Rotation replaces a credential while keeping the identity and workload in place, which reduces exposure if a secret leaks. Deprovisioning removes the identity or its access entirely, which is appropriate when the workload is retired or no longer needs the privilege. Mature programmes use both, but deprovisioning always delivers the bigger reduction in long-term risk.
Why This Matters for Security Teams
Rotation and deprovisioning solve different problems, and confusing them creates blind spots in NHI lifecycle management. Rotation limits the damage if a token, key, or certificate is exposed, but it does not change who or what is entitled to act. Deprovisioning removes access at the source, which is what stops dormant identities from becoming latent attack paths. That distinction matters when secrets are duplicated, embedded in pipelines, or shared across apps. NHI lifecycle discipline is covered in the NHI Lifecycle Management Guide and reinforced by the OWASP view of identity sprawl in the OWASP Non-Human Identity Top 10.
The practical risk is that teams often rotate a credential and assume the NHI is now safe, even though the identity still has standing access, broad RBAC entitlements, and repeated use across services. If a workload is retired, rotated credentials only postpone the inevitable rather than removing the privilege path. In mature programmes, rotation is a containment control and deprovisioning is an end-state control. In practice, many security teams encounter this only after an offboarded workload or abandoned integration still has active access and a fresh secret has already been issued.
How It Works in Practice
Rotation should be used when the identity is still legitimate but the secret needs replacement because of age, exposure risk, or policy. Deprovisioning should be used when the workload, service, or integration is no longer required, or when access is no longer justified. The two controls sit at different points in the lifecycle: rotation preserves continuity, while deprovisioning removes trust. That is why current guidance from Entro Security’s 2025 State of NHIs and Secrets in Cybersecurity and the 52 NHI Breaches Analysis consistently points to lifecycle failure, not just secret age, as the real problem.
- Rotate when the NHI is active and needs uninterrupted access, but the secret must be refreshed.
- Deprovision when the workload is retired, replaced, or no longer needs the privilege.
- Revoke issued tokens, API keys, certificates, and any cached secrets, not just the primary credential.
- Verify downstream systems, CI/CD jobs, vaults, and secret copies are cleaned up after removal.
Operationally, this often means pairing automated rotation with inventory-aware deprovisioning. A rotated secret can still be dangerous if the old one is cached in code, tickets, or chat, while a deprovisioned identity can still linger if access is replicated across multiple vaults or environments. The strongest programmes tie both actions to ownership, expiry, and workload state. These controls tend to break down when one NHI is reused by multiple applications because no single owner can safely confirm that all dependent access has been removed.
Common Variations and Edge Cases
Tighter deprovisioning often increases operational overhead, requiring organisations to balance reduced long-term risk against service continuity and change-management effort. That tradeoff is especially visible in systems that use long-lived service accounts, shared integrations, or legacy schedulers. Best practice is evolving toward dynamic, short-lived secrets, but there is no universal standard for every platform. Where workloads are highly ephemeral, rotation may be less important than issuing JIT credentials and revoking them automatically at task completion, as discussed in the Ultimate Guide to NHIs — Static vs Dynamic Secrets.
Edge cases usually involve uncertainty about whether an identity is truly dead. For example, a service account may appear unused but still support a backup job, a blue-green deployment, or a hidden batch process. In those cases, a staged approach is safer: confirm ownership, reduce privilege, rotate if needed, then deprovision once dependency checks are complete. The Guide to NHI Rotation Challenges and Top 10 NHI Issues both reflect the same operational reality: rotation without clean retirement creates a false sense of control.
For teams managing agentic systems, the distinction becomes even sharper because the agent’s access should be evaluated against current intent, not historical entitlement. Deprovisioning is the right answer when the agent or workload is no longer trusted to act at all; rotation is only a temporary containment measure when the agent still needs to operate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and deprovisioning are core lifecycle controls for NHI secrets. |
| NIST CSF 2.0 | PR.AA-5 | Identity lifecycle control supports least privilege and access removal. |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero trust requires continuous reauthorization, not permanent standing access. |
Use short-lived trust and remove access when the workload no longer meets policy conditions.