The discipline that creates, updates, and retires identity records so the organisation knows who or what each subject is. In practice, it governs attributes such as role, department, manager, and lifecycle state, which later drive access decisions and audit evidence.
Expanded Definition
Identity management is the operational discipline that creates, updates, suspends, and retires identity records so systems can distinguish one subject from another with confidence. In NHI security, that subject may be a person, a service account, an API client, a workload, or an AI agent with execution authority and tool access. The work includes attributes, lifecycle state, ownership, and approval context, all of which later influence access decisions, logging, and audit evidence.
For non-human identities, the discipline is narrower and more failure-prone than conventional IAM because credentials are often embedded in pipelines, scripts, and automation flows. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why lifecycle discipline matters more than simple inventory. The operational goal is not just to register an identity but to ensure it is known, controlled, reviewable, and retired when no longer needed. Vendor guidance still varies on whether identity management includes ownership, entitlement governance, and secret handling, so organisations should treat those functions as tightly coupled rather than as separate silos. The most common misapplication is treating identity management as a one-time provisioning task: teams create records but fail to maintain state changes, ownership, and offboarding.
Examples and Use Cases
Implementing identity management rigorously often introduces lifecycle overhead, requiring organisations to weigh stronger governance against slower automation and more approval points.
- A CI/CD platform creates ephemeral service identities for deployments, then retires them automatically after the pipeline completes, reducing standing exposure and orphaned access.
- A central identity record stores the owner, department, and system purpose for each API key, enabling review workflows when a team changes or a system is decommissioned.
- Offboarding automation disables a workload identity when a cloud application is retired, preventing dormant credentials from persisting in code or configuration stores. The NHI Lifecycle Management Guide frames this as a lifecycle control, not an admin cleanup task.
- An AI agent receives a bounded identity profile before it is allowed to call internal tools, aligning execution authority with intended scope. This lines up with identity-first design in the NIST Cybersecurity Framework 2.0.
- A security team reconciles identity records against actual cloud and SaaS usage to find duplicate service accounts, stale owners, and systems that no longer have an accountable steward. NHIMG’s Ultimate Guide to NHIs describes this as part of lifecycle control, and it is especially important when secrets are distributed across pipelines and config files.
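The lifecycle discipline from the expanded definition and the record-keeping, offboarding and reconciliation use cases listed above, as an added Python example (this is not code from the page or from any vendor or guide it cites). It keeps an authoritative identity record per NHI with owner, purpose and lifecycle state, enforces allowed state transitions with an audit trail, and reconciles the register against observed usage to surface unregistered principals, retired identities still in use, stale identities that are revocation candidates, records with no accountable steward, and duplicate identities serving the same purpose. All principal names, owners, timestamps and the 90-day staleness threshold are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    RETIRED = "retired"


# Permitted lifecycle transitions. Retirement is terminal: a retired
# identity is never reactivated; a new record is created instead.
TRANSITIONS = {
    State.ACTIVE: {State.SUSPENDED, State.RETIRED},
    State.SUSPENDED: {State.ACTIVE, State.RETIRED},
    State.RETIRED: set(),
}


@dataclass
class Identity:
    name: str      # hypothetical principal name, e.g. "svc-deploy-prod"
    kind: str      # service_account, api_key, workload or agent
    owner: str     # accountable steward (team or person)
    purpose: str   # why the identity exists; this is the audit evidence
    state: State = State.ACTIVE
    history: list = field(default_factory=list)  # (when, actor, old, new, reason)


class IdentityRegistry:
    """Authoritative identity records with a reconciliation check."""

    def __init__(self):
        self._records = {}

    def register(self, ident):
        if ident.name in self._records:
            raise ValueError(f"duplicate identity name: {ident.name}")
        self._records[ident.name] = ident

    def get(self, name):
        return self._records[name]

    def transition(self, name, new_state, actor, reason, when):
        """Move an identity through its lifecycle, recording who, why and when."""
        ident = self._records[name]
        if new_state not in TRANSITIONS[ident.state]:
            raise ValueError(f"{name}: {ident.state.value} -> {new_state.value} not allowed")
        ident.history.append((when, actor, ident.state, new_state, reason))
        ident.state = new_state

    def reconcile(self, observed, valid_owners, now, stale_after):
        """Compare records with observed usage (name -> last seen) and return findings."""
        findings = {"retired_but_used": [], "stale": [], "no_steward": []}
        # Principals seen in use but absent from the register: shadow NHIs.
        findings["unregistered"] = sorted(n for n in observed if n not in self._records)
        by_purpose = {}
        for name, ident in sorted(self._records.items()):
            last_seen = observed.get(name)
            if ident.state is State.RETIRED:
                if last_seen is not None:  # failed decommission: still in use
                    findings["retired_but_used"].append(name)
                continue
            if ident.owner not in valid_owners:  # nobody accountable any more
                findings["no_steward"].append(name)
            if ident.state is State.ACTIVE:
                if last_seen is None or now - last_seen > stale_after:
                    findings["stale"].append(name)  # candidate for revocation
                by_purpose.setdefault((ident.kind, ident.purpose), []).append(name)
        findings["duplicates"] = [g for g in by_purpose.values() if len(g) > 1]
        return findings


# Constructed sample data; a fixed "now" keeps the check deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
VALID_OWNERS = {"platform-team", "data-team", "secops"}  # "alice" has left


def build_sample():
    """Populate a registry with constructed records, retire one, reconcile."""
    reg = IdentityRegistry()
    reg.register(Identity("svc-deploy-prod", "service_account", "platform-team", "deploy to prod"))
    reg.register(Identity("svc-deploy-prod-old", "service_account", "platform-team", "deploy to prod"))
    reg.register(Identity("api-billing-export", "api_key", "alice", "nightly billing export"))
    reg.register(Identity("wl-legacy-reports", "workload", "data-team", "legacy reporting"))
    reg.register(Identity("agent-triage", "agent", "secops", "ticket triage"))
    # The reporting app was decommissioned, so its workload identity is retired.
    reg.transition("wl-legacy-reports", State.RETIRED, "data-team",
                   "app decommissioned", NOW - timedelta(days=10))
    # Constructed usage observations, as a cloud audit log export would give them.
    observed = {
        "svc-deploy-prod": NOW - timedelta(days=1),
        "svc-deploy-prod-old": NOW - timedelta(days=2),
        "api-billing-export": NOW - timedelta(days=120),
        "wl-legacy-reports": NOW - timedelta(hours=1),
        "agent-triage": NOW - timedelta(days=3),
        "svc-unknown-7": NOW - timedelta(days=5),
    }
    return reg, reg.reconcile(observed, VALID_OWNERS, NOW, STALE_AFTER)


if __name__ == "__main__":
    _, findings = build_sample()
    for category, names in findings.items():
        print(f"{category:17}: {names}")
```

Each finding category maps to a use case in the list: `unregistered` is inventory drift, `retired_but_used` is a failed decommission, `stale` feeds revocation, `no_steward` is a stale owner, and `duplicates` are the redundant service accounts a reconciliation is meant to catch. In a real deployment the `observed` map would come from cloud and SaaS audit logs and the `valid_owners` set from the HR or team directory.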
Why It Matters in NHI Security
Identity management becomes a security control, not just an administrative function, because every unmanaged identity can turn into an access path, an audit gap, or a recovery problem. NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably answer who owns a given workload identity or whether it should still exist. That lack of visibility amplifies secrets sprawl, excessive privilege, and delayed revocation, all of which show up in real incidents before they show up on a policy spreadsheet. When identity records are accurate, reviewable, and lifecycle-bound, organisations can enforce least privilege, support Zero Trust, and prove accountability during audits. When they are stale, duplicated, or detached from ownership, remediation becomes reactive and expensive. For governance teams, identity management also creates the evidence layer needed to explain why a secret, token, or certificate exists at all. The broader risk picture is reflected in NHIMG’s Ultimate Guide to NHIs and its Top 10 NHI Issues analysis, both of which emphasise lifecycle failure as a common root cause. Organisations typically encounter identity management as an urgent problem only after a compromise, audit finding, or failed decommission, at which point it becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and lifecycle state underpin controlled access decisions. |
| NIST Zero Trust (SP 800-207) | | Zero Trust relies on continuous identity context and least-privilege enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-01 | NHI identity sprawl and orphaned accounts are core NHI lifecycle risks. |
Maintain current identity attributes and revoke stale NHIs to preserve continuous trust evaluation.