PDCA cycle

Plan, Do, Check, Act is the continuous improvement loop used by ISO 27001. For access reviews, it means designing the control, operating it, measuring outcomes, and then changing the process when risks, findings, or operating conditions shift.

Expanded Definition

The PDCA cycle is a governance method for making NHI controls repeatable, measurable, and adaptable. In practice, it turns access review work into a control loop: define the policy, operate the review, measure exceptions or failures, and then revise the process based on findings. For NHI programs, that makes the cycle especially useful for service accounts, API keys, certificates, and automation identities that change faster than annual policy reviews can keep up.

Definitions vary across vendors and audit traditions, but the core idea is stable across OWASP Non-Human Identity Top 10 and ISO-style management systems: continuous improvement is not a separate task, it is the operating model. NHI Management Group treats PDCA as a practical bridge between policy language and control performance, especially when secrets, rotation, and offboarding are handled by different teams. The most common misapplication is treating PDCA as a paperwork cadence, which occurs when organisations complete a review checklist without changing the underlying control after repeated exceptions.

Examples and Use Cases

Implementing PDCA rigorously often introduces review overhead and evidence-collection work, requiring organisations to weigh auditability against operational speed.

  • Planning quarterly service account reviews for high-risk workloads, then measuring how many accounts still have excessive privileges after remediation.

  • Using the Ultimate Guide to NHIs: Lifecycle Processes for Managing NHIs to design an offboarding workflow, then updating it after stale API keys are found in production.

  • Applying the Guide to the Secret Sprawl Challenge to locate secrets outside approved vaults, then changing developer controls when code scanning shows repeated leakage patterns.

  • Reviewing rotation results through the lens of the Guide to NHI Rotation Challenges, then adjusting schedules for workloads that fail under short-lived credentials.

  • Using the ISO 27001 interpretation of PDCA alongside OWASP Non-Human Identity Top 10 to prioritise the control gaps that matter most to service accounts and automation pipelines.

Why It Matters in NHI Security

PDCA matters because NHI risk accumulates when controls are static. A process that was adequate before secrets began spreading across CI/CD tools, cloud workloads, and third-party integrations can become ineffective without a feedback loop. NHI Management Group notes that 71% of NHIs are not rotated within recommended time frames, and 97% of NHIs carry excessive privileges, which means the control issue is often not awareness but correction over time. When PDCA is applied well, findings from access reviews, rotation failures, and vault misconfiguration are converted into process changes rather than one-time tickets.
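As an added illustration, not code from the page or from NHI Management Group, the following Python sketches the Check and Act steps of the loop described here: Check measures a constructed service-account inventory against assumed rotation-age and least-privilege thresholds, and Act sends a first-time exception to a ticket but a finding that recurs across consecutive review cycles to a control redesign, which is the difference between a paperwork cadence and a working PDCA loop. Identity names, scopes, dates and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds for this example; none of these values come from the page.
ROTATION_MAX_AGE = timedelta(days=90)   # a credential older than this is an exception
BASELINE_SCOPES = {"read"}              # least-privilege baseline for these workloads
REPEAT_LIMIT = 2                        # same finding this many cycles running => redesign

@dataclass(frozen=True)
class NHI:
    name: str
    last_rotated: date
    scopes: frozenset

def check(inventory, today):
    """Check step: measure each identity against the rotation and privilege policy.
    Returns {identity: {finding codes}}; identities without findings are omitted."""
    findings = {}
    for nhi in inventory:
        codes = set()
        if today - nhi.last_rotated > ROTATION_MAX_AGE:
            codes.add("stale-rotation")
        if nhi.scopes - BASELINE_SCOPES:
            codes.add("excessive-privilege")
        if codes:
            findings[nhi.name] = codes
    return findings

def act(history):
    """Act step: given Check output of consecutive cycles (oldest first), route a
    first-time finding to a ticket and one seen REPEAT_LIMIT cycles in a row to a
    control redesign, so repeated exceptions change the process instead of recurring."""
    recent = history[-REPEAT_LIMIT:]
    tickets, redesign = [], []
    for name, codes in history[-1].items():
        for code in codes:
            every_cycle = len(recent) == REPEAT_LIMIT and all(code in c.get(name, ()) for c in recent)
            (redesign if every_cycle else tickets).append((name, code))
    return {"ticket": sorted(tickets), "redesign": sorted(redesign)}

# Constructed quarterly inventories (sample data, not from any real environment).
Q1, Q2 = date(2024, 4, 1), date(2024, 7, 1)
INVENTORY_Q1 = [
    NHI("ci-deployer", date(2024, 1, 15), frozenset({"read", "admin"})),
    NHI("backup-svc", date(2023, 10, 1), frozenset({"read", "write"})),
    NHI("report-bot", date(2024, 2, 1), frozenset({"read"})),
]
# Q2: ci-deployer was rotated but kept admin; backup-svc untouched; report-bot went stale.
INVENTORY_Q2 = [
    NHI("ci-deployer", date(2024, 5, 2), frozenset({"read", "admin"})),
    NHI("backup-svc", date(2023, 10, 1), frozenset({"read", "write"})),
    NHI("report-bot", date(2024, 2, 1), frozenset({"read"})),
]
```

Calling `act([check(INVENTORY_Q1, Q1), check(INVENTORY_Q2, Q2)])` marks ci-deployer's standing admin scope and backup-svc's unrotated, over-scoped credential for redesign, while report-bot's first stale rotation gets a ticket.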

This is also where governance becomes operational. The pattern is visible in the Ultimate Guide to NHIs and the Top 10 NHI Issues: teams often discover that their control design, evidence, and remediation steps do not align. Organisations typically encounter repeated exposure only after a secrets leak, privilege abuse, or failed audit, at which point applying the PDCA cycle becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-02                PDCA drives continuous improvement of NHI secret and access controls.
NIST CSF 2.0                     GV.RM-03              Risk management requires monitoring outcomes and updating controls over time.
NIST AI RMF                      MP-3.3                Monitoring and measuring AI system performance maps to PDCA-style feedback loops.

Use PDCA to review NHI controls, remediate gaps, and update the control design after each finding.