Unapproved purchases often become unmanaged assets, which means they are invisible to normal patching, monitoring, and ownership processes. Once a device or application sits outside approved workflows, security teams lose traceability and compliance teams lose assurance. The risk is not just the purchase itself, but the control gap that follows it.
Why This Matters for Security Teams
Unapproved purchases are a governance problem first, but they quickly become a security control failure. A laptop, SaaS subscription, browser extension, or AI tool acquired outside procurement can bypass asset inventory, identity review, logging standards, and vendor risk checks. That leaves no reliable owner to approve patching, revoke access, or answer audit questions. The result is not just shadow IT. It is an unmanaged entry point with unclear data handling and weak accountability.
For security leaders, the issue is that purchase approval is often the only moment when a device or service can be forced into standard controls. Once it enters use without that gate, teams usually discover it later through expense review, an incident, or a compliance exception. Current guidance in NIST Cybersecurity Framework 2.0 still places strong emphasis on asset visibility and governance, and NHIMG research on Top 10 NHI Issues shows how quickly missing ownership and lifecycle control turn into operational risk. In practice, many security teams encounter the exposure only after the asset has already accessed sensitive systems, rather than through intentional approval.
How It Works in Practice
Unapproved purchases create risk because they break the chain between acquisition and control. Approved procurement usually triggers several protections: supplier review, security review, asset registration, identity assignment, configuration hardening, and ongoing monitoring. When a purchase bypasses that process, the organisation loses the ability to prove who owns it, what data it touches, and whether it meets minimum security requirements.
Common examples include unsanctioned SaaS subscriptions, personal devices used for work, developer tools purchased on a card, or embedded AI services added to workflows without review. These may introduce unvetted integrations, excessive permissions, weak authentication, or hidden data transfers. If the item is connected to human or non-human identities, the control gap expands because secrets, tokens, and access grants can persist beyond the original business need. NHIMG guidance on Lifecycle Processes for Managing NHIs is especially relevant here because unmanaged purchases often become unmanaged identities.
Practical mitigation usually includes:
- Requiring procurement or finance approval for any device, app, subscription, or AI service that touches company data.
- Linking purchase workflows to asset inventory, IAM, and vendor risk review before first use.
- Assigning an accountable owner who can attest to purpose, data access, and retirement date.
- Auto-enforcing patching, logging, and access review for anything that enters the environment.
One useful benchmark from The State of Non-Human Identity Security is that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which illustrates how fast unapproved tools can outrun oversight. These controls tend to break down when spending is decentralised across departments, because the asset never enters the authoritative inventory in the first place.
Common Variations and Edge Cases
Tighter purchase control often increases friction, requiring organisations to balance speed for business users against the need for traceability and review. That tradeoff is real, especially in fast-moving teams that rely on cloud services, contractor laptops, or developer self-service. Best practice is evolving toward risk-tiered approval rather than blanket prohibition.
Low-risk items may be approved quickly if they are pre-approved catalog purchases with standard terms, while higher-risk tools need security review, legal approval, and identity controls before use. The main exception is emergency procurement, where time-sensitive purchases may be allowed but must be retroactively registered and reviewed within a defined window. Without that follow-up, temporary exceptions become permanent blind spots.
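As an added illustration (not code from the page or from NHIMG), the reconciliation check implied by the controls above: join a card/expense export against the asset inventory and the identity records, flag purchases that bypassed the approval gate, emergency purchases whose retroactive review is overdue, assets with no accountable owner, and non-human identities tied to anything that is not a managed asset. The record layouts, field names and the 14-day window are assumptions.

```python
from datetime import date, timedelta

# Assumed review window for emergency purchases (the page only says "a defined window").
EMERGENCY_WINDOW = timedelta(days=14)

# Constructed sample feeds (not real data): card/expense export, asset inventory, IAM records.
PURCHASES = [
    {"id": "P-1", "item": "contractor laptop", "date": date(2024, 5, 1),
     "channel": "procurement", "emergency": False, "reviewed": True},
    {"id": "P-2", "item": "analytics SaaS", "date": date(2024, 5, 3),
     "channel": "card", "emergency": False, "reviewed": False},
    {"id": "P-3", "item": "AI transcription API", "date": date(2024, 4, 1),
     "channel": "card", "emergency": True, "reviewed": False},
]
INVENTORY = {  # keyed by purchase id; "owner" is the accountable person (empty = none)
    "P-1": {"owner": "a.lee"},
    "P-3": {"owner": ""},
}
IDENTITIES = [  # non-human identities and the purchased asset each one is tied to
    {"principal": "svc-analytics-export", "asset": "P-2"},
    {"principal": "svc-transcribe", "asset": "P-3"},
]


def reconcile(purchases, inventory, identities, today):
    """Return (subject, finding) pairs for every control gap found in the three feeds."""
    findings = []
    for p in purchases:
        # Non-emergency spend outside procurement never passed the approval gate.
        if p["channel"] != "procurement" and not p["emergency"]:
            findings.append((p["id"], "BYPASSED_APPROVAL"))
        # Emergency spend is allowed, but must be reviewed inside the window.
        if p["emergency"] and not p["reviewed"] and today - p["date"] > EMERGENCY_WINDOW:
            findings.append((p["id"], "EMERGENCY_REVIEW_OVERDUE"))
        asset = inventory.get(p["id"])
        if asset is None:
            findings.append((p["id"], "NOT_IN_INVENTORY"))
        elif not asset["owner"]:
            findings.append((p["id"], "NO_OWNER"))
    # An identity is only "managed" if its asset is inventoried with an owner.
    managed = {pid for pid, a in inventory.items() if a["owner"]}
    for ident in identities:
        if ident["asset"] not in managed:
            findings.append((ident["principal"], "IDENTITY_WITHOUT_MANAGED_ASSET"))
    return findings


def sample_findings():
    """Run the check over the constructed feeds as of a fixed date."""
    return reconcile(PURCHASES, INVENTORY, IDENTITIES, date(2024, 5, 10))


if __name__ == "__main__":
    for subject, finding in sample_findings():
        print(f"{finding:32} {subject}")
```

Identities flagged as IDENTITY_WITHOUT_MANAGED_ASSET are the candidates for the "revoke unknown access" step; the other findings route back to procurement or the asset owner.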
This is also where compliance and security overlap. Audit teams care about evidence of approval and ownership, while security teams care about exposure, access, and persistence. Current guidance suggests the answer is not just stopping purchases, but ensuring every purchase is traceable to an owner, a lifecycle process, and a retirement path. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because the same control gap that frustrates auditors also leaves security teams without a reliable response path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Unapproved purchases create asset visibility gaps. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged tools often introduce untracked identities and secrets. |
| NIST CSF 2.0 | PR.DS-4 | Unsanctioned tools may move or store data outside approved controls. |
Inventory all non-human identities tied to purchased tools and revoke unknown access.
Related resources from NHI Mgmt Group
- Why do non-human identities create compliance risk even when policies exist?
- How should security teams reduce identity risk in compliance automation programmes?
- Why do unused SaaS apps still create security risk after renewal is cancelled?
- Why do fast-moving AI programmes create new compliance risk?