Put non-human identities into the same certification discipline as human access, but weight the review around ownership, use, and privilege scope. A service account without a clear business owner or recent usage signal should be treated as a governance exception, not as routine access.
Why This Matters for Security Teams
access review for service accounts is not a paperwork exercise. It is the control point that separates an owned, necessary workload identity from an abandoned credential that still has reach. NHI sprawl creates quiet risk because service accounts often outlive the application, the team, or the original approval. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges, which makes review quality as important as review cadence.
This is why IAM teams should certify NHIs with more rigor than a simple yes or no recertification. The reviewer has to know who owns the identity, what workload uses it, whether the privilege scope still matches the job, and whether the account has recent, legitimate activity. Current guidance in the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both point toward continuous governance rather than static entitlement approval. In practice, many security teams discover NHI drift only after a legacy job or integration has already become an attack path.
How It Works in Practice
A usable NHI access review starts with inventory, because you cannot certify what you cannot enumerate. Pull service accounts, API keys, workload identities, certificates, and other secrets into a single review queue, then enrich each item with owner, application, environment, last use, scope, and upstream dependency data. That lets reviewers judge whether the identity is active, dormant, orphaned, or overprivileged.
The review question should be operational, not generic: does this identity still support a live business function, and does it need this level of access to do it? A good workflow usually includes:
- Named business and technical owners for every NHI.
- Recent usage signals, including last authentication, token issuance, or job execution.
- Privilege comparison against the current workload requirement, not the original ticket.
- Evidence of rotation, expiry, or JIT issuance where the platform supports it.
- Escalation rules for orphaned, idle, or high-risk identities.
For governance depth, use the lifecycle view in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs alongside the broader Ultimate Guide to NHIs. This framing aligns well with zero trust because the review is not about trusting the account by default, it is about verifying that the account still has a defensible reason to exist. These controls tend to break down in environments with shared service accounts and weak telemetry, because ownership and usage cannot be tied back to a specific workload or team.
Common Variations and Edge Cases
Tighter review criteria often increases operational overhead, requiring organisations to balance security assurance against service stability and release velocity. That tradeoff is real, especially where legacy platforms, vendor-managed integrations, or embedded credentials cannot easily support modern ownership metadata or usage telemetry.
There is no universal standard for every exception path, but current guidance suggests treating these cases as risk-managed waivers, not silent approvals. A shared account used by multiple systems may need compensating controls such as stronger logging, shorter credential TTLs, and explicit service ownership. A dormant account might be retained for disaster recovery, but it should have a documented reactivation trigger and a review date. A third-party integration may need contract-backed ownership and tighter scope than an internal workload.
For deeper breach context, the 52 NHI Breaches Analysis and the Top 10 NHI Issues show how quickly unmanaged service identities become persistence or privilege-escalation paths. Where teams cannot prove ownership, recent use, or bounded scope, the review outcome should be to reduce, rotate, or retire the identity rather than simply certify it again.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses NHI review, ownership, and lifecycle hygiene. |
| NIST CSF 2.0 | PR.AC-4 | Supports least-privilege review and identity access governance. |
| NIST AI RMF | GOVERN | Governance is needed when autonomous agents or AI-driven workloads use NHIs. |
Tie each service account to an owner, prove current use, and revoke or reduce access when any of those signals are missing.
Related resources from NHI Mgmt Group
- How should security teams govern Active Directory service accounts?
- How should security teams govern non-human identities that have persistent access?
- How should security teams govern non-human identities alongside human accounts?
- How should security teams govern API keys used for generative AI access?
