Subscribe to the Non-Human & AI Identity Journal

What should security teams do during a legacy platform migration?

Security teams should require offboarding, credential rotation, and dependency removal as part of the migration plan. A platform is not really retired until its identities, connectors, and fallback access paths are gone. That discipline prevents the old environment from surviving as a hidden second production estate.

Why This Matters for Security Teams

Legacy platform migrations often look like straightforward cutovers, but they become identity-risk events when old service accounts, API keys, OAuth grants, and connector secrets are left behind. That is where the retired platform quietly keeps working as a shadow estate. NHI Management Group notes that only 20% of organisations have formal offboarding and revocation processes for API keys, and that gap is exactly what migration programmes tend to expose.

The security problem is not just access removal. It is dependency discovery, credential lifecycle control, and proving that fallback paths cannot re-open the old environment after go-live. Current guidance from the NIST Cybersecurity Framework 2.0 emphasises governance, asset management, and recovery discipline, all of which map directly to migration cutovers. The practical lesson is that retirement is only real when the identities are gone, not when the application banner changes.

For teams that manage non-human identities, the migration window is often the last chance to find credentials that no one remembered existed. In practice, many security teams encounter the real blast radius only after the legacy system has already been handed back to operations, rather than through intentional decommissioning.

How It Works in Practice

A safe migration plan treats the legacy platform as an identity and dependency inventory exercise before it is a technical cutover. Start by mapping every non-human identity tied to the platform: service accounts, CI/CD tokens, secrets in code, integration users, certificates, and third-party OAuth apps. Then classify each dependency by whether it can be repointed, retired, or replaced. The goal is to remove hidden trust paths, not just to move workloads.

Operationally, the strongest pattern is to combine offboarding with controlled rotation. That means issuing replacement credentials for the target platform, validating that applications can authenticate there, and then revoking the old secrets on a defined schedule. The Ultimate Guide to NHIs highlights how often organisations miss this step, and why unresolved secrets become persistent attack paths.

  • Build a dependency register before the migration window opens.
  • Identify every NHI, secret, connector, and fallback admin path tied to the old platform.
  • Rotate credentials to the target environment before cutover, not after.
  • Revoke legacy tokens, certificates, and OAuth grants immediately once traffic is verified.
  • Monitor for re-authentication attempts against the retired environment for at least one full business cycle.

This is also where visibility tooling matters. If teams cannot enumerate the old platform’s machine identities, they cannot prove decommissioning. The most common failure point is hybrid or federated estates where the legacy platform still trusts upstream directories, shared vaults, or CI systems, because those environments preserve access even after the application itself is declared retired. These controls tend to break down when shared secrets and cross-environment trust chains were never isolated in the first place.

Common Variations and Edge Cases

Tighter offboarding often increases migration effort, requiring organisations to balance speed against assurance. That tradeoff is real in regulated environments, where business teams want a fast cutover but security needs proof that the old environment cannot be revived through an overlooked token or integration account.

Best practice is evolving for complex cases such as shared service accounts, vendor-managed connectors, and asynchronous batch jobs. If multiple applications reuse one identity, teams may need to split the account first, then migrate consumers in phases. In environments with fragile legacy middleware, a short transition period may be acceptable, but current guidance suggests that any temporary coexistence should have explicit expiry dates and documented owners.

Teams should also watch for exceptions where the old platform remains read-only for audit, archive, or legal hold. Even then, read-only does not mean harmless. Secrets should still be rotated, interactive access removed, and any remaining machine trust constrained to the minimum needed for preservation. NHI Management Group’s research shows how often organisations underestimate the residual risk of secrets left valid after notice, and migration projects amplify that problem if decommissioning is treated as an administrative task instead of a security control.

For control alignment and transition discipline, the State of Non-Human Identity Security is a useful reminder that visibility gaps and poor rotation practices are still among the most common causes of compromise. When the legacy estate is spread across multiple clouds, partners, or CI/CD systems, the retirement plan tends to fail because the team can shut down the application faster than it can unwind the identities that keep it alive.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Migration offboarding depends on rotating and retiring non-human credentials.
CSA MAESTRO ID-02 MAESTRO covers identity lifecycle and trust removal during system transitions.
NIST CSF 2.0 PR.AC-4 Least privilege and access control are central when retiring legacy platform access.

Treat decommissioning as an identity lifecycle task with owners, expiry, and verified revocation.