TPM-less devices are risky because they often sit outside mature trust and lifecycle controls, yet still need authentication, signing, and protected storage. When software roots of trust fill that gap, teams must know who owns the device, how credentials are protected, and what happens when the device is retired or compromised.
Why This Matters for Security Teams
TPM-less devices create governance risk because identity teams are asked to trust a device that cannot prove hardware-backed integrity in the way mature assurance models expect. That does not just affect login. It affects how signing keys are protected, how device ownership is established, how revocation works, and how confidently the organisation can decide whether the device is still trustworthy after exposure. In practice, the gap is often discovered only when teams try to enforce lifecycle controls at scale.
For identity programs, the risk is not the absence of a chip by itself. It is the compensating control burden that follows. Without a TPM, software roots of trust, secure enclaves, or managed attestation stacks must carry the assurance load, and those controls are much easier to misconfigure, clone, or bypass. NHIMG guidance on Ultimate Guide to NHIs shows how lifecycle visibility and credential discipline are usually the weak point, not the initial enrolment. That aligns with the broader identity-first thinking in NIST Cybersecurity Framework 2.0. In practice, many security teams encounter device trust failures only after a retire, rebuild, or compromise event has already broken their assumptions.
How It Works in Practice
Identity teams usually have to replace hardware-backed trust with a layered model when TPMs are missing. The practical pattern is to bind the device to a managed workload identity, use short-lived credentials, and evaluate trust at runtime rather than assuming the device remains trustworthy after enrollment. That means the device should not hold long-lived secrets in files or local storage if an alternative exists. It also means revocation and re-enrollment must be treated as normal operational workflows, not exceptions.
Good practice is to combine several controls:
- Use device inventory and ownership records so the organisation knows who is responsible for each endpoint.
- Issue ephemeral credentials where possible, then rotate or revoke them on task completion or risk change.
- Prefer remote attestation or software-based integrity checks over static trust assumptions when no TPM is available.
- Separate device identity from human identity so compromise of one does not automatically expose the other.
- Use policy-as-code and conditional access to evaluate device posture, location, and session context at request time.
That approach is consistent with NHIMG lifecycle guidance in Lifecycle Processes for Managing NHIs and with the governance posture described in Key Challenges and Risks. For assurance architecture, teams should also align device trust decisions to CISA Zero Trust Maturity Model and the policy-based access ideas in the NIST Cybersecurity Framework 2.0. These controls tend to break down in unmanaged, offline, or user-owned environments because the organisation cannot reliably enforce enrollment, attestation, or revocation at the moment risk changes.
Common Variations and Edge Cases
Tighter device trust controls often increase operational overhead, requiring organisations to balance stronger assurance against support complexity and user friction. That tradeoff is especially visible in BYOD fleets, field devices, lab systems, and legacy industrial endpoints where TPM support is absent or inconsistent. Current guidance suggests that teams should not wait for perfect hardware; instead, they should define acceptable compensating controls and the conditions that trigger access denial, step-up checks, or full re-enrollment.
There is no universal standard for this yet. Some environments can tolerate software roots of trust if credentials are short-lived and the device is tightly managed. Others, especially those handling sensitive secrets or signing authority, may need to restrict TPM-less devices entirely. The safest interpretation is that TPM absence does not automatically mean non-compliance, but it does require explicit governance, documented exceptions, and faster offboarding. NHIMG research on 52 NHI Breaches Analysis is a useful reminder that weak lifecycle control is what turns identity gaps into incidents. The practical decision point is whether the organisation can prove device identity, protect secrets, and revoke access quickly enough when the device is lost, rebuilt, or repurposed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI lifecycle and secret protection gaps that TPM-less devices amplify. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and credential assurance depend on how device trust is established. |
| NIST Zero Trust (SP 800-207) | SA-3 | Zero trust requires continuous verification instead of assuming hardware-backed trust. |
Treat TPM-less endpoints as high-risk NHIs and require short-lived credentials plus explicit offboarding.
