Subscribe to the Non-Human & AI Identity Journal

Release governance

The controls that decide who can publish software, under what approval conditions, and with what revocation path. For non-human identities, release governance is part of identity security because publishing credentials often have production-level impact even when they look like routine developer tools.

Expanded Definition

Release governance is the decision layer that determines whether a software release may move from build to production, who must approve it, and what conditions or rollback paths must exist before publication. In NHI security, it also governs the identities used to publish code, images, packages, and configuration changes, because those identities can carry production-level authority even when they are treated as routine developer tooling.

Definitions vary across vendors on whether release governance includes only approvals or also lineage, provenance, and emergency revocation. In NHI Management Group terms, the practical boundary is simple: if an identity can promote software into an environment that matters to business continuity or customer trust, release governance applies. This connects naturally to the control expectations discussed in the NIST Cybersecurity Framework 2.0 and to the lifecycle view in Ultimate Guide to NHIs: Lifecycle Processes for Managing NHIs.

The most common misapplication is treating release approval as a ticketing step, which occurs when organisations approve deployments without binding the approving identity to least privilege, expiration, or revocation.

Examples and Use Cases

Implementing release governance rigorously often introduces release latency and coordination overhead, requiring organisations to weigh deployment speed against the reduction in unauthorised or risky production changes.

  • A CI/CD pipeline can only publish to production after a signed approval from a separate deployment approver, not from the build service account itself.
  • An AI agent that proposes infrastructure changes is blocked from publishing until a human reviewer validates scope, secrets exposure, and rollback readiness.
  • A package registry token is allowed to publish only during a narrow release window and is automatically revoked after the change is complete, reflecting the lifecycle concerns highlighted in the Top 10 NHI Issues.
  • An emergency patch can bypass standard approvals, but only if the release identity is logged, time-limited, and later reviewed against audit criteria from the Ultimate Guide to NHIs: Regulatory and Audit Perspectives.
  • A mobile app store release bot is separated from the credentials that sign production backend changes, preventing one publishing path from becoming a universal privilege.

These patterns align with identity assurance concepts in NIST SP 800-63 Digital Identity Guidelines when release authority must be treated as an authentic, accountable privilege.

Why It Matters in NHI Security

Release governance matters because the identity that can publish is often more powerful than the identity that can read or build. If publishing credentials are over-privileged, long-lived, or shared across teams, a compromise can turn a single workflow into a production outage, supply chain incident, or malicious code insertion. That is why release governance sits alongside secret rotation, access review, and revocation design in mature NHI programs.

NHIMG research shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, underscoring how often publishing paths become part of the attack surface. This is not just a compliance issue. It is a containment issue, because once release authority is abused, responders need a fast way to disable the identity, validate provenance, and stop further propagation.

Organisations typically encounter the operational cost of weak release governance only after an unauthorised deployment, at which point revocation paths, audit trails, and approval boundaries become unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Release approvals and publishing authority are core NHI governance controls.
NIST CSF 2.0 PR.AC-4 Least-privilege access is needed for identities that can publish software.
NIST SP 800-63 AAL2 Publishing authority depends on strong, accountable authentication for release identities.

Use stronger authentication for release accounts and bind actions to accountable identities.