
Access Catalogue

An access catalogue is the set of applications, roles, entitlements, or requestable resources exposed to users through a service desk or portal. It should mirror the real access model closely, or it will mislead requesters and create shadow approval paths.

Expanded Definition

An access catalogue is the curated interface layer that presents requestable applications, roles, entitlements, and other resources to end users, approvers, and service desks. In NHI environments, it often extends beyond human access to include service accounts, API scopes, secret-backed tools, and workload permissions that are provisioned through automation. The catalogue is not the authoritative access model itself; it is the user-facing reflection of that model, and it must stay synchronized with identity governance, entitlement sources, and approval workflows. Guidance varies across vendors on how much catalogue logic should live in ITSM, IGA, or cloud identity platforms, but the core requirement is consistent: users should only see what can actually be granted, with the real control plane preserved in systems of record. For a broader NHI governance context, see the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10. The most common misapplication is treating the catalogue as a source of truth, which occurs when request forms drift away from actual entitlements and approvers approve access the platform cannot safely provision.

Examples and Use Cases

Implementing an access catalogue rigorously often introduces governance overhead, requiring organisations to balance requester convenience against control accuracy and approval integrity.

  • A service desk portal lists approved API roles for a customer data platform, but the backing entitlements are sourced from an IGA system so that access requests remain auditable and reversible.
  • A cloud platform team exposes requestable workload identities for CI/CD jobs, with scope-limited secrets provisioned only after approval and policy checks.
  • An access catalogue for developers includes preapproved read-only database access, while privileged write access is hidden behind elevated review paths and time-bound requests.
  • An organisation catalogues machine-to-machine permissions for internal agents, using the catalogue to standardise request language while keeping the actual grants controlled by automation.

In practice, the catalogue should mirror current entitlement reality, not aspirational policy, or it creates shadow approval paths that undermine governance. This becomes especially important when access requests map to service accounts or API keys, where requesters may not understand the operational blast radius. For identity lifecycle and control design guidance, the Ultimate Guide to NHIs — Key Challenges and Risks and the OWASP Non-Human Identity Top 10 are useful reference points.
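The reconciliation the expanded definition and the use cases above call for (the catalogue is a reflection of the entitlement source, so every requestable item must map to an active, owned entitlement with an approval path at least as strong as policy demands) can be checked mechanically. The following is an added example, not code from the journal or any vendor platform: the record layouts, the approval levels, and the sample catalogue and IGA export are constructed for illustration, and a real deployment would read them from the ITSM portal and the IGA system of record.

```python
"""Reconcile a requestable access catalogue against the entitlement source of record.

Added example; the CatalogueItem/Entitlement layouts, the approval levels and the
sample data below are constructed assumptions, not any product's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered approval strength; an unrecognised path ranks below "auto" so it is flagged.
APPROVAL_RANK = {"auto": 0, "manager": 1, "elevated": 2}


@dataclass(frozen=True)
class CatalogueItem:
    item_id: str          # identifier of the requestable item in the portal
    label: str            # what the requester sees
    entitlement_id: str   # the IGA entitlement this item is meant to grant
    approval_path: str    # approval the portal routes the request through


@dataclass(frozen=True)
class Entitlement:
    entitlement_id: str
    system: str
    active: bool                 # False once the entitlement is retired in IGA
    owner: Optional[str]         # None means nobody is accountable for approvals
    required_approval: str       # minimum approval level IGA policy requires


def reconcile(catalogue: List[CatalogueItem],
              entitlements: List[Entitlement]) -> Dict[str, List[str]]:
    """Return drift findings by category, each as a sorted list of ids.

    stale            catalogue item whose entitlement is missing or retired
    shadow_approval  item whose portal approval path is weaker than policy requires
    unowned          item whose backing entitlement has no accountable owner
    uncatalogued     active entitlement that no catalogue item exposes
    """
    by_id = {e.entitlement_id: e for e in entitlements}
    findings: Dict[str, List[str]] = {
        "stale": [], "shadow_approval": [], "unowned": [], "uncatalogued": []}
    referenced = set()
    for item in catalogue:
        ent = by_id.get(item.entitlement_id)
        if ent is None or not ent.active:
            findings["stale"].append(item.item_id)   # approvable but not provisionable
            continue
        referenced.add(ent.entitlement_id)
        if APPROVAL_RANK.get(item.approval_path, -1) < APPROVAL_RANK.get(ent.required_approval, 0):
            findings["shadow_approval"].append(item.item_id)
        if ent.owner is None:
            findings["unowned"].append(item.item_id)
    for ent in entitlements:
        if ent.active and ent.entitlement_id not in referenced:
            findings["uncatalogued"].append(ent.entitlement_id)   # requests will go via side channels
    return {k: sorted(v) for k, v in findings.items()}


def publishable(catalogue: List[CatalogueItem],
                entitlements: List[Entitlement]) -> List[str]:
    """Item ids that may be shown to requesters: only what can actually be granted."""
    f = reconcile(catalogue, entitlements)
    flagged = set(f["stale"]) | set(f["shadow_approval"]) | set(f["unowned"])
    return [i.item_id for i in catalogue if i.item_id not in flagged]


# Constructed sample data (assumed, not from any real environment).
SAMPLE_ENTITLEMENTS = [
    Entitlement("ent-cdp-read", "customer-data-platform", True, "data-platform-team", "manager"),
    Entitlement("ent-cdp-write", "customer-data-platform", True, "data-platform-team", "elevated"),
    Entitlement("ent-ci-deploy", "ci-cd", True, "platform-eng", "elevated"),
    Entitlement("ent-db-ro", "orders-db", True, None, "auto"),                 # nobody owns it
    Entitlement("ent-legacy-sa", "legacy-batch", False, None, "elevated"),      # retired in IGA
    Entitlement("ent-agent-search", "internal-agents", True, "agents-team", "manager"),
]
SAMPLE_CATALOGUE = [
    CatalogueItem("cat-001", "CDP API read role", "ent-cdp-read", "manager"),
    CatalogueItem("cat-002", "CDP API write role", "ent-cdp-write", "manager"),      # policy wants elevated
    CatalogueItem("cat-003", "CI/CD deploy identity", "ent-ci-deploy", "elevated"),
    CatalogueItem("cat-004", "Orders DB read-only", "ent-db-ro", "auto"),
    CatalogueItem("cat-005", "Legacy batch service account", "ent-legacy-sa", "elevated"),
    CatalogueItem("cat-006", "Reporting warehouse role", "ent-warehouse-read", "manager"),  # no such entitlement
]

if __name__ == "__main__":
    for category, ids in reconcile(SAMPLE_CATALOGUE, SAMPLE_ENTITLEMENTS).items():
        print(f"{category:16s} {ids}")
    print("publishable     ", publishable(SAMPLE_CATALOGUE, SAMPLE_ENTITLEMENTS))
```

Run against the sample data, the stale findings are the retired service account item and the item that points at a non-existent entitlement, the write role surfaces as a shadow approval path because the portal routes it through manager approval while policy requires elevated review, the read-only database item is unowned, and the agent search entitlement is active but unrequestable through the catalogue. Only the two items that pass every check remain publishable, which is the "users should only see what can actually be granted" rule applied as a gate on catalogue publication rather than as a periodic clean-up.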

Why It Matters in NHI Security

An inaccurate access catalogue can create a governance gap even when the underlying technical controls are strong. If the catalogue shows obsolete roles, hidden entitlements, or request paths that no longer exist, requesters can be routed into approval chains that bypass least privilege and confuse ownership. That matters in NHI security because access to workloads, integrations, and automated agents often carries broad operational authority. NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, which is why catalogue accuracy is not a cosmetic issue but a control issue. The catalogue is often the first place excessive privilege becomes visible to auditors, approvers, and service owners, so stale entries can mask risk until an incident or review forces reconciliation. A good access catalogue also supports faster offboarding, better entitlement review, and cleaner segregation of duties by making request paths explicit. For deeper context on the scale of the problem, review the Ultimate Guide to NHIs. Organisations typically discover access catalogue defects only after an access review, an incident, or a failed deprovisioning event, at which point fixing the catalogue can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Catalogue drift often exposes unmanaged NHI entitlements and hidden access paths. |
| NIST CSF 2.0 | PR.AA-01 | Access catalogue accuracy supports identity and entitlement governance in access management. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires policy-enforced access decisions, not catalogue-only assumptions. |

Keep requestable access aligned to real NHI entitlements and remove stale or shadow entries.