Start by reconciling HR, directory, cloud, application, and privileged-access sources into one operating view. Then validate ownership and purpose for each account, especially service accounts and elevated roles. A complete inventory is not a spreadsheet export. It is a continuously refreshed record of what exists, who or what owns it, and whether the access still has a business need.
Why This Matters for Security Teams
A complete identity inventory is the difference between having a trusted control plane and managing security by memory. When accounts, service principals, API keys, and privileged roles are spread across HR, cloud, application, and PAM sources, teams lose sight of what exists and who can still use it. NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which explains why inventories so often miss the most dangerous identities.
The practical issue is not counting objects. It is proving ownership, purpose, and current necessity. That matters because stale service accounts, forgotten OAuth grants, and elevated roles are exactly what attackers use after initial access. The NIST Cybersecurity Framework 2.0 treats asset and identity visibility as a foundational governance requirement, not an optional hygiene task. In practice, many security teams discover broken ownership only after a secrets leak, a cloud incident, or a third-party compromise has already exposed the gap.
How It Works in Practice
A usable identity inventory starts by joining records from systems that describe identity in different ways. HR is usually authoritative for humans, but not for service accounts, machine identities, workload identities, or delegated app access. Directory services, cloud IAM, application admin consoles, and PAM platforms each hold partial truth. The goal is to create one operating view that reconciles those sources without pretending any one of them is complete.
Current guidance suggests each inventory record should answer four questions: what the identity is, who or what owns it, what it can access, and why that access still exists. For human accounts, ownership may map to a manager and a cost centre. For non-human identities, ownership should point to an application, team, or system of record, along with a business purpose and expiry condition. NHI Management Group’s State of Non-Human Identity Security shows why this matters: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which means inventory gaps often hide in delegated access rather than in obvious admin accounts.
- Reconcile identities across HR, directory, cloud, app, and PAM sources.
- Normalize naming, ownership, and lifecycle fields so the same account is not counted twice.
- Classify identities by type, such as human, service account, API key, workload, or third-party OAuth grant.
- Attach purpose, last-used date, expiry, and revocation path to every record.
- Schedule continuous review so inventory reflects change, not just point-in-time exports.
Teams should also validate whether access is still business-justified, not merely whether the account exists. That means comparing inventory against application owners, deployment pipelines, and IAM policy sources, then flagging accounts with no assigned owner or no recent activity. The "What are Non-Human Identities" section is useful here because it distinguishes the identity classes that often get collapsed into one spreadsheet row. These controls tend to break down when teams rely on manual exports from fast-changing cloud and CI/CD environments because short-lived identities disappear before they are reviewed.
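The reconciliation steps above (join sources, normalise names, classify, attach owner and activity, then flag records with no owner or no recent activity) can be shown end to end on a small data set. The following is an added example and not code from the guidance or from any vendor: the HR, directory, cloud IAM and PAM exports are constructed sample data, and the field names, the `svc-` naming heuristic for classifying service accounts, and the 90-day inactivity threshold are assumptions chosen for illustration.

```python
"""Reconcile identity exports into one inventory view and flag what needs action.
Added example, not the guidance's own code; records, field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

TODAY = date(2024, 6, 1)           # fixed "now" so results are deterministic
STALE_AFTER = timedelta(days=90)   # assumed inactivity threshold
HR = [  # constructed: authoritative for humans, silent on NHIs
    {"email": "Ana.Ruiz@example.com", "manager": "E001", "status": "active"},
    {"email": "ben.li@example.com", "manager": "E001", "status": "terminated"},
]
DIRECTORY = [  # constructed: logins and last logon, humans and service accounts alike
    {"upn": "ana.ruiz@EXAMPLE.COM", "last_logon": "2024-05-28"},
    {"upn": "ben.li@example.com", "last_logon": "2024-01-10"},
    {"upn": "svc-backup@example.com", "last_logon": "2024-05-30"},
]
CLOUD_IAM = [  # constructed: workloads and OAuth grants the directory never sees
    {"principal": "svc-backup@example.com", "kind": "service_account",
     "owner_tag": "platform-team", "last_used": "2024-05-30"},
    {"principal": "ci-deployer", "kind": "workload", "owner_tag": "", "last_used": "2023-12-01"},
    {"principal": "oauth:vendor-crm", "kind": "oauth_grant", "owner_tag": "", "last_used": "2024-05-20"},
]
PAM = [  # constructed: which accounts hold elevated roles
    {"account": "svc-backup", "role": "domain-admin"},
    {"account": "ana.ruiz", "role": "cloud-admin"},
]

@dataclass
class IdentityRecord:
    """One row: what it is, who owns it, what it can reach, whether it is still used."""
    key: str
    kind: str = "unknown"
    sources: Set[str] = field(default_factory=set)
    owner: str = ""
    hr_status: str = ""
    privileged_roles: Set[str] = field(default_factory=set)
    last_activity: Optional[date] = None
    findings: List[str] = field(default_factory=list)

def normalise(name: str) -> str:
    """Case-fold and drop the domain so the same account is not counted twice."""
    return name.strip().lower().split("@")[0]

def note_activity(rec: IdentityRecord, iso_date: str) -> None:
    """Keep the most recent activity seen in any source."""
    seen = date.fromisoformat(iso_date)
    if rec.last_activity is None or seen > rec.last_activity:
        rec.last_activity = seen

def build_inventory(hr, directory, cloud, pam) -> Dict[str, IdentityRecord]:
    """Join the exports into one view keyed by normalised identity name."""
    inv: Dict[str, IdentityRecord] = {}
    get = lambda name: inv.setdefault(normalise(name), IdentityRecord(normalise(name)))
    for h in hr:
        r = get(h["email"])
        r.kind, r.hr_status, r.owner = "human", h["status"], "manager:" + h["manager"]
        r.sources.add("hr")
    for d in directory:
        r = get(d["upn"])
        r.sources.add("directory")
        note_activity(r, d["last_logon"])
        if r.kind == "unknown" and r.key.startswith("svc-"):
            r.kind = "service_account"  # assumed naming convention, not a guarantee
    for c in cloud:
        r = get(c["principal"])
        r.sources.add("cloud")
        r.kind = c["kind"] if r.kind == "unknown" else r.kind
        r.owner = r.owner or c["owner_tag"]
        note_activity(r, c["last_used"])
    for p in pam:
        r = get(p["account"])
        r.sources.add("pam")
        r.privileged_roles.add(p["role"])
    return inv

def validate(inv: Dict[str, IdentityRecord], today: date = TODAY) -> Dict[str, IdentityRecord]:
    """Flag records whose presence is not backed by an owner or recent activity."""
    for r in inv.values():
        r.findings = []
        if not r.owner:
            r.findings.append("no_owner")
        if r.last_activity is None or today - r.last_activity > STALE_AFTER:
            r.findings.append("stale")
        if r.hr_status == "terminated":
            r.findings.append("terminated_but_present")
    return inv

def action_for(r: IdentityRecord) -> str:
    """A record is only complete if it supports an action."""
    if "terminated_but_present" in r.findings:
        return "revoke"
    if "no_owner" in r.findings:
        return "reassign"
    return "review" if "stale" in r.findings else "keep"

if __name__ == "__main__":
    for r in validate(build_inventory(HR, DIRECTORY, CLOUD_IAM, PAM)).values():
        print(f"{r.key:18}{r.kind:16}owner={r.owner or '-':20}{r.findings} -> {action_for(r)}")
```

Two points the output makes that the prose only states: normalisation collapses the three spellings of the same human login and the two of the service account into single rows, so the five-row inventory is not inflated by duplicates, and the identities that come back flagged are the ones HR never knew about (the unowned workload identity and the unowned OAuth grant) plus the terminated user whose directory login still exists. In a real pipeline the four constructed lists would be replaced by connector output, and the activity dates would come from sign-in and key-usage telemetry rather than static export fields.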
Common Variations and Edge Cases
Tighter inventory control often increases operational overhead, requiring organisations to balance completeness against the cost of continuous reconciliation. That tradeoff is especially sharp for ephemeral workloads, federated apps, and third-party integrations, where identity objects may be created and destroyed faster than periodic reviews can capture them.
Best practice is evolving for dynamic environments. There is no universal standard for how often to refresh an inventory, but current guidance suggests moving away from quarterly spreadsheets toward event-driven updates from identity, cloud, and secrets platforms. That becomes more important when service accounts are embedded in automation or when OAuth grants are issued outside central IAM. The Top 10 NHI Issues research highlights why ownership and rotation failures tend to cluster together rather than appear in isolation.
Edge cases also include shared accounts, orphaned admin roles, and identities created by external vendors. In those situations, inventory quality depends on forcing a named owner and a clear retirement trigger, even if the account is technically still active. A record is not complete unless it supports action: review, rotate, revoke, or reassign. Anything less is just an index of unknown risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity inventory is the first step in finding unmanaged NHIs. |
| NIST CSF 2.0 | ID.AM-1 | Asset management requires knowing what identities exist and where. |
| NIST AI RMF | GOVERN | AI governance needs identity accountability for agents and automation. |
Build a complete NHI register, then tag ownership, purpose, and lifecycle for every identity.