The mismatch between the real agent estate and the registry or inventory used for governance. In multi-cloud AI environments, drift appears when new agents are created or changed outside the control plane, leaving policy decisions based on partial or outdated information.
Expanded Definition
Registry drift is the gap between the live non-human identity estate and the registry that governance teams rely on to make access, risk, and ownership decisions. In NHI operations, the registry should function as the source of truth, but definitions vary across vendors on whether it includes only service accounts and API keys or also workload identities, agent identities, and ephemeral credentials. That ambiguity matters because drift is not just missing records. It also includes stale metadata, delayed deprovisioning, ownership changes, duplicated entries, and newly created agents that bypass the control plane. A useful reference point is the NIST Cybersecurity Framework 2.0, which stresses asset visibility and continuous risk management even though it does not use the term registry drift explicitly.
For NHI governance, the registry must stay aligned with provisioning, rotation, revocation, and policy enforcement so that decisions are made against current reality rather than yesterday’s inventory. The most common misapplication is treating a one-time discovery export as a live registry, which occurs when inventory updates do not keep pace with autonomous agent creation, cloud-native scaling, or manual exceptions.
Examples and Use Cases
Implementing registry discipline rigorously often introduces operational overhead, so organisations must weigh stronger governance and faster incident response against the cost of continuous discovery and reconciliation.
- A finance team creates a new API-driven reconciliation agent in a cloud account, but the agent is never added to the central registry, so reviews miss its secrets exposure until an audit.
- An autonomous workflow is cloned across environments, and the old instance remains listed as active even after decommissioning, leaving ownership and rotation decisions pointed at a dead identity.
- A security team discovers that the registry still shows a service account as belonging to one application while the workload was migrated months earlier, causing policy exceptions to be applied to the wrong team.
- The pattern seen in the Salesloft OAuth token breach illustrates how untracked changes can turn an identity governance gap into real data exposure.
- Security engineers cross-check registry entries against cloud logs, CI/CD events, and directory data to find identities that exist in production but not in governance records, a process aligned with NIST Cybersecurity Framework 2.0 asset identification practices.
NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, which helps explain why registry drift is so persistent.
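The cross-check described in the last bullet, as an added example that is not part of the original page: it reconciles a governance registry against identities observed in cloud audit logs, CI/CD events and directory data, flags the drift categories the definition lists (unregistered agents, stale records from delayed deprovisioning, ownership mismatches, duplicate entries), and then uses those findings as a policy gate so stale registry records do not drive access decisions. All identity ids, owner tags, dates and the 30-day staleness window are constructed for the example.

```python
from datetime import date, timedelta

# Constructed registry snapshot (hypothetical ids): what governance believes is true.
REGISTRY = {
    "svc-recon-agent": {"owner": "finance", "status": "active"},
    "wf-etl-clone-v1": {"owner": "data-eng", "status": "active"},  # decommissioned, never updated
    "svc-billing-api": {"owner": "app-a", "status": "active"},     # workload migrated to app-b
    "SVC-BILLING-API": {"owner": "app-a", "status": "active"},     # duplicate entry, case variant
}
# Constructed observations merged from cloud audit logs, CI/CD events and directory data.
OBSERVED = [
    {"id": "svc-recon-agent", "source": "cloud-audit", "owner": "finance", "last_seen": date(2025, 3, 1)},
    {"id": "agent-payables-ai", "source": "ci-cd", "owner": "finance", "last_seen": date(2025, 3, 2)},
    {"id": "svc-billing-api", "source": "directory", "owner": "app-b", "last_seen": date(2025, 3, 1)},
]
AS_OF = date(2025, 3, 3)  # constructed reconciliation date

def reconcile(registry, observed, today, stale_after_days=30):
    """Compare the registry with live observations; return drift findings by category."""
    findings = {"unregistered": [], "stale": [], "ownership_mismatch": [], "duplicate": []}
    canon = {}  # lower-cased id -> first registry id; later collisions are duplicate records
    for rid in registry:
        if rid.lower() in canon:
            findings["duplicate"].append(rid)
        canon.setdefault(rid.lower(), rid)
    live = {o["id"].lower(): o for o in observed}
    for key, o in live.items():
        if key not in canon:  # exists in production, absent from governance records
            findings["unregistered"].append(o["id"])
        elif registry[canon[key]]["owner"] != o["owner"]:  # metadata no longer matches reality
            findings["ownership_mismatch"].append(o["id"])
    cutoff = today - timedelta(days=stale_after_days)
    for key, rid in canon.items():  # listed active but unseen: delayed deprovisioning
        o = live.get(key)
        if registry[rid]["status"] == "active" and (o is None or o["last_seen"] < cutoff):
            findings["stale"].append(rid)
    return findings

def authorize(identity_id, registry, findings):
    """Policy gate: deny unless the identity is registered and its record has not drifted."""
    key = identity_id.lower()
    if key not in {r.lower() for r in registry}:
        return False, "not in registry"
    if key in {i.lower() for ids in findings.values() for i in ids}:
        return False, "registry record drifted; reconcile before granting access"
    return True, "ok"
```

In practice the observation list is rebuilt on every run from the live sources, which is what turns a one-time discovery export into a registry that keeps pace with agent creation.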
Why It Matters in NHI Security
Registry drift weakens every downstream control that depends on accurate identity records. If the registry is stale, access reviews approve the wrong subjects, rotation workflows skip live credentials, offboarding leaves orphaned tokens behind, and policy engines enforce rules against identities that no longer exist. That creates a hidden attack surface where attackers can exploit forgotten agents, unowned service accounts, and credentials that remain valid long after the business believes they have been removed. The result is especially dangerous in agentic environments because agents can be created, modified, or replicated faster than human processes can reconcile them. NHIMG data shows 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring how visibility gaps translate into compromise risk.
Registry drift also undermines Zero Trust because trust decisions are only as good as the identity facts behind them, and that becomes critical when third-party systems, CI/CD automation, and delegated admins can create identities outside the normal review path. Teams typically discover the impact only after an incident report, audit exception, or unexplained token use reveals that the registry never matched production reality, and by then addressing registry drift is unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Registry drift reflects unknown and unmanaged NHIs that evade inventory and ownership controls. |
| NIST CSF 2.0 | ID.AM | Asset management requires accurate inventories of identities and supporting resources. |
| NIST Zero Trust (SP 800-207) | GV-2 | Zero Trust depends on current identity and device state before policy decisions are made. |
Feed live identity state into authorization so stale registry records do not drive access decisions.