Teams should test whether the platform can discover, certify, and revoke access beyond its connector catalogue. If shadow apps, OAuth connections, service accounts, or AI-driven access paths sit outside scope, the platform is governing a subset of the estate rather than the estate itself. Coverage is the control.
Why This Matters for Security Teams
Identity governance platforms are often evaluated as if connector count equals control coverage, but integration libraries only govern what they can actually see. That matters because the largest blind spots in modern estates are usually not the obvious enterprise apps, but OAuth grants, service accounts, embedded secrets, shadow tools, and machine-to-machine access paths that never appear in the catalogue. NIST Cybersecurity Framework 2.0 frames this as a governance and asset visibility problem, not just an access review problem. When the platform cannot discover an identity, it cannot certify, revoke, or attest to it with confidence. The result is false assurance, especially when auditors assume coverage is complete.
This is consistent with NHIMG research. In The State of Non-Human Identity Security, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps. NHIs also outnumber human identities by 25x to 50x in modern enterprises, so a partial inventory is not a minor gap. It is the control surface. In practice, many security teams discover missing identity paths only after a breach review reveals the connector library never saw them. NIST Cybersecurity Framework 2.0 is useful here because it pushes teams to validate asset and access coverage before trusting governance outputs.
How It Works in Practice
A serious evaluation starts with scope testing, not feature demos. The question is whether the platform can discover identities across the full estate, then continuously govern them through certification, remediation, and revocation. That means validating native discovery, API coverage, SaaS connectors, cloud workloads, directories, and non-interactive identities such as service accounts and tokens. It also means testing whether it can ingest evidence from outside the connector catalogue through APIs, event streams, or custom integrations.
A practical assessment should include:
- Discovery tests against shadow SaaS, OAuth apps, and unmanaged service accounts.
- Revocation tests that prove the platform can remove access, not just flag it.
- Lifecycle tests for joiner, mover, leaver, and offboarding flows for NHIs.
- Exception handling for identities that are not well represented by human-centric workflows.
- Audit evidence checks to confirm the system can explain what was governed and what was excluded.
For NHI-heavy environments, the governance layer should align with the lifecycle guidance in Ultimate Guide to NHIs, especially around offboarding, rotation, and visibility. That matters because NHIMG research shows only 20% have formal processes for offboarding and revoking API keys, while 96% of organisations store secrets outside secrets managers in vulnerable locations. A platform that depends on static connector coverage will miss those realities.
Current guidance suggests evaluating whether the platform can operate as a control plane for identity governance, not just a reporting layer. Top 10 NHI Issues is a useful companion reference because it highlights the operational failures that surface when identity visibility is incomplete. These controls tend to break down in environments with rapid SaaS sprawl and developer-managed OAuth grants because new access paths appear faster than connectors are added.
Common Variations and Edge Cases
Tighter coverage requirements often increase onboarding effort, integration maintenance, and ownership disputes, so organisations must balance control completeness against operational drag. That tradeoff is most visible when the estate includes subsidiaries, third-party managed apps, or bespoke internal tooling.
Best practice is evolving for AI-driven access paths and agentic workflows. There is no universal standard for this yet, but platforms should be tested for whether they can represent machine identities, ephemeral credentials, and delegated tool access without collapsing them into human roles. If the governance model only understands named users and fixed entitlements, it will misclassify autonomous access as ordinary human access. That is a design failure, not a reporting issue.
Edge cases also include federated SaaS ecosystems where an app can be discovered but not remediated, and legacy systems where access revocation requires manual steps. In those cases, the platform should at least surface the gap clearly rather than imply enforcement that does not exist. The right buying question is not “How many connectors do you have?” It is “What identity paths can you actually discover, certify, and revoke end to end?”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery and inventory are central when connector libraries miss NHIs. |
| NIST CSF 2.0 | GV.OC-01 | Governance depends on knowing the full identity estate, including hidden access paths. |
| NIST AI RMF | AI RMF is relevant where agentic access paths create dynamic identity and control gaps. |
Verify the platform inventories all NHIs, then prove discovery extends beyond its built-in connectors.
Related resources from NHI Mgmt Group
- How should security teams evaluate IAM platforms for non-human identity governance?
- How should security teams evaluate unified identity platforms for governance risk?
- How should security teams evaluate identity security platforms when NHI governance is in scope?
- How should security teams evaluate identity platforms for enterprise lifecycle governance?
