Discovery should come first whenever the team cannot confidently map all applications, identities, and entitlements in scope. If the review population is incomplete, certification becomes a documentation exercise instead of a control. Prioritise discovery before the next major audit, offboarding cleanup, or recertification cycle.
Why This Matters for Security Teams
Discovery belongs ahead of access reviews when the review population is uncertain, because certification only works if the underlying asset, identity, and entitlement inventory is already trustworthy. If teams cannot see all service accounts, API keys, and machine identities, a review can confidently approve stale or unknown access because nothing it does not list ever reaches a reviewer. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts, which is why discovery is often the real control gap. See also the Ultimate Guide to NHIs — Key Challenges and Risks and the OWASP Non-Human Identity Top 10 for the recurring failure patterns that turn incomplete inventories into audit theatre. In practice, many security teams encounter overprovisioned access only after an incident, not through a clean recertification cycle.
How It Works in Practice
Effective sequencing starts with discovery across clouds, CI/CD, configuration stores, secret managers, IAM systems, and application code repositories. The point is not to count objects once, but to establish a defensible baseline that can be refreshed as environments change. That baseline should answer three questions: what identities exist, where they authenticate, and which entitlements they can actually exercise. Only then does access review become meaningful.
For NHI-heavy environments, discovery often exposes hidden control paths such as dormant service accounts, orphaned tokens, embedded keys, and third-party integrations that never appear in human IAM reports. The NHI Lifecycle Management Guide is useful here because discovery should feed lifecycle controls, not sit beside them as a one-time inventory exercise. From a governance perspective, the same principle appears in the OWASP Non-Human Identity Top 10: unknown or untracked machine identities create privilege creep, orphaning, and weak offboarding.
- Prioritise discovery before audits, major migrations, and recertification if the scope is incomplete or disputed.
- Use discovery outputs to build a reviewed population, then validate owners, purpose, and last-use signals.
- Re-run discovery after mergers, application decommissions, secret-sprawl events, and pipeline changes.
- Treat access review exceptions as discovery signals when an identity cannot be confidently attributed.
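The baseline questions above (what identities exist, where they authenticate, which entitlements they hold) and the four steps in this list can be expressed as a small pipeline: merge findings from several scanners by stable identifier, then sort each identity into "review" or one of the discovery-signal buckets (no owner, owner gone, dormant) before anything reaches a certifier. The following is an added example, not code from the original guidance or from any product it cites; the discovery records, the owner directory, the human-IAM report and the 90-day dormancy threshold are all constructed sample data.

```python
"""Turn multi-source NHI discovery output into a review population.

Added example with constructed data: record shapes, source names, the
owner directory and the dormancy threshold are assumptions, not a vendor API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible
DORMANT_AFTER = timedelta(days=90)                  # assumed last-use threshold


@dataclass
class Identity:
    key: str                               # stable id: role ARN, SA email, secret path, token name
    kind: str                              # workload | service_account | api_key
    sources: set = field(default_factory=set)       # every scanner that saw it
    owner: Optional[str] = None
    purpose: Optional[str] = None
    last_used: Optional[datetime] = None
    entitlements: set = field(default_factory=set)


def merge(records):
    """Dedupe raw findings by key: union sources and entitlements, keep the newest last-use."""
    merged = {}
    for r in records:
        ident = merged.setdefault(r["key"], Identity(key=r["key"], kind=r["kind"]))
        ident.sources.add(r["source"])
        ident.entitlements.update(r.get("entitlements", []))
        ident.owner = ident.owner or r.get("owner")        # first scanner with an owner wins
        ident.purpose = ident.purpose or r.get("purpose")
        seen = r.get("last_used")
        if seen and (ident.last_used is None or seen > ident.last_used):
            ident.last_used = seen
    return merged


def classify(ident, directory, now=NOW):
    """Attribution gaps outrank staleness: nobody can certify an identity without an owner."""
    if ident.owner is None:
        return "unattributed"          # discovery signal, not a review item
    if ident.owner not in directory:
        return "orphaned"              # owner offboarded; lifecycle failure surfaced by discovery
    if ident.last_used is None or now - ident.last_used > DORMANT_AFTER:
        return "dormant"               # candidate for removal before anyone is asked to approve it
    return "review"                    # owner, purpose and recent use: ready for certification


def build_review_population(records, directory, iam_report, now=NOW):
    """Return (buckets by disposition, keys discovery found that the human IAM report never listed)."""
    merged = merge(records)
    buckets = {"review": [], "dormant": [], "orphaned": [], "unattributed": []}
    for ident in merged.values():
        buckets[classify(ident, directory, now)].append(ident.key)
    for keys in buckets.values():
        keys.sort()
    unknown_to_iam = sorted(set(merged) - set(iam_report))
    return buckets, unknown_to_iam


# Constructed discovery output from four scanners (cloud IAM, CI/CD, secret manager, config repo).
SAMPLE_RECORDS = [
    {"key": "arn:aws:iam::111122223333:role/ci-deploy", "kind": "workload", "source": "aws-iam",
     "owner": "alice", "purpose": "prod deploy", "last_used": NOW - timedelta(days=2),
     "entitlements": ["s3:PutObject", "ecs:UpdateService"]},
    {"key": "arn:aws:iam::111122223333:role/ci-deploy", "kind": "workload", "source": "github-actions",
     "entitlements": ["ecs:UpdateService"]},                 # same role seen from the pipeline side
    {"key": "sa-legacy-etl@proj.iam.gserviceaccount.com", "kind": "service_account", "source": "gcp-iam",
     "owner": "bob", "purpose": "nightly ETL", "last_used": NOW - timedelta(days=200),
     "entitlements": ["roles/bigquery.admin"]},
    {"key": "vault:kv/payments/stripe-key", "kind": "api_key", "source": "vault",
     "last_used": NOW - timedelta(days=1)},                  # active, but nobody claims it
    {"key": "gh-token:vendor-monitoring", "kind": "api_key", "source": "config-repo",
     "owner": "carol", "purpose": "vendor uptime check", "last_used": NOW - timedelta(days=10)},
]
DIRECTORY = {"alice", "bob"}                                 # carol has left the company
IAM_REPORT = ["arn:aws:iam::111122223333:role/ci-deploy",    # what the human-IAM export knows about
              "sa-legacy-etl@proj.iam.gserviceaccount.com"]

if __name__ == "__main__":
    buckets, unknown = build_review_population(SAMPLE_RECORDS, DIRECTORY, IAM_REPORT)
    for disposition, keys in buckets.items():
        print(f"{disposition:13s} {keys}")
    print("unknown to IAM report:", unknown)
```

Only the one identity with a current owner, a purpose and recent use lands in the review population; the other three are discovery follow-ups (attribute the secret-manager key, offboard the ex-employee's token, retire or justify the dormant service account), and the two identities missing from the IAM export are the scope gap the certification would otherwise never have seen.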
Discovery is strongest when it is continuous and cross-domain, but these controls tend to break down in highly decentralised environments because shadow IT, unmanaged CI/CD pipelines, and external vendor integrations can escape the scanners.
Common Variations and Edge Cases
Tighter discovery often increases operational overhead, requiring organisations to balance control accuracy against engineering friction. That tradeoff is real, especially when teams want to avoid delaying remediation work while they build a complete inventory.
Current guidance suggests prioritising discovery first when any of the following apply: the application map is incomplete, ownership is unclear, secrets are scattered across code and config, or the organisation is preparing for a high-stakes review such as offboarding cleanup or a regulatory audit. Where the inventory is already trustworthy, access reviews can proceed in parallel with smaller discovery checks.
There is no universal standard for this yet, but best practice is evolving toward discovery-driven governance rather than review-driven governance. That matters because access reviews assume the population is stable, while modern NHI estates are dynamic and often change faster than quarterly certifications. For teams comparing control maturity, the Top 10 NHI Issues is a practical reminder that visibility and lifecycle gaps usually surface before entitlement issues do. In edge cases, discovery should also precede access review when the review would otherwise validate inherited access from a merger, a platform migration, or a failed offboarding process.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO describe the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Orphaned and forgotten NHIs left behind by failed offboarding are exactly what discovery first surfaces; unknown NHIs and entitlements cannot enter a review population otherwise. |
| NIST CSF 2.0 | ID.AM-01, ID.AM-02, PR.AA-01 | Asset inventories (ID.AM) and managed identities and credentials for users, services and hardware (PR.AA-01) must exist before access reviews are trustworthy. |
| CSA MAESTRO | GOV-02 | Agentic and workload governance depends on visibility into identities and ownership. |
Establish and maintain an accurate inventory, then use it as the review population.