
Enrollment Rights

Enrollment rights are the permissions that determine who can request a certificate from a template. They are a governance control, not just a technical setting, because overly broad rights can let ordinary users obtain credentials that were never meant to support privileged access.

Expanded Definition

Enrollment rights are the governance permissions that decide which users, groups, or service principals can request a certificate from a given template. In practice, they sit at the boundary between identity policy and credential issuance, because the right to enroll often determines who can create a trusted certificate-backed identity in the first place. That makes enrollment rights materially different from simple template visibility or administrative control.

In NHI security, the key question is not whether a template exists, but whether its enrollment scope matches the intended trust model. Broad enrollment rights can convert a routine certificate template into an identity factory for low-trust accounts, shared operators, or even attackers who have obtained a single foothold. Guidance varies across vendors on how much of this should be handled in PKI policy versus directory governance, but the operational principle is consistent: constrain issuance to the smallest set of subjects that truly need it. The most common misapplication is treating enrollment rights as a convenience setting, which occurs when administrators grant access to broad groups without reviewing what downstream authentication the certificate enables.

Examples and Use Cases

Implementing enrollment rights rigorously often introduces administrative friction, requiring organisations to weigh fast certificate issuance against tighter control over who can mint trusted credentials.

  • Restricting a VPN certificate template so only a managed device group can enroll, instead of all domain users.
  • Limiting administrator certificate templates to a small privileged access group, rather than inheriting them from a broad IT support role.
  • Allowing an automation account to enroll only for a narrowly scoped service certificate, aligned to its exact workload.
  • Reviewing template permissions after lessons learned from breaches such as the Moltbook AI agent keys breach, where overbroad credential access amplified blast radius.
  • Mapping certificate enrollment decisions to identity assurance guidance in NIST AI Risk Management Framework-style governance, where trust is explicit, reviewable, and bounded.
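The review described in the list above can be made repeatable. The following Python audit is an added example, not code from the article or the journal: it takes a set of certificate-template permission records and flags templates where broad principals can enroll, scoring a finding higher when the template issues authentication-capable certificates and noting higher-trust templates that issue without manager approval. The template names, principal names and record layout are constructed for the example (they are not a vendor export format); the Enroll and AutoEnroll extended-right GUIDs are the standard Windows values.

```python
"""Audit certificate-template enrollment rights against an intended trust model.

Added example (not from the original article). The Template/Ace records are a
constructed stand-in for an export of template security descriptors; the field
names are assumptions, not a vendor schema.
"""
from dataclasses import dataclass

# Extended-right GUIDs Windows uses for the Enroll and AutoEnroll permissions.
ENROLL_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL_RIGHT = "a05b8cc2-17bc-11d2-91a1-00c04f79dc55"

# Principals that effectively mean "anyone with a domain account or machine".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}

# EKUs that make an issued certificate usable as an authentication credential.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset          # e.g. {"ReadProperty", "ExtendedRight"} or {"GenericAll"}
    object_type: str = ""      # extended-right GUID; "" means all extended rights
    allow: bool = True         # False models an explicit Deny ACE


@dataclass(frozen=True)
class Template:
    name: str
    ekus: tuple
    requires_manager_approval: bool
    aces: tuple


def grants_enrollment(ace):
    """True if this ACE lets the principal request certificates from the template.

    GenericAll implies every extended right, so it counts as enrollment; DACL or
    ownership rights (which let a principal grant themselves enrollment later)
    deserve the same review but are kept out of this example for clarity.
    """
    if not ace.allow:
        return False
    if "GenericAll" in ace.rights:
        return True
    return "ExtendedRight" in ace.rights and ace.object_type in (ENROLL_RIGHT, AUTOENROLL_RIGHT, "")


def enrollers(template):
    """Set of principals that can enroll from the template."""
    return {a.principal for a in template.aces if grants_enrollment(a)}


def audit_template(template):
    """Return (severity, message) findings; an empty list means the template matches policy."""
    findings = []
    broad = sorted(enrollers(template) & BROAD_PRINCIPALS)
    auth_uses = [AUTH_EKUS[e] for e in template.ekus if e in AUTH_EKUS]
    if broad and auth_uses:
        findings.append(("high", f"{template.name}: {', '.join(broad)} can enroll for a certificate usable for {', '.join(auth_uses)}"))
    elif broad:
        findings.append(("medium", f"{template.name}: {', '.join(broad)} can enroll; certificate is not an authentication credential"))
    if auth_uses and not template.requires_manager_approval:
        findings.append(("low", f"{template.name}: authentication template issues without CA manager approval"))
    return findings


def audit(templates):
    """Map each template name to its findings."""
    return {t.name: audit_template(t) for t in templates}


# Constructed sample: four templates with deliberately different enrollment scopes.
SAMPLE_TEMPLATES = (
    Template("VPN-User", ("1.3.6.1.5.5.7.3.2",), False, (
        Ace("Domain Users", frozenset({"ReadProperty", "ExtendedRight"}), ENROLL_RIGHT),
        Ace("Enterprise Admins", frozenset({"GenericAll"})),
    )),
    Template("VPN-Device", ("1.3.6.1.5.5.7.3.2",), False, (
        Ace("Managed VPN Devices", frozenset({"ReadProperty", "ExtendedRight"}), AUTOENROLL_RIGHT),
        Ace("Enterprise Admins", frozenset({"GenericAll"})),
    )),
    Template("WebServer", ("1.3.6.1.5.5.7.3.1",), False, (
        Ace("Domain Computers", frozenset({"ReadProperty", "ExtendedRight"}), ENROLL_RIGHT),
    )),
    Template("PrivilegedAdmin", ("1.3.6.1.4.1.311.20.2.2",), True, (
        Ace("PAW Admins", frozenset({"GenericAll"})),
        Ace("IT Support", frozenset({"ReadProperty"})),                              # can read, cannot enroll
        Ace("Domain Users", frozenset({"ExtendedRight"}), ENROLL_RIGHT, allow=False),  # explicit deny
    )),
)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        for severity, message in findings or [("ok", f"{name}: enrollment scope matches policy")]:
            print(f"[{severity}] {message}")
```

Run as a script it prints one line per finding; the VPN-User template is the case the article warns about (all domain users can mint a client-authentication credential), while the device-scoped and approval-gated templates pass. Feeding it real data means replacing SAMPLE_TEMPLATES with records built from your own template export.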

Teams often also use OWASP NHI Top 10 and OWASP Agentic AI Top 10 thinking to separate ordinary operational access from identity creation authority, especially where certificates underpin service execution or agent authentication.

Why It Matters in NHI Security

Enrollment rights matter because they determine whether certificate issuance remains a controlled security event or becomes a reusable path to trust escalation. If an ordinary user can enroll in a template intended for privileged or machine authentication, the certificate can become a durable NHI with access far beyond the original account. That is how a small directory mistake turns into lateral movement, persistence, or impersonation.

This risk is no longer theoretical. In its AI Agents: The New Attack Surface report, SailPoint found that 80% of organisations report AI agents already performed actions beyond intended scope, while only 44% have any governing policies in place. The same governance gap appears in certificate enrollment when issuance permissions are left broad, undocumented, or unreviewed. Frameworks such as the NIST AI 600-1 Generative AI Profile and the CSA MAESTRO agentic AI threat modeling framework reinforce the same control logic: authority to request a trust artifact must be deliberate, bounded, and auditable. Organisations typically encounter the consequence only after a certificate has been abused for access, at which point addressing enrollment rights becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-02                Enrollment rights govern who may mint NHI credentials from templates.
NIST SP 800-63                     IA-5                  Credential issuance and lifecycle controls depend on tightly governed enrollment paths.
NIST CSF 2.0                       PR.AC-1               Access permissions must be authorized and managed for identity issuance systems.

Treat enrollment as an issuance control and require approvals for higher-trust certificates.