Why do collaboration platforms create identity risk even when the workspace looks tidy?

They accumulate access over time through guest accounts, dormant bots, inherited roles and app permissions. A workspace can look orderly while still containing hidden privilege, because the visible interface does not reveal who can administer integrations, escalate access or retain token-based reach. That gap is why collaboration platforms need the same governance rigor as cloud and SaaS identities.

Why This Matters for Security Teams

Collaboration platforms are not just chat and document systems. They are identity surfaces with guest users, bot accounts, app integrations, file shares, webhook tokens, and delegated permissions that can outlive the original business need. A tidy workspace can still hide durable access paths that bypass ordinary review, which is why guidance from the NIST Cybersecurity Framework 2.0 maps cleanly to these environments: identify what exists, govern who can act, and detect changes continuously.

NHI Management Group has repeatedly shown that visibility gaps, excessive privilege, and weak offboarding are the real failure modes, not the user interface itself. The Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges. In collaboration tooling, those same patterns show up as dormant bots, inherited app scopes, and forgotten guest access. In practice, many security teams encounter abuse only after a token is reused or an integration is compromised, rather than through intentional lifecycle control.

How It Works in Practice

The main issue is that collaboration platforms mix human and non-human access in the same workspace. A user may appear inactive while an app still retains API scopes, a channel bot can keep reading messages after the owner leaves, and a guest account may inherit access through group membership or shared content links. That means the visible member list is not the full identity inventory.

Operationally, teams need to treat every workspace like a governed identity plane. The practical steps are straightforward:

  • Inventory users, guests, bots, apps, service hooks, and tokens separately.
  • Review who can install, approve, or reauthorize integrations, not just who can post or read.
  • Apply least privilege to scopes, channel access, and file permissions.
  • Use time-bound access for contractors, vendors, and temporary automations.
  • Continuously check for dormant identities, stale tokens, and orphaned apps.

This is where collaboration-specific risk becomes visible in the data. NHI Management Group’s Key Challenges and Risks section shows how excessive privilege and poor offboarding create lasting exposure, while the State of Secrets Sprawl 2025 reports that 38% of secrets incidents in collaboration and project management tools like Slack, Jira, and Confluence are classified as highly critical or urgent. That aligns with the broader control model in NIST CSF 2.0: continuous governance matters because the workspace state changes faster than manual review cycles.

These controls tend to break down when integrations are self-service, token issuance is decentralized, and workspace admins can add apps without security review.

Common Variations and Edge Cases

Tighter controls often increase administrative overhead, so organisations have to balance fast collaboration against tighter approval, rotation, and review processes. That tradeoff is especially visible in startups, distributed teams, and partner-heavy environments where guest access is business-critical.

Best practice is evolving, but the current guidance suggests treating some collaboration identities as NHI even when they are not traditional service accounts. A Slack bot, Jira automation, or document-signing integration may look harmless, yet each can become a durable privilege carrier if its token is long-lived or broadly scoped. The 52 NHI Breaches Analysis and the Top 10 NHI Issues both reinforce the same pattern: hidden access usually persists because ownership is unclear, not because the platform is inherently insecure.

Edge cases include shared service inboxes, legal hold archives, cross-tenant guests, and AI assistants embedded in collaboration tools. Each can create legitimate exceptions, but exception handling must be explicit, time-bound, and reviewable. There is no universal standard for this yet, so the safest approach is to document scope, owner, expiry, and revocation path for every non-human or semi-automated identity.
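The audit pass implied by the practical steps above (inventory, least privilege, time-bound access, continuous checks for dormant identities, stale tokens and orphaned apps) and by the scope/owner/expiry/revocation record just described, as an added example that is not code from NHI Management Group or from any collaboration platform's API. The workspace inventory, the field names, and the 90-day and 180-day thresholds are constructed assumptions; a real run would be fed from the platform's admin export.

```python
from datetime import date, timedelta

# Constructed sample inventory of one workspace (not real data). Every identity,
# human or not, carries owner, scopes, expiry and token-issue metadata so the
# same record can describe a user, a guest, a channel bot or an app integration.
TODAY = date(2025, 6, 1)
IDENTITIES = [
    {"id": "u-alice", "kind": "user", "active": True, "last_seen": date(2025, 5, 30),
     "owner": "u-alice", "scopes": [], "expires": None, "token_issued": None},
    {"id": "u-bob", "kind": "user", "active": False, "last_seen": date(2025, 1, 10),
     "owner": "u-bob", "scopes": [], "expires": None, "token_issued": None},
    # Vendor guest whose agreed expiry passed but whose account is still enabled.
    {"id": "g-vendor", "kind": "guest", "active": True, "last_seen": date(2025, 5, 28),
     "owner": "u-alice", "scopes": ["channels:read"], "expires": date(2025, 3, 31),
     "token_issued": None},
    # Bot whose owner left; token never rotated, no documented expiry.
    {"id": "b-standup", "kind": "bot", "active": True, "last_seen": date(2024, 11, 2),
     "owner": "u-bob", "scopes": ["chat:write", "channels:history"], "expires": None,
     "token_issued": date(2024, 6, 1)},
    # Integration that is owned and time-bound but holds an admin-level scope.
    {"id": "a-ticketing", "kind": "app", "active": True, "last_seen": date(2025, 5, 31),
     "owner": "u-alice", "scopes": ["admin", "files:read", "users:read"],
     "expires": date(2025, 12, 31), "token_issued": date(2025, 4, 1)},
]
DORMANT_AFTER = timedelta(days=90)      # assumed inactivity threshold
ROTATE_AFTER = timedelta(days=180)      # assumed maximum token age
ADMIN_SCOPES = {"admin", "apps:write", "users:write"}  # assumed privileged scopes

def audit(identities, today=TODAY):
    """Return (identity id, finding) pairs for the governance checks."""
    active_humans = {i["id"] for i in identities if i["kind"] == "user" and i["active"]}
    findings = []
    for i in identities:
        nonhuman = i["kind"] in ("bot", "app")
        if nonhuman and today - i["last_seen"] > DORMANT_AFTER:
            findings.append((i["id"], "dormant"))
        if nonhuman and i["owner"] not in active_humans:      # owner offboarded
            findings.append((i["id"], "orphaned"))
        if nonhuman and i["token_issued"] and today - i["token_issued"] > ROTATE_AFTER:
            findings.append((i["id"], "stale-token"))
        if nonhuman and i["expires"] is None:                 # no documented end date
            findings.append((i["id"], "no-expiry"))
        if set(i["scopes"]) & ADMIN_SCOPES:                   # can administer integrations
            findings.append((i["id"], "admin-scope"))
        if i["active"] and i["expires"] and i["expires"] < today:
            findings.append((i["id"], "expired-but-active"))
    return findings

if __name__ == "__main__":
    for ident, finding in audit(IDENTITIES):
        print(f"{ident}: {finding}")
```

Each finding maps to one revocation or re-scoping action; running the pass on every export turns the manual review cycle into a continuous check.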

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Collaboration platforms hide bot and token identities that need explicit inventory and ownership.
NIST CSF 2.0 | PR.AA-01 | Identity governance in collaboration tools depends on knowing and managing each access path.
CSA MAESTRO | (not specified) | Collaboration apps increasingly host agentic automations that need lifecycle control.

Classify automations as governed workloads and enforce approval, scoping, and revocation.