Subscribe to the Non-Human & AI Identity Journal

Release Identity

The account, token, or workflow identity allowed to publish software or ship updates. When release identity is over-privileged or reused across systems, one stolen credential can reach multiple environments and turn a single compromise into a broader infrastructure event.

Expanded Definition

Release identity is the non-human identity used to publish code, sign builds, promote artifacts, or trigger deployment workflows. It may be an account, token, certificate, or automated pipeline principal, but the security meaning is the same: this identity has authority at the moment software changes move into production.

In practice, release identity sits at the intersection of software supply chain security, privileged access, and CI/CD governance. The term is used more consistently in NHI programs than in general IAM, where it may be described as a deployer account, release bot, or build principal. Definitions vary across vendors, so the important distinction is not the label but the fact that the identity can alter what gets shipped and where. That makes it materially different from a routine service account or developer login. NIST’s Cybersecurity Framework 2.0 is relevant here because release identity belongs in governed access, change control, and recovery processes, not informal pipeline shortcuts.

The most common misapplication is treating a release identity like an ordinary automation token, which occurs when one credential is reused across environments, repositories, or deployment stages.

Examples and Use Cases

Implementing release identity rigorously often introduces pipeline friction, requiring organisations to weigh deployment speed against the control needed to prove who released what, when, and from which system.

  • A CI/CD runner uses a scoped release identity to sign an artifact before promotion to production, with the signing key stored outside the build host and rotated on schedule.
  • A GitHub or GitLab release bot publishes container images to a registry using a distinct identity for staging and production, preventing a staging compromise from reaching live environments.
  • A deployment workflow assumes a short-lived token only during approved release windows, reducing the blast radius if pipeline logs or runtime memory are exposed.
  • An enterprise reviews release accounts alongside findings in the Top 10 NHI Issues because over-privileged automation frequently hides in release tooling.
  • A software supply chain investigation uses lessons from the JetBrains GitHub plugin token exposure case to separate developer access from release authority and to remove shared secrets from build systems.

These patterns also align with guidance from the NIST Cybersecurity Framework 2.0, especially where controlled change, least privilege, and recovery planning intersect.

Why It Matters in NHI Security

Release identity is high risk because it can transform a single exposed token into a trusted path into production. When that identity is reused, long-lived, or granted broad environment access, defenders lose the ability to isolate a compromised build system from the rest of the software estate. NHIMG research shows that 97% of NHIs carry excessive privileges, which is directly relevant to release identities because release tools are often given more access than any human operator would receive.

That matters operationally because release identities are often embedded in CI/CD systems, artifact repositories, and automation scripts that are rarely reviewed with the same discipline applied to human admins. The result is a hidden control point that can be abused to inject malicious updates, tamper with signing, or move laterally across environments. The broader NHI problem described in the Ultimate Guide to NHIs shows why visibility, rotation, and revocation are essential, not optional.

Organisations typically encounter the consequences only after a compromised pipeline or tampered release, at which point release identity becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Release identities rely on secret handling and access scope controls.
OWASP Agentic AI Top 10 Autonomous agents often publish or trigger releases using delegated identities.
NIST CSF 2.0 PR.AC-4 Least privilege and access governance apply directly to release accounts.
NIST Zero Trust (SP 800-207) SC-7 Release workflows should be treated as segmented trust paths, not implicit trust zones.
NIST AI RMF Release automation using AI needs governance around autonomy and accountability.

Constrain agent-triggered release authority and require approval for high-impact deployment actions.