Shaping is the phase where the problem, options, and constraints are explored before the team commits to a solution. Implementation is the phase where the chosen direction is built and operationalised. The difference matters because governance is strongest when the team tests assumptions before work becomes expensive to reverse.
Why This Matters for Security Teams
Delivery governance fails when teams confuse decision framing with delivery execution. Shaping is where the team tests whether a problem is worth solving, what outcomes matter, and which constraints should shape the work. Implementation is where those decisions become code, configuration, process, and operating controls. That distinction is central to avoiding premature commitment, which is why it maps well to broader governance models such as the NIST Cybersecurity Framework 2.0.
For NHI programs, the same discipline shows up in lifecycle management. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs treats identity creation, governance, and retirement as distinct phases for a reason: if you skip shaping, implementation tends to hard-code bad assumptions into long-lived secrets, access paths, and service dependencies. That is where delivery governance becomes expensive, slow, and difficult to reverse.
One practical warning sign is when teams start implementation before they can clearly answer who the change affects, what risk it reduces, and what success looks like. In practice, many security teams encounter scope confusion only after delivery has already created operational debt, rather than through intentional shaping.
How It Works in Practice
Shaping is the governance layer that should happen before the team commits budget, architecture, or delivery dates. It is used to define the problem statement, surface competing options, identify constraints, and decide whether the work belongs in a product backlog, a security program, or an operational improvement stream. Implementation begins only after that decision is made, and it should translate the chosen direction into controls that can be built, tested, and monitored.
A useful way to separate the two is to ask different questions at each stage. Shaping asks: what is the risk, what are the alternatives, what is the smallest defensible change, and what trade-offs are acceptable? Implementation asks: how will this be built, integrated, verified, and sustained? For identity-heavy environments, that often means distinguishing policy design from control deployment, then turning the design into workable governance over secrets, access paths, and review cycles. NHIMG’s Top 10 NHI Issues is useful here because it shows how often failures begin with unclear ownership, poor lifecycle control, or over-permissioned access.
- Use shaping to define the decision, not the solution.
- Use implementation to deliver the approved solution with measurable controls.
- Keep architecture, security, and operations in the shaping conversation early.
- Move to implementation only when scope, ownership, and acceptance criteria are explicit.
This is where current guidance suggests governance is strongest: decisions are made before work becomes expensive to change, and delivery teams can still challenge assumptions without disrupting production paths. These controls tend to break down when organisations treat shaping as a paperwork step and begin implementation with unresolved scope, because the team then embeds ambiguity into the system itself.
Common Variations and Edge Cases
Tighter governance at the shaping stage often increases coordination cost, so organisations have to balance speed against reversibility. That trade-off is especially visible when delivery teams want to move quickly on low-risk changes but governance reviewers need enough context to judge whether the work is truly low-risk.
There is no universal standard for this yet, but best practice is evolving toward lighter shaping for routine changes and deeper shaping for work that affects critical services, identity controls, or regulated workloads. In mature environments, shaping may be a short pre-decision review, while implementation uses stricter checkpoints for build, test, release, and audit evidence. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant here because implementation evidence matters more when auditors need proof of control design and operating effectiveness.
Edge cases appear when the work is exploratory, emergency-driven, or already constrained by an external dependency. In those situations, shaping may be compressed, but it should not be skipped. If the question cannot be answered clearly at shaping time, implementation usually becomes a proxy for decision-making, which is a sign that governance has moved too late in the delivery cycle.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Shaping clarifies business context before implementation decisions. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Implementation often hard-codes NHI ownership and lifecycle mistakes. |
| NIST AI RMF | Shaping aligns with AI governance decisions made before implementation. |
Use AIRMF governance practices to evaluate risk, context, and approval gates before execution.
Related resources from NHI Mgmt Group
- What is the difference between attack surface management and NHI governance?
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between human IAM controls and NHI governance?
- What is the difference between endpoint management and access governance?
