Treat identity as the durable account or directory record and credentials as the revocable proof used to authenticate it. Manage onboarding, role changes, and offboarding through identity lifecycle controls, while handling password resets, token rotation, certificate renewal, and secret revocation through a separate credential process. That separation makes compromise response precise and preserves audit continuity.
Why This Matters for Security Teams
Identity and credential management get conflated when teams treat a login surface as the same thing as the proof used to authenticate it. That shortcut creates operational blind spots: access reviews focus on who a record belongs to, while compromise response depends on what secrets, tokens, or certificates can still be used right now. NHI guidance from NHI Management Group shows why this matters in practice, especially where secret sprawl and weak rotation amplify exposure, as covered in the Guide to the Secret Sprawl Challenge.
The separation also improves auditability. Identity lifecycle events such as joiner, mover, and leaver actions should remain stable in the directory, while credentials should be short-lived, revocable, and traceable to a specific purpose. That distinction aligns with the control intent in NIST Cybersecurity Framework 2.0 and the identity assurance direction in NIST SP 800-63 Digital Identity Guidelines.
Astrix Security & CSA found that only 1.5 out of 10 organisations are highly confident in securing NHIs, which reflects a real gap between account governance and credential control. In practice, many security teams encounter credential abuse only after a token, key, or certificate has already been reused outside its intended lifecycle.
How It Works in Practice
Practically, identity management should answer “who or what is this principal?” while credential management answers “what proof can this principal present, for how long, and under what conditions?” That means the directory, IdP, or CMDB owns the durable record, and a separate secrets or access service owns issuance, rotation, and revocation. The goal is to prevent one process from becoming the source of truth for both identity and secret state.
For human users, this usually means onboarding and role assignment in IAM, then separate handling for password resets, MFA recovery, and certificate renewal. For NHIs, the split should be sharper. Service accounts, workloads, and integrations should be created once, then receive scoped credentials through lifecycle-driven automation. NHIMG’s NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Static vs Dynamic Secrets both reinforce the operational value of keeping those responsibilities separate.
- Use identity systems for ownership, approval, and entitlement mapping.
- Use credential systems for issuance, TTL, rotation, and revocation.
- Track every secret, token, and certificate back to a named identity and purpose.
- Automate offboarding so disabling the identity also invalidates dependent credentials.
This is also where standards guidance helps. The OWASP Non-Human Identity Top 10 highlights the risks of long-lived secrets and weak lifecycle controls, while NIST identity guidance supports stronger proof management without collapsing it into the identity record itself. These controls tend to break down in hybrid environments where local scripts, CI systems, and cloud services issue their own credentials without a central revocation path.
Common Variations and Edge Cases
Tighter separation often increases operational overhead, requiring organisations to balance faster recovery against more moving parts. That tradeoff is especially visible when teams must support legacy apps that expect a static password or shared API key. Best practice is evolving, but current guidance suggests treating these exceptions as migration targets rather than as the default operating model.
There is no universal standard for this yet, so the right design depends on the workload. For example, a directory entry may be stable while the associated credential is ephemeral and task-bound, which is increasingly common in modern automation. NHIMG research on 52 NHI Breaches Analysis shows why this matters: once a secret escapes, the identity record alone does not reduce exposure unless the credential can be revoked quickly.
Edge cases include shared service accounts, vendor-managed integrations, and break-glass access. These need explicit ownership, short review windows, and separate logging for identity events versus credential events. Where teams are still using long-lived keys, the most effective interim step is to decouple storage and rotation from directory administration, then gradually move to dynamic credentials and workload-bound authentication.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses poor secret rotation and lifecycle separation for NHIs. |
| NIST CSF 2.0 | PR.AC-1 | Supports controlled access tied to identity governance and revocation. |
| NIST SP 800-63 | Separates identity proofing from authenticator management. |
Keep identity records stable, but issue, rotate, and revoke credentials on separate automated schedules.
Related resources from NHI Mgmt Group
- How should security teams separate identity management from access management?
- How should teams use identity security posture management for NHI governance?
- How should security teams automate identity lifecycle management without creating new access risk?
- How should security teams connect identity governance to risk management and compliance?
