Subscribe to the Non-Human & AI Identity Journal

What do teams get wrong about locking a vault versus logging out?

Teams often assume locking a vault removes local exposure, but it usually leaves encrypted data on the device. Logging out is the stronger reset because it clears the local copy and forces a fresh trust relationship with the server. Policies should distinguish those states clearly, especially for mobile and shared-device scenarios.

Why This Matters for Security Teams

The vault-versus-logout mistake is really a trust-boundary mistake. A locked vault can preserve local state, cached tokens, or encrypted copies of secrets on the device, while logout is the action that usually forces session teardown and re-authentication. That difference matters most on mobile devices, shared workstations, and any endpoint that may be inspected after a handoff. Current guidance suggests treating “locked” as a temporary convenience state, not a security reset.

This is why NHI governance teams focus on secret lifecycle, not just storage location. NHIMG’s Guide to the Secret Sprawl Challenge shows how quickly secrets accumulate across endpoints, collaboration tools, and duplicate stores. NIST also emphasizes strong access control and session management in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where residual access would create material exposure.

In practice, many security teams discover the difference only after a shared laptop, exported vault cache, or unattended mobile session has already exposed a secret.

How It Works in Practice

A locked vault usually means the application interface is inaccessible until the user re-enters credentials, but the underlying local artefacts may still exist. Those artefacts can include encrypted blobs, session tokens, device-bound caches, or metadata that helps the app resume without a full server-side reset. Logging out is stronger because it should terminate the session, invalidate the local trust relationship, and remove or render unusable the cached state.

For teams managing NHIs and secrets, the practical question is not “Is the vault locked?” but “What still remains trusted on the endpoint?” A good policy distinguishes at least three states:

  • Locked: user interaction is paused, but local state may persist.
  • Logged out: the server session is ended and local access should be revoked.
  • Wiped or re-provisioned: no reusable trust material should remain on the device.

That distinction becomes more important when secrets are dynamically issued. NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets explains why short-lived secrets reduce blast radius, but only if logout or revocation actually clears the active trust path. In server-backed systems, logout should trigger token revocation, cache invalidation, and reauthentication for any downstream access path. In endpoint-heavy environments, that should be paired with device-level protections such as secure enclaves, automatic lock timers, remote wipe, and session expiry checks. These controls tend to break down when offline devices must retain access for long periods because revocation cannot be confirmed in real time.

For environments with privileged access, this is also where NIST SP 800-53 Rev 5 Security and Privacy Controls maps cleanly to session control, device trust, and least-privilege enforcement, rather than relying on a single UI state as evidence of security.

Common Variations and Edge Cases

Tighter logout enforcement often increases user friction and support overhead, so organisations need to balance usability against the risk of residual access. Best practice is evolving here, especially where mobile workforce patterns and shared-device workflows are common.

One common edge case is the “vault lock” that still preserves a locally decrypted view for a short period after inactivity. That can be acceptable for low-risk data, but it should never be treated as equivalent to revocation. Another edge case is offline mode: if an app must work without connectivity, logout may not be able to call home immediately, which means local expiry rules and secure storage become critical. A third case is managed kiosks or jump hosts, where logout should be mandatory and session data should be destroyed at handoff.

The real operational rule is simple: if the device changes hands, the trust state must change too. A locked vault may protect against casual viewing, but it does not always remove the ability to resume access. Teams that rely on lock state alone often miss that distinction until a stolen device, shared tablet, or cached session becomes the first real test.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Logout and revocation determine whether NHI secrets remain usable on endpoints.
NIST CSF 2.0 PR.AC-4 Session and access control govern whether local trust persists after lock or logout.
NIST SP 800-63 Digital identity guidance supports reauthentication and session invalidation after logout.
NIST Zero Trust (SP 800-207) Zero Trust requires continuous verification instead of assuming a locked UI is safe.
NIST AI RMF AI risk management is relevant where autonomous agents store or reuse secrets on endpoints.

Treat locked vaults as temporary and enforce logout-driven revocation for all reusable NHI secrets.