Issuance-time policy is the practice of evaluating who is asking, what they may request, and which scopes are allowed before a token is minted. For agents, this is the control point that prevents excess privilege from ever becoming an active credential.
Expanded Definition
Issuance-time policy is the control logic applied before a token, certificate, or delegated grant is minted. It determines whether the requester is eligible, what context is acceptable, and which scopes or claims are permitted at the moment of issuance. In NHI security, this matters because a bad decision made at mint time becomes a live credential with immediate reach. The concept overlaps with authorization, but it is narrower and more preventive: instead of checking every future action, it constrains what is allowed to exist in the first place.
Definitions vary across vendors, especially where issuance-time policy is implemented through OAuth servers, identity brokers, workload identity systems, or agent orchestration layers. NHI Management Group treats it as part of the identity assurance and privilege boundary, consistent with the preventive objectives reflected in the NIST Cybersecurity Framework 2.0. The most common misapplication is treating issuance-time policy as a one-time login check: the requester is authenticated, but scope, audience, and context are not validated at the exact moment the credential is created, so whatever the requester asked for is what gets minted.
Examples and Use Cases
Implementing issuance-time policy rigorously often introduces extra policy evaluation and developer friction, requiring organisations to weigh tighter privilege containment against slightly more complex token flows.
- An agent requests an access token for a data tool, but the issuer limits it to read-only scopes because the task does not justify write access.
- A CI/CD workload attempts to mint a credential outside approved build context, and the issuance policy blocks it until the job identity and environment checks pass.
- A federated workload presents a valid authentication event, but the issuer rejects broad audience claims and issues a narrowly scoped token instead.
- During lifecycle governance, teams use Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs to align issuance rules with rotation, expiry, and offboarding controls.
- For audit preparation, security teams map issuance decisions to the control expectations discussed in Ultimate Guide to NHIs — Regulatory and Audit Perspectives and compare them with the token issuance patterns recommended by NIST.
Common practice also includes conditional issuance based on workload identity, request purpose, device trust, or runtime posture, rather than issuing a broadly reusable secret.
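The three list items above, together with the conditional issuance just described, are one decision procedure: confirm the requester is eligible, gate on attested context, contain scopes and audiences to what the policy allows, then mint a short-lived token carrying only what survived. The following is an added example written for this page; it is not NHI Management Group code or any product's issuer. The policy table, subject names (`agent:report-summarizer`, `repo:example/app`), audience and issuer URLs, context keys, and the HMAC signing key are all constructed for illustration, and the hand-rolled HS256 minting stands in for whatever JWT library a real issuer would use.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical issuer name and signing key so the example runs offline. A real issuer
# holds its key in a KMS/HSM and uses a vetted JWT library rather than hand-rolled HS256.
ISSUER = "https://issuer.example"
ISSUER_KEY = b"demo-issuer-key-not-for-production"

@dataclass(frozen=True)
class IssuancePolicy:
    """The most a given workload identity may ever be issued, and the context required."""
    allowed_scopes: frozenset
    allowed_audiences: frozenset
    required_context: dict   # every key/value must appear in the attested request context
    max_ttl: int             # seconds; the issuer never mints a longer-lived token than this

@dataclass(frozen=True)
class TokenRequest:
    subject: str             # already-authenticated workload identity
    scopes: frozenset
    audiences: frozenset     # "*" means the caller asked for an unrestricted audience
    context: dict            # attested facts about the caller: purpose, git ref, runner, posture

@dataclass
class Decision:
    granted: bool
    reason: str
    token: Optional[str] = None
    claims: Optional[dict] = None
    dropped_scopes: frozenset = frozenset()   # what the caller asked for but did not get

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Minimal HS256 compact JWS (header.payload.signature) for the demo."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def evaluate(req: TokenRequest, policies: dict, now: Optional[int] = None) -> Decision:
    """Issuance-time policy: eligibility, context, scope and audience are settled BEFORE minting."""
    policy = policies.get(req.subject)
    if policy is None:
        return Decision(False, f"no issuance policy for subject {req.subject}")
    # 1. Context gate: the request must come from the approved environment and purpose.
    for key, expected in policy.required_context.items():
        if req.context.get(key) != expected:
            return Decision(False, f"context check failed: {key}={req.context.get(key)!r}, "
                                   f"expected {expected!r}")
    # 2. Scope containment: grant only the intersection, never what the task does not justify.
    granted_scopes = req.scopes & policy.allowed_scopes
    if not granted_scopes:
        return Decision(False, "none of the requested scopes are permitted for this subject")
    # 3. Audience containment: a wildcard or over-broad audience is narrowed, not honoured.
    wanted = policy.allowed_audiences if "*" in req.audiences else req.audiences
    granted_aud = wanted & policy.allowed_audiences
    if not granted_aud:
        return Decision(False, "no permitted audience in request")
    # 4. Mint a short-lived token carrying only what survived the policy.
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": req.subject, "aud": sorted(granted_aud),
              "scope": " ".join(sorted(granted_scopes)), "iat": now, "exp": now + policy.max_ttl}
    return Decision(True, "issued", token=mint_hs256(claims), claims=claims,
                    dropped_scopes=req.scopes - granted_scopes)

# Constructed sample policies: an agent that may only read a data tool, and a CI job
# that may push artifacts and deploy to staging only from main on a hosted runner.
SAMPLE_POLICIES = {
    "agent:report-summarizer": IssuancePolicy(frozenset({"data:read"}),
                                              frozenset({"https://data-tool.example"}),
                                              {"purpose": "summarize"}, max_ttl=300),
    "repo:example/app": IssuancePolicy(frozenset({"artifact:push", "deploy:staging"}),
                                       frozenset({"https://deploy.example"}),
                                       {"ref": "refs/heads/main", "runner": "hosted"}, max_ttl=600),
}

def demo(now: int = 1_700_000_000) -> dict:
    """The three cases from the examples list, as constructed requests against SAMPLE_POLICIES."""
    agent = TokenRequest("agent:report-summarizer", frozenset({"data:read", "data:write"}),
                         frozenset({"https://data-tool.example"}), {"purpose": "summarize"})
    ci_off_branch = TokenRequest("repo:example/app", frozenset({"deploy:staging"}),
                                 frozenset({"https://deploy.example"}),
                                 {"ref": "refs/heads/feature-x", "runner": "hosted"})
    federated_broad_aud = TokenRequest("repo:example/app", frozenset({"artifact:push"}),
                                       frozenset({"*"}), {"ref": "refs/heads/main", "runner": "hosted"})
    return {"agent": evaluate(agent, SAMPLE_POLICIES, now),
            "ci_off_branch": evaluate(ci_off_branch, SAMPLE_POLICIES, now),
            "federated_broad_aud": evaluate(federated_broad_aud, SAMPLE_POLICIES, now)}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {d.reason}", d.claims or "")
```

Running `demo()` shows the three outcomes: the agent's `data:write` is dropped and it receives a 300-second read-only token, the CI request from a feature branch is refused before any token exists, and the wildcard audience is replaced by the single audience the policy allows. The `Decision` record (including `dropped_scopes` and the refusal reason) is what you would log for the audit mapping mentioned above; the point of the design is that every narrowing happens in `evaluate`, so a broad credential is never created and then trimmed later.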
Why It Matters in NHI Security
Issuance-time policy is one of the few places where excessive privilege can be stopped before it becomes operational debt. When it is weak, service accounts and agents tend to receive tokens that are broader, longer lived, and more reusable than their actual task requires. That creates faster lateral movement, harder revocation, and more complicated incident response after a compromise. NHIMG research shows the scale of the issue: Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Practitioners usually feel the importance of issuance-time policy only after a token has been abused, a secret has leaked, or an agent has acted outside its intended scope; by then, mint-time controls are no longer optional. The same lesson appears in NHIMG’s Top 10 NHI Issues, where weak governance at credential creation repeatedly shows up as a root cause rather than a side effect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Issuance-time policy limits over-privileged and long-lived NHI tokens at mint time. |
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control) | Access permissions, entitlements and authorizations are defined in policy and enforced with least privilege; issuance is where that policy is applied to a credential. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (per-session access, dynamic policy); policy decision and enforcement points | Zero Trust grants access per request from dynamic, context-based policy rather than from a standing credential. |
Issue short-lived, narrowly scoped access only when conditions are satisfied.
Related resources from NHI Mgmt Group
- What is the difference between build-time scanning and deployment-time policy checks?
- What breaks when NHI provisioning happens without ownership and policy at creation time?
- Why do real-time policy decisions still fail in identity governance programmes?
- What breaks when PCI DSS access control is treated as a one-time policy exercise?