Service accounts and machine identities matter because they often carry the permissions that move data, trigger reports, and feed AI workflows. If those identities are over-privileged or left out of review cycles, the organisation cannot prove that access is proportionate or necessary. Under NIS2, that creates both security exposure and audit weakness.
Why This Matters for Security Teams
Under NIS2, service account and machine identities are not background plumbing. They are operational identities that can move data, automate reporting, trigger downstream workflows, and connect to critical services. If they are not governed with the same discipline as human access, organisations lose the ability to show that access is proportionate, necessary, and controlled. The legal text of the NIS2 Directive – official EU legal text makes resilience and access control a board-level issue, not an afterthought.
This is especially important because NHI risk tends to stay hidden until an incident forces discovery. NHI Mgmt Group notes in the Ultimate Guide to NHIs – Regulatory and Audit Perspectives that only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot confidently answer who owns them, what they can do, or when they were last reviewed. In practice, many security teams discover the problem only after a machine identity has already been used to overreach its intended scope.
How It Works in Practice
The practical test under NIS2 is whether machine identities are governed as part of access control, lifecycle management, and audit readiness. That starts with inventory: organisations need to know where service accounts exist, what systems create them, which applications depend on them, and which privileges they carry. NHI Mgmt Group’s Ultimate Guide to NHIs – What are Non-Human Identities is a useful reference for separating identity classes and understanding why non-human access requires its own governance model.
From there, good practice is to tie each identity to a named business owner, a documented purpose, and a rotation or expiry process. For machine identities, that often means short-lived credentials, scoped tokens, secret storage in approved systems, and removal of dormant accounts. The goal is not just limiting privilege, but proving control evidence during an audit. Teams should also review access for automation paths that humans rarely inspect, such as CI/CD jobs, integrations, backup systems, and reporting pipelines.
- Maintain a complete inventory of service accounts, API keys, certificates, and workload tokens.
- Assign ownership and review cadence for each machine identity.
- Use least privilege, with privileges matched to the exact service function.
- Rotate or expire credentials on a defined schedule and after role changes.
- Log usage so that anomalous activity can be investigated quickly.
The 52 NHI Breaches Analysis shows that service accounts are not theoretical risk objects; they are common entry points when credentials are exposed or over-permissioned. These controls tend to break down when identities are created ad hoc for integrations and never folded into formal lifecycle management because ownership becomes unclear and review evidence is missing.
Common Variations and Edge Cases
Tighter control over machine identities often increases operational overhead, so organisations have to balance resilience against delivery speed. That tradeoff is real in environments with frequent deployments, legacy middleware, or vendor-managed integrations, where strict rotation and approval workflows can interrupt uptime if they are not designed carefully.
Current guidance suggests treating third-party and shared service accounts as higher risk, especially where the same credential is reused across multiple systems. This is where NIS2 expectations intersect with supply chain exposure, because a forgotten token or overly broad integration account can extend into multiple critical services. The Dropbox Sign breach and JetBrains GitHub plugin token exposure both illustrate how machine credentials can create far-reaching risk when they are leaked or insufficiently constrained.
There is no universal standard for every environment yet, but the direction is clear: keep machine identities discoverable, owned, scoped, and revocable. If a service account cannot be tied to a purpose and a responsible party, it is already a governance gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIS2 | Article 21 | Requires risk-management measures, access control, and resilience for critical digital services. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses credential rotation and lifecycle weaknesses in non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Access and identity management supports controlled authorization for machine identities. |
Inventory machine identities, enforce least privilege, and keep lifecycle evidence ready for audit.
Related resources from NHI Mgmt Group
- How should public-sector teams govern identities across employees, contractors, and service accounts?
- Why do service accounts and cloud identities complicate PAM governance?
- Why do non-human identities create more audit risk than human accounts?
- How should security teams govern non-human identities alongside human accounts?
