
How should security teams govern unmanaged identities that sit outside IAM and MDM coverage?

Start by inventorying the identities that never enter the normal joiner, mover, leaver process, including service accounts, API keys, tokens, and agent credentials. Then assign ownership, review cadence, and revocation triggers so the access can be governed even when it is not centrally provisioned. The goal is to make unmanaged access visible enough to control.

Why This Matters for Security Teams

Unmanaged identities are the access paths that slip past normal IAM and MDM controls, yet they often carry the most operational power. Service accounts, API keys, OAuth grants, tokens, and agent credentials can persist long after their ownership has become unclear. NHI Management Group research highlights how weak visibility remains a live problem: the State of Non-Human Identity Security report found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.

This matters because unmanaged access is rarely malicious at the point of creation. It becomes dangerous when no team owns rotation, revocation, logging, or review. The practical question is not whether these identities exist, but whether they can be found, assigned an owner, and removed before they outlive the system that created them. Current guidance suggests treating them as first-class security assets rather than exceptions. In practice, many security teams discover the exposure only after a token leak, vendor change, or service outage has already turned an obscure credential into an incident.

How It Works in Practice

Governance starts with discovery, then moves to control mapping. Security teams should build an inventory of unmanaged identities from cloud consoles, source control, CI/CD pipelines, SaaS admin panels, secrets stores, and endpoint tooling. NHI Management Group recommends a lifecycle approach in the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, both of which emphasize ownership, review, and revocation as lifecycle controls rather than one-time provisioning tasks.

Operationally, the controls usually include:

  • Assigning a named owner for every unmanaged identity, even if it was created outside IAM.
  • Setting a review cadence based on risk, usage frequency, and blast radius.
  • Defining revocation triggers such as inactivity, staff departure, vendor offboarding, or application decommissioning.
  • Replacing static secrets where possible with short-lived, scoped credentials and automated rotation.
  • Logging use events so teams can see which identities still matter and which are stale.

Where possible, teams should align this with the NIST Cybersecurity Framework 2.0 to formalize inventory, governance, and continuous monitoring. The practical test is simple: if an identity cannot be assigned, reviewed, and revoked, it is already outside governance. These controls tend to break down in highly distributed environments where secrets are embedded in legacy scripts, unmanaged SaaS tenants, or third-party integrations that no single team truly owns.

Common Variations and Edge Cases

Tighter governance often increases operational overhead, so organisations have to balance control depth against delivery speed. That tradeoff is especially visible with legacy workloads, embedded device credentials, and partner-managed integrations where immediate replacement is unrealistic. Best practice is evolving, and there is no universal standard for this yet, but risk-based prioritisation remains the most defensible path.

Some identities should be treated differently. Long-lived machine accounts tied to critical workloads may need compensating controls if short-lived credentials are not technically feasible. Third-party OAuth grants may require vendor attestation, while ephemeral agent credentials may demand stronger runtime monitoring rather than traditional quarterly review. The Top 10 NHI Issues page is useful for understanding where governance failures commonly cluster, especially around stale credentials, over-privilege, and missing ownership.

For teams managing secrets at scale, the biggest edge case is not lack of policy but lack of reliable inventory. If the organisation cannot distinguish active credentials from abandoned ones, governance becomes reactive. The most durable program combines inventory, ownership, expiry, and detection, then uses those signals to retire unmanaged access before it becomes invisible.
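The lifecycle controls above (ownership, risk-based review cadence, revocation triggers, usage logging, the assign/review/revoke test) and the edge cases in this section (static secrets that cannot be rotated, OAuth grants that need vendor attestation, agent credentials that need runtime monitoring) are easiest to see as one reconciliation pass over an inventory. The script below is an added example, not NHI Management Group code: it joins a constructed inventory with a constructed usage log and produces, per identity, whether it is outside governance, whether its review is overdue, which revocation triggers have fired, and which compensating control the edge cases call for. The risk tiers, cadence values, 90-day inactivity window, identifiers and records are all assumptions chosen for illustration.

```python
"""Added example: governance pass over an inventory of unmanaged non-human
identities. All thresholds, identifiers and records are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy: review cadence by risk tier, and the inactivity window
# after which a credential is presumed abandoned (assumption, tune per environment).
REVIEW_CADENCE_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}
INACTIVITY_DAYS = 90

@dataclass
class NHI:
    id: str
    kind: str                     # service_account | api_key | oauth_grant | agent_token
    owner: Optional[str]          # None: nobody can be asked about it
    risk: str                     # key into REVIEW_CADENCE_DAYS
    created: date
    last_reviewed: Optional[date]
    revocable: bool               # False: e.g. a secret baked into a device image
    rotatable: bool               # False: short-lived replacement not feasible today
    vendor: Optional[str] = None  # third party behind an OAuth grant or integration
    app_decommissioned: bool = False

def last_use(nhi_id: str, usage_log) -> Optional[date]:
    """Most recent use of an identity from (id, date) events; None if never seen."""
    dates = [d for i, d in usage_log if i == nhi_id]
    return max(dates) if dates else None

def review_overdue(nhi: NHI, today: date) -> bool:
    """Cadence is driven by risk; an identity never reviewed is measured from creation."""
    anchor = nhi.last_reviewed or nhi.created
    return today - anchor > timedelta(days=REVIEW_CADENCE_DAYS[nhi.risk])

def revocation_triggers(nhi, today, usage_log, departed_staff, offboarded_vendors):
    """The four triggers named in the text, evaluated against inventory and usage log."""
    fired = []
    seen = last_use(nhi.id, usage_log)
    if seen is None or (today - seen).days > INACTIVITY_DAYS:
        fired.append("inactive")
    if nhi.owner in departed_staff:
        fired.append("owner_departed")
    if nhi.vendor in offboarded_vendors:
        fired.append("vendor_offboarded")
    if nhi.app_decommissioned:
        fired.append("app_decommissioned")
    return fired

def compensating_controls(nhi: NHI):
    """Edge cases: what to add when rotation and periodic review are not enough."""
    needs = []
    if nhi.kind == "oauth_grant":
        needs.append("vendor_attestation")
    if nhi.kind == "agent_token":
        needs.append("runtime_monitoring")
    if not nhi.rotatable and nhi.risk in ("high", "critical"):
        needs.append("compensating_controls_for_static_secret")
    return needs

def assess(nhi, today, usage_log, departed_staff, offboarded_vendors):
    """If it cannot be assigned, reviewed and revoked, it is already outside governance."""
    return {
        "ungoverned": nhi.owner is None or not nhi.revocable,
        "review_overdue": review_overdue(nhi, today),
        "revoke": revocation_triggers(nhi, today, usage_log, departed_staff, offboarded_vendors),
        "compensate": compensating_controls(nhi),
    }

# Constructed sample data (not from any real environment).
INVENTORY = [
    NHI("svc-billing-db", "service_account", "alice", "critical",
        date(2023, 1, 10), date(2024, 1, 15), revocable=True, rotatable=False),
    NHI("key-legacy-etl", "api_key", "bob", "high",
        date(2022, 3, 1), None, revocable=True, rotatable=True),
    NHI("oauth-vendor-x", "oauth_grant", "carol", "medium",
        date(2024, 3, 1), date(2024, 3, 1), revocable=True, rotatable=True, vendor="vendor-x"),
    NHI("agent-ci-runner", "agent_token", "dave", "high",
        date(2024, 5, 20), date(2024, 5, 20), revocable=True, rotatable=True),
    NHI("dev-fw-image-cred", "api_key", None, "high",
        date(2021, 6, 1), None, revocable=False, rotatable=False, app_decommissioned=True),
]
USAGE_LOG = [  # (identity id, date of an observed use event)
    ("svc-billing-db", date(2024, 6, 1)),
    ("key-legacy-etl", date(2024, 1, 20)),
    ("oauth-vendor-x", date(2024, 6, 5)),
    ("agent-ci-runner", date(2024, 6, 9)),
]
DEPARTED_STAFF = {"bob"}           # from the leaver feed (assumed)
OFFBOARDED_VENDORS = {"vendor-x"}  # from vendor management (assumed)

def run_report(today: date = date(2024, 6, 10)) -> dict:
    """Assessment keyed by identity id, ready to feed a ticketing or revocation workflow."""
    return {n.id: assess(n, today, USAGE_LOG, DEPARTED_STAFF, OFFBOARDED_VENDORS)
            for n in INVENTORY}

if __name__ == "__main__":
    for nhi_id, result in run_report().items():
        print(nhi_id, result)
```

With the sample data, `run_report()` flags the ownerless, non-revocable firmware credential as ungoverned, fires both the inactivity and staff-departure triggers on the legacy ETL key, fires the vendor-offboarding trigger on the OAuth grant while asking for vendor attestation, and marks the critical billing account as overdue for review and in need of compensating controls because it cannot be rotated. The design choice worth copying is that every verdict is derived from joined data sources (inventory, usage log, leaver feed, vendor list) rather than from a field someone has to remember to update.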

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged identities need discovery and inventory before they can be governed.
NIST CSF 2.0 | ID.AM-01 | Asset inventory is the foundation for controlling identities outside IAM and MDM. Note that ID.AM-01 covers hardware inventory; for the identities themselves, ID.AM-02 (inventories of software, services, and systems) and PR.AA-01 (identities and credentials for authorized users, services, and hardware are managed by the organization) are the closer fits.
CSA MAESTRO | MAESTRO | Addresses governance for agentic and machine identities with runtime control.

Apply identity ownership, policy enforcement, and monitoring to all autonomous and machine-driven access.