How should security teams uncover unmanaged identities across cloud and on-premises environments?

Security teams should use continuous identity discovery across cloud, on-premises, and hybrid environments, then reconcile each finding against an authoritative owner, purpose, and lifecycle state. The goal is not just visibility. It is to identify orphaned access, unknown service accounts, and untracked AI agents before they become standing risk.

Why This Matters for Security Teams

Unmanaged identities are often the hidden layer behind cloud compromise, on-premises privilege drift, and lateral movement. The practical problem is not a lack of inventory tools, but a lack of continuous reconciliation between what exists and what is actually owned, used, and still needed. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs treats lifecycle control as the baseline, because discovery without ownership is only partial visibility.

That matters more now because identity sprawl spans service accounts, API keys, workload identities, vendor-connected OAuth apps, certificates, and untracked AI agents. The NIST Cybersecurity Framework 2.0 reinforces that visibility and governance are continuous functions, not one-time audits. In practice, teams usually discover unmanaged identities only after an incident, a failed rotation, or a suspicious access review, rather than through intentional control design.

How It Works in Practice

Effective identity discovery starts by collecting identity data from every control plane, then reconciling it to an authoritative record of owner, purpose, environment, and lifecycle state. That means cloud IAM, on-prem directory services, secrets managers, CI/CD systems, SaaS connectors, and workload runtimes all need to feed the same inventory process. The output should not be a flat list of accounts. It should be a decision set: known and owned, known but stale, or unknown and immediately risky.

In mature programs, security teams combine passive discovery with active validation. Passive discovery finds accounts, keys, roles, certificates, and machine principals. Active validation checks whether the identity is still used, whether its permissions match its purpose, and whether rotation or revocation is overdue. This is where lifecycle guidance from the NHI Lifecycle Management Guide becomes operational: every identity needs a creation event, an owner, a business reason, a review cadence, and a decommission path.

  • Scan cloud IAM, directories, endpoint stores, and secrets repositories on a recurring schedule.
  • Match each identity to an owner and a system of record.
  • Flag identities with no recent use, no documented purpose, or excessive privilege.
  • Correlate findings with logging and access telemetry to confirm whether an identity is truly dormant.
  • Escalate unknown identities immediately, especially when they can access production, keys, or admin APIs.
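The reconciliation and active-validation steps above, as an added Python example that is not code from the page or from NHI Management Group: it joins constructed findings from three control planes against an owner register and access telemetry and emits the known-owned / known-stale / unknown decision set, ordering first whatever can reach production, keys or admin APIs. The identity names, the 90-day review cadence, the privilege sets and the evaluation date are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)                 # review cadence assumed for this example
SENSITIVE_REACH = {"prod", "keys", "admin-api"}  # reach that makes a finding escalate
EXCESSIVE = {"domain-admin", "*"}                # privileges treated as excessive here
AS_OF = datetime(2024, 6, 3, tzinfo=timezone.utc)  # evaluation time for the constructed sample
# Constructed sample data: passive-discovery findings from three control planes,
# the owner register they are reconciled against, and last-use times from access logs.
DISCOVERED = [
    {"id": "svc-billing-etl", "source": "aws-iam", "privileges": ["s3:GetObject"], "reach": ["prod"]},
    {"id": "svc-legacy-backup", "source": "ad", "privileges": ["domain-admin"], "reach": ["prod"]},
    {"id": "ci-deploy-token", "source": "ci", "privileges": ["deploy"], "reach": ["prod", "admin-api"]},
    {"id": "agent-support-bot", "source": "aws-iam", "privileges": ["kms:Decrypt"], "reach": ["keys"]},
]
REGISTER = {  # the owner may be a team rather than a person; purpose must be documented
    "svc-billing-etl": {"owner": "team-finance-data", "purpose": "nightly billing ETL"},
    "svc-legacy-backup": {"owner": "it-ops", "purpose": "tape backup job"},
    "ci-deploy-token": {"owner": "platform-eng", "purpose": ""},
}
TELEMETRY = {  # last authenticated use per identity, correlated from logging
    "svc-billing-etl": "2024-06-01T02:10:00+00:00",
    "svc-legacy-backup": "2023-11-02T03:00:00+00:00",
    "ci-deploy-token": "2024-06-02T08:45:00+00:00",
}

def classify(finding, register, telemetry, now):
    # Active validation: one discovered identity becomes one decision-set row.
    record = register.get(finding["id"])
    last = telemetry.get(finding["id"])
    flags = []
    if last is None or now - datetime.fromisoformat(last) > STALE_AFTER:
        flags.append("no recent use")          # dormant according to telemetry, not inventory
    if record is not None and not record["purpose"]:
        flags.append("no documented purpose")
    if set(finding["privileges"]) & EXCESSIVE:
        flags.append("excessive privilege")
    sensitive = bool(set(finding["reach"]) & SENSITIVE_REACH)
    if record is None:                          # no owner or system of record at all
        state, priority = "unknown", "immediate" if sensitive else "high"
    elif flags:                                 # owned, but overdue for review or cleanup
        state, priority = "known-stale", "high" if sensitive else "review"
    else:
        state, priority = "known-owned", "none"
    return {"id": finding["id"], "source": finding["source"], "state": state,
            "owner": record["owner"] if record else None, "flags": flags, "priority": priority}

def build_decision_set(discovered, register, telemetry, now=AS_OF):
    # Reconcile every finding and order the output so escalations come first.
    order = {"immediate": 0, "high": 1, "review": 2, "none": 3}
    rows = [classify(f, register, telemetry, now) for f in discovered]
    return sorted(rows, key=lambda r: order[r["priority"]])
```

Feeding real exports into the same shape (one dict per finding, an owner register, and a last-use map from the log pipeline) gives a triage queue rather than a flat account list.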

For cloud-heavy environments, identity discovery also needs to cover vendor and application sprawl. The Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks both reflect the same operational reality: unmanaged access often hides in integrations, not just in obvious admin accounts.

According to The 2024 Non-Human Identity Security Report, 35.6% of organisations cite consistent access across hybrid and multi-cloud environments as their top NHI security challenge, which is why discovery must span both on-prem and cloud rather than treating them as separate programs. These controls tend to break down when identity ownership is distributed across teams and environments because no single system has the full lifecycle record.

Common Variations and Edge Cases

Tighter discovery and reconciliation often increase operational overhead, so organisations must balance completeness against the cost of false positives and manual triage. Current guidance suggests prioritising identities that can reach sensitive data, production workloads, or administrative control planes first, then expanding coverage outward. That order reduces noise while still targeting the identities most likely to become standing risk.

Hybrid estates introduce edge cases that simple scanners miss. Legacy on-prem service accounts may be embedded in scheduled jobs, while cloud-native workloads may use ephemeral credentials that appear and disappear quickly. Shared service identities, third-party OAuth grants, and machine accounts inside CI/CD pipelines often need special handling because their “owner” may be a team, system, or vendor rather than a person. In those cases, the question is not whether an identity exists, but whether there is a documented business function and a reviewable control owner.

Guidance is still evolving for AI agents and autonomous workloads. Best practice is to classify them as first-class non-human identities with a lifecycle, even when their access is generated dynamically. The State of Non-Human Identity Security shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which underscores how often unknown identities are discovered only after access has already been abused. A good program does not wait for certainty before taking action.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged identities are a discovery and inventory failure. |
| NIST CSF 2.0 | ID.AM-1 | Asset and identity inventory is central to finding unknown accounts. |
| CSA MAESTRO | IAV-01 | Agent and workload governance requires visibility into identity state. |

Continuously inventory all non-human identities and flag anything without an owner or purpose.