
Identity Source of Record

An identity source of record is the system that should define and reconcile the organisation’s view of access. For shadow access, the challenge is that the source of record often excludes in-app grants, so the real entitlement state diverges from governance data.

Expanded Definition

An identity source of record is the authoritative system that defines which identities exist and what access state should be recognised across governance, provisioning, and review workflows. In practice, that authority may sit in an HR system for workforce identities, a directory for legacy access, or an IAM platform for broader reconciliation, but no single standard governs this yet for NHIs.

For Non-Human Identity programs, the term becomes more complicated because the source of record often captures only a subset of reality. Application-level grants, embedded API keys, service account entitlements, and CI/CD-issued tokens can exist outside the system that governance teams treat as authoritative. That gap is why NHI management must align the source of record with continuous discovery and entitlement reconciliation, not just with onboarding records. The NIST Cybersecurity Framework 2.0 reinforces the need for reliable identity governance, but it does not by itself resolve source-of-record ambiguity for machine access.

Definitions vary across vendors, especially when one platform claims to be the source of record while another system actually controls live access. The most common misapplication is treating an HR or directory record as complete truth for NHI access, which occurs when in-app entitlements and service credentials are never reconciled back into governance data.

Examples and Use Cases

Implementing a source of record rigorously often introduces reconciliation overhead, requiring organisations to weigh governance clarity against the cost of continuous synchronisation across identity, application, and secret-management systems.

  • A workforce IAM platform is used as the source of record for employees, while a separate discovery feed captures service accounts and API keys that would otherwise remain invisible.
  • A cloud application grants local access to a service principal; that grant is later reconciled against the authoritative record so access reviews reflect the real entitlement state.
  • Security teams compare lifecycle data from the Ultimate Guide to NHIs with live application permissions to find accounts that were never onboarded into governance.
  • An engineering group treats a secrets manager as the source of record for machine credentials, but only after confirming that repository-scanned secrets and pipeline tokens are also inventoried.
  • During a post-incident review, analysts map discovered shadow access back to the 52 NHI Breaches Analysis and compare the result with NIST guidance on identity governance and access control.
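The reconciliation the second use case describes, shown as an added example (not code from the Journal or any vendor platform): a governance view of access is compared with a discovery feed of live grants, and every observed grant is classified as shadow (identity unknown to the source of record), stale (decommissioned in the record but still live) or drift (a known identity holding an unrecorded entitlement). Both data sets are constructed sample data, and the field names are assumptions.

```python
"""Reconcile an identity source of record (SoR) against a live discovery feed.

Added example; the SoR, discovery feed and field names are constructed
assumptions, not the format of any real IAM or discovery product.
"""
from dataclasses import dataclass, field

# Constructed sample: what governance believes (the source of record).
SOURCE_OF_RECORD = {
    "svc-billing": {"status": "active", "grants": {"billing-db:read"}},
    "svc-etl": {"status": "decommissioned", "grants": set()},
    "ci-deployer": {"status": "active", "grants": {"k8s:deploy"}},
}

# Constructed sample: what discovery actually observed in apps, cloud and CI.
DISCOVERY_FEED = [
    {"identity": "svc-billing", "grant": "billing-db:read"},
    {"identity": "svc-billing", "grant": "billing-db:admin"},
    {"identity": "svc-etl", "grant": "warehouse:write"},
    {"identity": "ci-deployer", "grant": "k8s:deploy"},
    {"identity": "apikey-7f3", "grant": "crm:export"},
]


@dataclass
class ReconciliationReport:
    shadow: dict = field(default_factory=dict)  # identity unknown to the SoR
    stale: dict = field(default_factory=dict)   # decommissioned in SoR, still live
    drift: dict = field(default_factory=dict)   # known identity, unrecorded grant


def reconcile(sor, feed):
    """Classify every observed grant against the SoR's view of access."""
    report = ReconciliationReport()
    for obs in feed:
        ident, grant = obs["identity"], obs["grant"]
        record = sor.get(ident)
        if record is None:
            report.shadow.setdefault(ident, set()).add(grant)
        elif record["status"] != "active":
            report.stale.setdefault(ident, set()).add(grant)
        elif grant not in record["grants"]:
            report.drift.setdefault(ident, set()).add(grant)
    return report


if __name__ == "__main__":
    r = reconcile(SOURCE_OF_RECORD, DISCOVERY_FEED)
    for label, bucket in (("shadow", r.shadow), ("stale", r.stale), ("drift", r.drift)):
        for ident, grants in sorted(bucket.items()):
            print(f"{label:6} {ident:12} {', '.join(sorted(grants))}")
```

Grants that match the record produce no finding; in a real programme each bucket would feed a different workflow (onboarding, revocation, or an access-review exception).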

Why It Matters in NHI Security

When the source of record is incomplete, governance reports become misleading, access reviews miss hidden entitlements, and offboarding fails to remove active machine access. That is especially dangerous for NHIs because credentials can be copied into code, pipelines, or third-party tools faster than manual processes can reconcile them. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes the quality of the source of record a core security control rather than an administrative detail.

This is where the risk compounds: once a shadow API key or unmanaged service account is exposed, the organisation may still believe the identity was decommissioned because the source record says so. The Top 10 NHI Issues and the Ultimate Guide to NHIs both emphasise that visibility and lifecycle control must extend beyond the nominal system of record. Organisations typically encounter the failure only after an incident review shows that access was never removed, at which point fixing the source of record becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers discovery and inventory gaps that make the source of record incomplete. |
| NIST CSF 2.0 | PR.AC-1 | Addresses identity and access management foundations, including authoritative access data. |
| NIST Zero Trust (SP 800-207) | Zero Trust | Depends on accurate identity context and ongoing verification of access state. |

Maintain a trusted identity source and reconcile access changes across connected systems.