Because certifications and leaver workflows only work on identities the programme can see. When access exists outside the inventory, reviewers cannot attest to it and offboarding cannot remove it. That leaves lingering access in shadow systems, which creates audit risk and preserves opportunities for misuse.
Why This Matters for Security Teams
Access reviews and offboarding are only as reliable as the identity inventory behind them. When service accounts, API keys, machine tokens, and shadow integrations are missing from the system of record, certifiers cannot affirm what they cannot see, and leaver workflows cannot revoke what they do not know exists. That is why incomplete inventories turn governance into theatre: the paperwork closes, but access remains live in hidden workflows.
The risk is not abstract. NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, while OWASP Non-Human Identity Top 10 treats discovery gaps and lifecycle failure as core security problems, not administrative noise. If inventory quality is low, review completion rates can look healthy while real access continues to accumulate across code, pipelines, bots, and third-party tooling.
In practice, many security teams discover the missing identities only after an incident, an audit exception, or a failed offboarding event, rather than through intentional control design.
How Incomplete Inventories Break Reviews and Offboarding
Access certification depends on a complete population list. If the inventory excludes workloads, inherited secrets, ephemeral tokens, or application-owned identities, reviewers are forced to approve an incomplete picture. That creates false assurance: the reviewer signs off on the recorded set, but unmanaged identities continue to authenticate and authorize actions outside the review scope.
Offboarding fails in a similar way. Human exit processes often remove directory accounts, badge access, and SaaS entitlements, but they do not automatically find every machine credential tied to that person’s projects. The NHI Lifecycle Management Guide emphasizes that discovery, ownership, and revocation must operate together, because a credential that is not mapped to an owner is a credential that will survive the departure event.
- Undiscovered service accounts remain active because no one is assigned to attest to them.
- Shared tokens survive because one team assumes another team will rotate them.
- Shadow systems bypass review queues entirely, so leaver workflows never reach them.
- Legacy integrations keep stale privileges when ownership metadata is missing or outdated.
Best practice is to treat inventory as a live control plane, not a periodic spreadsheet. That means continuous discovery from cloud, CI/CD, secret stores, and application logs; ownership fields that identify a business custodian and technical maintainer; and workflow hooks that trigger revocation when an identity is retired, reassigned, or flagged as unowned. These controls tend to break down when identities are created inside automation tooling without registration, because the inventory never receives the event that should start review or offboarding.
Common Variations and Edge Cases
Tighter inventory controls often increase operational overhead, requiring organisations to balance faster onboarding against stronger revocation discipline. That tradeoff is real, especially in environments with rapid delivery pipelines, ephemeral workloads, and third-party integrations that generate identities automatically.
Current guidance suggests a few edge cases deserve special handling. First, short-lived tokens and build-time credentials may not need the same review cadence as durable service accounts, but they still need ownership, scope, and expiry metadata. Second, federated or externally managed identities can sit outside local directories, so the inventory must extend across trust boundaries rather than stop at the primary IAM platform. Third, some teams rely on runtime discovery to supplement registration, but there is no universal standard for this yet, so organisations should validate that discovery data is reconciled back into the authoritative inventory.
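As an added illustration of the live-inventory reconciliation described under "How Incomplete Inventories Break Reviews and Offboarding" and the edge cases above (this is not NHI Management Group's tooling; the record layout, identifiers, owner names and dates are constructed assumptions), the following Python reconciles discovery results against an authoritative inventory and derives the findings a control plane would raise: shadow identities that escape review, unowned identities no one can attest to, expired credentials still observed live, and owned identities that a leaver event must revoke.

```python
"""Reconcile discovered non-human identities (NHIs) against an authoritative
inventory and derive review/offboarding actions (added example, constructed data)."""
from datetime import datetime, timezone

# Constructed sample: the authoritative inventory, i.e. what reviewers can see.
INVENTORY = {
    "svc-billing-etl": {"owner": "alice", "expires": None},
    "svc-ci-deploy":   {"owner": None,    "expires": None},              # no custodian
    "tok-build-4421":  {"owner": "bob",   "expires": "2024-01-01T00:00:00Z"},
}

# Constructed sample: identities observed by discovery (cloud, CI/CD, secret store).
DISCOVERED = [
    {"id": "svc-billing-etl", "source": "iam"},
    {"id": "svc-ci-deploy",   "source": "ci"},
    {"id": "tok-build-4421",  "source": "ci"},
    {"id": "bot-slack-export", "source": "secret-store"},   # never registered
]

# Point in time at which the reconciliation runs (constructed).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def reconcile(inventory, discovered, now, leavers=()):
    """Return the findings a live inventory control plane would raise:
    shadow  - discovered but absent from the inventory (escapes review)
    unowned - registered but has no custodian to attest (review cannot close)
    expired - expiry has passed yet the identity is still observed live
    revoke  - owned by a member of the leaver set (offboarding hook)
    """
    seen = {d["id"] for d in discovered}
    findings = {"shadow": sorted(seen - inventory.keys()),
                "unowned": [], "expired": [], "revoke": []}
    for ident, meta in inventory.items():
        if meta["owner"] is None:
            findings["unowned"].append(ident)
        elif meta["owner"] in leavers:
            findings["revoke"].append(ident)
        exp = meta.get("expires")
        if exp and ident in seen:
            if datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
                findings["expired"].append(ident)
    return findings


def review_population(inventory, findings):
    """Only identities that are registered and have an owner can be certified."""
    blocked = set(findings["unowned"])
    return sorted(i for i in inventory if i not in blocked)


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, AS_OF, leavers={"bob"})
    print(result)
    print(review_population(INVENTORY, result))
```

Running it with `bob` in the leaver set shows the credential tied to him queued for revocation while the unregistered bot and the ownerless deploy account surface as gaps the review would otherwise never reach.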
The practical lesson is straightforward: if an identity cannot be enumerated, assigned, and linked to a lifecycle event, it cannot be certified or revoked with confidence. NHI Management Group’s 52 NHI Breaches Analysis and the Top 10 NHI Issues both show that visibility gaps are not just bookkeeping defects; they are a direct path to persistent unauthorized access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery gaps cause hidden NHIs to escape review and offboarding. |
| NIST CSF 2.0 | PR.AC-1 | Identity inventory completeness is required for valid access authorization and review. |
| NIST CSF 2.0 | PR.DS-5 | Untracked secrets and credentials persist when offboarding misses inventory blind spots. |
Continuously discover NHIs and reconcile them to an authoritative inventory before any access review.