Self-custody is an identity and asset model where the user, not a central provider, holds the credentials that control access. It improves control and portability, but it also means lost credentials can become unrecoverable unless backups and emergency paths are designed in advance.
Expanded Definition
Self-custody is a control model in which the person or system operator holds the credentials, keys, or recovery material needed to prove identity and authorize access, rather than relying on a central issuer or hosted wallet provider. In NHI and agentic AI environments, the term is used most often where keys, certificates, or token-signing material must remain portable across infrastructure, cloud accounts, or tools. That portability is useful, but it also shifts the security burden onto the holder, including backup design, revocation planning, and secure storage. Guidance varies across vendors on whether self-custody includes delegated recovery, shared custody, or threshold schemes, so the operational boundary should be stated explicitly. For governance, self-custody should be evaluated alongside identity lifecycle controls, not treated as a purely technical preference. The most common misapplication is equating self-custody with resilience when the required recovery path is missing or untested.
For baseline identity and access principles, the NIST Cybersecurity Framework 2.0 is a useful reference point for control ownership and recovery planning.
Examples and Use Cases
Implementing self-custody rigorously often introduces recovery complexity, requiring organisations to weigh user autonomy against the operational cost of lost-key events and manual restoration.
- An engineer stores signing keys in a hardware-backed device and keeps offline recovery material so service deployments can continue if the primary device fails.
- A team managing machine identities uses self-custodied certificates for internal services, then pairs them with documented rotation and emergency revocation steps.
- An AI agent retains its own API key material under operator control, which reduces dependency on a central broker but demands strict escrow and access logging.
- A decentralized identity workflow lets a user move credentials between platforms without reissuing them from a vendor, improving portability across ecosystems.
- Security teams review self-custody design against NHI lifecycle guidance in the Ultimate Guide to NHIs and compare it with the recovery and assurance concepts described in the NIST Cybersecurity Framework 2.0.
In practice, self-custody appears in service account key management, wallet-based identity, certificate ownership, and agent authorization patterns where a central provider should not hold unilateral control over access.
Why It Matters in NHI Security
Self-custody matters because it can remove single-provider dependency while creating a single-holder failure mode if the credential is lost, exposed, or rotated without coordination. In NHI security, that risk is amplified by the scale of machine identities and the speed at which secrets spread across code, CI/CD, and runtime systems. NHI Mgmt Group reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, and 73% of vaults are misconfigured, which means self-custodied material often ends up harder to govern than centrally issued credentials. The governance question is not whether the operator wants control, but whether the operator can preserve recovery, revoke access quickly, and prove custody boundaries across the full lifecycle. Self-custody should therefore be paired with backup, escrow, rotation, and emergency access procedures, especially where agentic systems can execute with broad authority. For broader NHI governance context, the Ultimate Guide to NHIs is a useful operational reference.
Organisations typically encounter the consequences of weak self-custody only after a lost device, compromised key, or failed migration, at which point access restoration becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and key handling risks central to self-custody. |
| NIST CSF 2.0 | PR.AA-05 | Addresses identity credential management and recovery for access continuity. |
| NIST Zero Trust (SP 800-207) | Self-custody must still fit zero trust verification and least-privilege access. |
Store, rotate, and recover self-custodied credentials under explicit NHI secret controls.
Related resources from NHI Mgmt Group
- What is the difference between self-service administration and safe delegated control?
- When should organisations use self-signed TLS client authentication instead of CA-signed mTLS?
- What is the difference between self-signed and CA-signed client certificates?
- Why do self-assembling AI agents create more IAM risk than fixed workflows?