How should security teams use activity data in identity governance decisions?

Security teams should combine activity data with entitlement records before making PAM, IGA, or lifecycle decisions. Login history, last access, and credential status help distinguish dormant but clean identities from dormant but exposed ones. Without that context, review outcomes are based on snapshots, not operational reality, and can preserve risky access for too long.

Why This Matters for Security Teams

Activity data is the difference between treating an identity as “still present” and understanding whether it is actually active, exposed, or abandoned. For NHI governance, login history, last access, token use, and credential status should shape decisions about PAM, IGA, and lifecycle actions because entitlement lists alone do not show operational reality. NIST Cybersecurity Framework 2.0 emphasises continuous identity and access management, which aligns with using behaviour evidence instead of static snapshots. NHI Mgmt Group also notes that only 5.7% of organisations have full visibility into service accounts in its Ultimate Guide to NHIs.

The practical risk is simple: dormant does not mean safe. A dormant identity with a valid secret can still be abused, especially when secrets are stored outside vaults or tied to third-party integrations. Activity data helps separate accounts that are inactive by design from accounts that are inactive because no one is watching them anymore. Security teams that ignore this context often over-preserve access after projects end, migrations pause, or owners leave, and that is where compromise tends to persist unnoticed.

How It Works in Practice

Security teams should combine entitlement records with activity signals before deciding whether to keep, reduce, rotate, or revoke access. The goal is not to “trust usage” blindly, but to interpret usage alongside ownership, system criticality, credential age, and downstream privilege. NIST guidance on identity and access governance supports this kind of continuous review, while the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs frames lifecycle action as a recurring control, not a one-time cleanup.

A practical decision model usually includes:

  • Last seen activity: determine whether the identity has authenticated, called APIs, or used secrets within a defined window.

  • Credential status: check whether keys, tokens, or certificates are valid, rotated, expired, or recently reissued.

  • Entitlement scope: compare observed use against granted permissions to find unused but dangerous access.

  • Owner and purpose: verify whether the identity still maps to an active workload, vendor, or business process.

  • Environment context: distinguish production service accounts from test, CI/CD, or migration accounts that may look dormant but remain needed.

That approach is especially important because access review outcomes based only on static entitlement snapshots can miss whether an account is exposed through a leaked secret, a stale token, or an unmonitored integration. Current guidance suggests using activity data as a prioritisation signal for review, not as a sole indicator of trustworthiness. In practice, this works best when paired with vault telemetry, SIEM events, and periodic revalidation against the business owner. These controls tend to break down in large CI/CD environments because short-lived build activity can look indistinguishable from abuse without pipeline context.

Common Variations and Edge Cases

Tighter activity-based governance often increases operational overhead, so organisations need to balance review accuracy against the cost of collecting and interpreting more telemetry. That tradeoff is real, especially when identities span cloud platforms, pipelines, and third-party vendors. The State of Non-Human Identity Security shows why the problem is not theoretical: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes activity interpretation incomplete by default.

There is no universal standard for how long an identity may remain idle before action should be taken. Best practice is evolving toward risk-based thresholds that differ by privilege level, secret type, and environment criticality. A service account with no recent use but a highly privileged token should be treated differently from a low-risk batch job with a tightly scoped, auto-expiring certificate. Similarly, an identity with no logins but frequent API calls should not be marked inactive just because interactive access is absent.

Teams should also avoid one common mistake: revoking identities solely because they are quiet. Quiet can mean retired, but it can also mean hidden. Activity data is most useful when it confirms a lifecycle decision already supported by ownership, purpose, and entitlement evidence, not when it replaces those controls.
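The decision model listed above (last seen activity, credential status, entitlement scope, owner and purpose, environment context) and the risk-based idle thresholds described in this section can be expressed as a small triage routine. The code below is an added example, not code from the page or from the journal; the idle windows, the 90-day rotation policy, the action names and the sample identity records are constructed assumptions. Activity decides how urgently an identity is looked at; ownership, purpose and entitlement evidence decide what happens to it, so a quiet identity with a live owner is escalated for revalidation rather than revoked, and an identity with no logins but recent API calls is treated as active.

```python
"""Activity-aware triage of non-human identities.

Added example (not code from the page or the journal). The idle windows,
rotation policy, action names and sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Fixed reference time so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Assumed risk-based idle windows in days, keyed by (privilege, environment).
# Highly privileged production identities get the shortest window.
IDLE_DAYS = {
    ("high", "prod"): 14,
    ("high", "nonprod"): 30,
    ("low", "prod"): 60,
    ("low", "nonprod"): 90,
}
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy


@dataclass
class Identity:
    name: str
    privilege: str                        # "high" or "low"
    environment: str                      # "prod" or "nonprod"
    last_auth: Optional[datetime]         # last login / token exchange
    last_api_call: Optional[datetime]     # last non-interactive API use
    last_secret_use: Optional[datetime]   # last vault read of its secret
    credential_issued: datetime
    credential_valid: bool                # key/token/cert still usable
    owner_active: bool                    # still maps to a live workload or process
    granted: Set[str] = field(default_factory=set)
    observed: Set[str] = field(default_factory=set)  # permissions actually exercised


def last_seen(identity: Identity) -> Optional[datetime]:
    """Most recent activity on any channel; API-only use counts as activity."""
    stamps = [t for t in (identity.last_auth, identity.last_api_call,
                          identity.last_secret_use) if t is not None]
    return max(stamps) if stamps else None


def idle_window(identity: Identity) -> timedelta:
    return timedelta(days=IDLE_DAYS[(identity.privilege, identity.environment)])


def triage(identity: Identity, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Return (action, reasons). Activity prioritises the review; ownership,
    purpose and entitlement evidence decide the action."""
    reasons: List[str] = []
    seen = last_seen(identity)
    idle = seen is None or (now - seen) > idle_window(identity)
    cred_age = now - identity.credential_issued
    stale_cred = identity.credential_valid and cred_age.days > MAX_CREDENTIAL_AGE_DAYS
    unused = identity.granted - identity.observed

    if idle:
        reasons.append(f"no activity within {idle_window(identity).days} days")
    if stale_cred:
        reasons.append(f"credential is {cred_age.days} days old, past rotation policy")
    if unused:
        reasons.append(f"granted but never exercised: {sorted(unused)}")

    if idle:
        if identity.credential_valid and not identity.owner_active:
            # Dormant, orphaned and still able to authenticate: exposed, not merely quiet.
            return "revoke", reasons
        if identity.credential_valid:
            # Quiet but still owned: escalate to owner revalidation, do not auto-revoke.
            return "review", reasons
        reasons.append("credential no longer valid: dormant but not exposed")
        return "review", reasons
    if stale_cred:
        return "rotate", reasons
    if unused:
        return "reduce", reasons
    return "keep", ["active, owned, within rotation policy, scope matches use"]


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample records (not real identities).
SAMPLE = [
    Identity("api-only-worker", "high", "prod", None, days_ago(2), days_ago(2),
             days_ago(30), True, True, {"queue:read"}, {"queue:read"}),
    Identity("orphaned-admin", "high", "prod", days_ago(60), None, None,
             days_ago(200), True, False, {"iam:*"}, set()),
    Identity("migration-helper", "low", "nonprod", days_ago(45), days_ago(45), None,
             days_ago(20), True, True, {"s3:GetObject", "s3:DeleteObject"}, {"s3:GetObject"}),
    Identity("nightly-batch", "low", "prod", days_ago(1), days_ago(1), days_ago(1),
             days_ago(120), True, True, {"db:read"}, {"db:read"}),
    Identity("quiet-but-owned", "high", "nonprod", days_ago(45), None, None,
             days_ago(10), True, True, {"deploy"}, {"deploy"}),
    Identity("retired-vendor", "low", "nonprod", days_ago(200), None, None,
             days_ago(400), False, False, {"api:ingest"}, set()),
]


def triage_all(identities=SAMPLE) -> Dict[str, str]:
    """Map identity name to recommended action for a batch of records."""
    return {i.name: triage(i)[0] for i in identities}


if __name__ == "__main__":
    for identity in SAMPLE:
        action, why = triage(identity)
        print(f"{identity.name:18} -> {action:7} ({'; '.join(why)})")
```

In a real deployment the `Identity` records would be assembled from vault audit logs, cloud IAM last-used data and SIEM authentication events, and the idle windows would come from the organisation's own risk tiers rather than the constants here. The reasons list is kept alongside the action so that a reviewer, or an IGA campaign, sees why an identity was flagged rather than only the outcome.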

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Activity data supports deciding when NHI credentials are stale or overexposed. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on monitoring access context and ongoing authentication state. |
| NIST AI RMF | GOVERN | Governance requires documented decision criteria for automated or assisted identity reviews. |

Continuously validate identity activity before approving access retention or cleanup actions.