Subscribe to the Non-Human & AI Identity Journal

Why does unmanaged identity sprawl increase risk even when access reviews exist?

Access reviews only work for identities that are already visible, current, and mapped to an accountable owner. Unmanaged sprawl creates identities that never enter the review cycle, so drift, excess privilege, and stale tokens can persist indefinitely. That is why governance must be tied to discovery, not to periodic certification alone.

Why This Matters for Security Teams

identity sprawl is not just an inventory problem. When service accounts, API keys, tokens, and machine users accumulate faster than governance can track them, access reviews become a snapshot of a partial map. The result is a false sense of control: reviewers can certify what they can see, while unmanaged identities keep operating with stale ownership, excess privilege, or no owner at all. NHI Management Group research shows NHIs now outnumber human identities by 144:1 in enterprise environments, which helps explain why periodic certification alone cannot keep pace.

That scale matters because unmanaged identities often sit outside the normal lifecycle controls described in the Ultimate Guide to NHIs and the risk patterns in Top 10 NHI Issues. Access reviews are useful, but they are only effective when discovery, ownership, and entitlement mapping are already accurate. The OWASP Non-Human Identity Top 10 treats poor lifecycle control and secret exposure as core risks for exactly this reason.

In practice, many security teams discover the worst exposure only after a breach investigation reveals identities that were never in the review queue in the first place.

How It Works in Practice

Access reviews operate on the identities and permissions already present in the governance system. Unmanaged sprawl breaks that model by creating identities that are created outside standard onboarding, never linked to an accountable owner, or duplicated across tools and environments. Once that happens, certification workflows can approve the visible subset while the hidden subset continues to authenticate, call APIs, and inherit privilege from old defaults.

The practical response is to tie review programs to continuous discovery and lifecycle control. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs emphasizes that discovery, inventory, ownership, and rotation have to be connected. That aligns with the NIST Cybersecurity Framework 2.0, which expects asset identification and continuous risk management, not one-time certification.

  • Discover NHIs across code, CI/CD, cloud, SaaS, and collaboration tooling before certification starts.
  • Bind each identity to an owner, purpose, system, and expiry date.
  • Flag identities with no recent use, no owner, or excessive privilege for remediation, not just review.
  • Automate secret rotation and revocation when ownership cannot be verified.
  • Use review outputs as a validation layer, not the primary discovery mechanism.

Where this guidance breaks down is in multi-cloud and third-party automation estates with weak telemetry, because identities can be created and used faster than inventory sync can reconcile them.

Common Variations and Edge Cases

Tighter identity control often increases operational overhead, requiring organisations to balance faster delivery against stronger accountability. That tradeoff is especially visible in DevOps pipelines, partner integrations, and temporary automation accounts, where teams sometimes accept short-lived exceptions to avoid blocking deployments.

Current guidance suggests treating those exceptions as time-bound and observable rather than permanent. For example, a CI/CD service account may be justified for a release pipeline, but it still needs ownership, a defined scope, and a revocation path. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because audit evidence should show not only who approved access, but how the identity entered inventory and how it will exit it. That principle is also reflected in the 52 NHI Breaches Analysis, where stale or poorly governed machine access repeatedly appears as an enabling condition.

There is no universal standard for this yet, but best practice is evolving toward continuous certification for visible identities plus enforced discovery for unknown ones. That matters most in environments with shared service accounts, shadow IT, and third-party managed integrations, because those are the places where access reviews can look clean while unmanaged sprawl keeps accumulating risk underneath.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Identity sprawl and hidden machine accounts are core NHI discovery failures.
NIST CSF 2.0 ID.AM-1 Asset inventory is the prerequisite for meaningful access review coverage.
NIST AI RMF GOVERN Unmanaged sprawl weakens accountability for automated and agent-driven identities.

Continuously discover NHIs and remove or register identities that never enter governance.