Subscribe to the Non-Human & AI Identity Journal

Cloud service lifecycle

The cloud service lifecycle is the full span of a service from initial adoption through operation, change, monitoring, and retirement. In identity and security programmes, the lifecycle matters because controls can fail after deployment if ownership, review, and escalation are not maintained.

Expanded Definition

The cloud service lifecycle covers the full journey of a service from procurement or adoption through configuration, operation, change control, monitoring, and eventual retirement. In NHI security, the term is more than a project-management sequence. It defines when identities are created, how secrets are issued, who can approve access, and how that access is removed when the service changes or ends.

Definitions vary across vendors on whether the lifecycle begins at first deployment, first credential issuance, or first production use, but no single standard governs this yet. What matters operationally is that controls must follow the service across every stage, not just at go-live. That is why lifecycle discipline is closely related to the OWASP Non-Human Identity Top 10 and NHIMG guidance on NHI Lifecycle Management Guide. The most common misapplication is treating cloud service onboarding as a one-time approval event, which occurs when teams fail to revisit permissions, ownership, and retirement tasks after the service enters production.

Examples and Use Cases

Implementing cloud service lifecycle controls rigorously often introduces operational overhead, requiring organisations to balance faster service delivery against tighter review, ownership, and retirement discipline.

  • A platform team provisions a new service account for a CI/CD pipeline, but the lifecycle process requires explicit owner assignment, secret storage approval, and a scheduled review date before deployment.
  • An application is replatformed to a different cloud account, and the lifecycle record is updated so inherited roles, token scopes, and old integrations are revalidated rather than copied forward unchanged.
  • A service is decommissioned after migration, and the lifecycle workflow ensures its API keys, certificates, vault entries, and dependent automation are revoked in the correct order.
  • Security teams use the lifecycle to track where an NHI is created, rotated, monitored, and retired, aligning with NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the OWASP Non-Human Identity Top 10.
  • In cloud secret hygiene programmes, lifecycle governance is used to detect stale tokens and duplicated credentials, echoing NHIMG research in the Guide to the Secret Sprawl Challenge.

Why It Matters in NHI Security

Cloud service lifecycle failures are a common source of identity drift because the service often outlives the original approval, deployment team, or security review. Once that happens, permissions accumulate, secrets spread, and nobody can confidently say which NHIs are still needed. NHIMG’s 2025 State of NHIs and Secrets in Cybersecurity reported that 91% of former employee tokens remain active after offboarding, a reminder that retirement is often the weakest lifecycle stage, not the strongest.

This matters because lifecycle gaps turn routine changes into latent exposure. A service that was safe at launch can become over-privileged after migrations, team turnover, or emergency fixes. The issue is amplified when organisations rely on static credentials, as noted in the 2026 Infrastructure Identity Survey, where 67% of organisations still rely heavily on them. Practitioners should treat lifecycle management as an identity control plane concern, not just a documentation exercise. Organisations typically encounter the consequence only after a breach, failed audit, or unexpected service shutdown, at which point cloud service lifecycle control becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Lifecycle drift often starts with secret sprawl and unmanaged service identities.
NIST CSF 2.0 PR.AC-1 Lifecycle governance depends on identity issuance, authorization, and revocation.
NIST Zero Trust (SP 800-207) PL-8 Zero Trust requires continuous verification across the service life, not just at launch.

Track each cloud service identity from creation through retirement and remove unused credentials promptly.