Subscribe to the Non-Human & AI Identity Journal

Ungoverned application

An application that sits outside the normal identity governance workflow and therefore relies on manual provisioning, ad hoc approvals, or local administration. These apps often create hidden cost, weaker evidence, and slower access because the lifecycle process is fragmented or absent.

Expanded Definition

An ungoverned application is an application that operates outside the normal identity governance workflow, so access is granted through manual provisioning, ad hoc approvals, or local administration rather than centrally enforced policy. In NHI practice, that usually means the app’s service accounts, API keys, certificates, and automation tokens are created and maintained without standard review, expiration, or ownership tracking.

This term is narrower than simply “legacy” or “shadow” application. A legacy system can still be governed if its identities are onboarded into formal controls. An ungoverned application, by contrast, lacks reliable lifecycle control even when the application is known to the organisation. Guidance varies across vendors on whether the label applies only to systems outside IGA tooling or also to apps with partial, inconsistent governance. For NHI Management Group, the key indicator is whether identity lifecycle, evidence, and access accountability are repeatable. The NIST Cybersecurity Framework 2.0 frames this as a governance and access-control problem, not merely an inventory issue.

The most common misapplication is treating a manually approved application as governed when no durable ownership, review cadence, or revocation path exists after the initial approval.

Examples and Use Cases

Implementing governance rigorously often introduces onboarding friction, requiring organisations to weigh speed of delivery against access assurance and auditability. That tradeoff becomes visible in environments where application teams prefer autonomy but security teams still need evidence that NHI controls are working. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle control is what separates a managed application from an ungoverned one.

  • A finance reporting app has a local administrator who creates shared API keys for integrations, but no formal owner records or expiry policy.
  • A factory system uses long-lived service accounts that were exempted from IGA onboarding because the platform team considered it too old to modernise.
  • A customer portal integrates with several third-party services, yet credentials are stored in code and rotated only when an outage occurs.
  • A development utility is approved once by email, then left outside access reviews, so its machine identities are never recertified.
  • A merger brings in an acquired application whose authentication model never gets mapped into central governance, so its secrets remain unmanaged.

For governance teams, the practical test is whether the application can be reconciled to identity records, ownership, and revocation procedures in a way that survives staff changes and audits.

Why It Matters in NHI Security

Ungoverned applications matter because they become concentration points for hidden NHI risk. When service accounts, tokens, and certificates are created outside formal control, organisations lose visibility into who can use them, when they expire, and how they are revoked. That weakens evidence for audit, slows incident response, and increases the chance that stale credentials remain active long after a team believes an application has been decommissioned.

NHI Management Group research shows that only 5.7% of organisations have full visibility into their service accounts, which is exactly why ungoverned applications are so dangerous: they hide identity sprawl in plain sight. The same pattern shows up in review failures, where governance teams cannot prove ownership or rotation status. In zero trust terms, the problem is not just the app itself but the untrusted identity pathways it leaves behind. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives links this directly to evidence quality, while the NIST Cybersecurity Framework 2.0 reinforces the need for consistent control execution across systems. Organisations typically encounter the consequence only after a credential leak, an access review failure, or an audit exception, at which point ungoverned application status becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Covers missing ownership and inventory gaps that define ungoverned applications.
NIST CSF 2.0 GV.OC-01 Requires organisational understanding of assets and systems, including unmanaged applications.
NIST Zero Trust (SP 800-207) AC-1 Zero trust depends on continuous policy enforcement, which ungoverned apps bypass.

Enforce identity-aware access controls and remove ad hoc local credential paths.