offboarding event, at which point unwanted persistence becomes unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle hygiene and revocation gaps that let NHI access persist too long. |
| NIST CSF 2.0 | PR.AA-01 | Addresses identity lifecycle and access authorization as continuous control functions. |
| NIST Zero Trust (SP 800-207) | SC-2 | Zero Trust requires access to be explicitly authorized and continuously validated. |
Continuously review and revoke stale access so machine identities do not outlive their business need.
