They should remove avoidable manual steps from routine work while keeping higher-risk changes governed through stricter approvals. The goal is to separate operational throughput from risk acceptance. If access, licensing, and device management can be standardised and logged, teams can move faster without creating blind spots in compliance or accountability.
Why This Matters for Security Teams
Public-sector teams are under pressure to speed up delivery, but most friction comes from manual approval paths that treat every request as if it carries the same risk. That approach creates bottlenecks for routine access, licensing, and endpoint changes while still failing to concentrate scrutiny on the actions that actually need human judgment. Current guidance from the NIST Cybersecurity Framework 2.0 points toward risk-based governance rather than blanket delay.
The practical issue is not whether control should exist. It is whether control is applied at the right point in the workflow, with evidence preserved and exceptions clearly bounded. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which helps explain why teams often slow down everything instead of managing the assets and entitlements that matter most. The Ultimate Guide to NHIs — Standards frames this as a governance and visibility problem, not just an operations problem. In practice, many security teams discover weak control only after a routine exception has already been approved without enough review.
How It Works in Practice
The fastest way to reduce delivery friction is to standardise low-risk requests into pre-approved paths and reserve manual review for genuinely sensitive changes. That means defining which requests can be automated, which must be logged, and which require human approval based on data sensitivity, privilege level, and blast radius. For public-sector environments, this often includes separate handling for routine device enrolment, software licensing, service account changes, and privileged access.
Control improves when approvals are tied to policy, not inboxes. A team can use policy-as-code for consistent decisions, keep an auditable change record, and trigger additional checks only when a request crosses a threshold. That aligns with the NIST Cybersecurity Framework 2.0 emphasis on repeatable, documented processes. The NHIMG standards guide is especially relevant where access is granted to service accounts, API keys, or automation roles, because those identities often outlive the ticket that created them.
- Pre-approve standard requests with clear thresholds and expiry rules.
- Use RBAC to narrow who can request or approve, but do not rely on RBAC alone to decide risk.
- Log the request, approver, policy outcome, and resulting change in one audit trail.
- Require stronger approval only when the request changes privilege, data exposure, or external connectivity.
- Review automated exceptions on a schedule so speed does not turn into drift.
This guidance tends to break down when legacy systems force manual service desk handling for every change because the approval workflow and the technical control plane are disconnected.
Common Variations and Edge Cases
Tighter control often increases queue time, so organisations have to balance speed against assurance rather than trying to eliminate review entirely. In public-sector delivery, that tradeoff is usually acceptable only when higher-risk actions remain under stricter governance and routine actions are genuinely low risk.
One common edge case is shared infrastructure managed by multiple agencies or contractors. In those environments, standardisation can help, but there is no universal standard for this yet on how much delegation is safe without separate trust boundaries. Another issue is emergency change handling: current guidance suggests that break-glass access should be rare, time-bound, and reviewed after the fact, not used as a standing workaround. Where secrets are involved, the risks escalate quickly; NHIMG notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations, which makes automation without vault-backed controls a shortcut, not an improvement.
Public-sector teams get the best results when they define a small set of approved workflows and measure how often exceptions are used. If exceptions become common, the process is too rigid or the risk model is wrong. If nothing is ever escalated, the control may be cosmetic rather than real. That is the operational balance that keeps delivery moving without weakening oversight.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Supports least-privilege access decisions for routine work. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI visibility and governance for service accounts and secrets. |
| CSA MAESTRO | GOV-02 | Addresses governance for agentic and automated workflows. |
| NIST AI RMF | GOVERN | Connects risk-based governance to accountable decision-making. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero Trust requires explicit, context-based access decisions. |
Standardise access pathways and review entitlements so routine changes stay low-friction and auditable.
Related resources from NHI Mgmt Group
- How should security teams reduce passwordless friction without weakening control?
- How should security teams reduce IAM friction without weakening control?
- How should security teams handle remote access platform end-of-life without weakening control?
- How can security teams reduce friction without weakening privileged access controls?