
Non-Human Identity inventory

A non-human identity inventory is the authoritative record of machine identities in an environment, including service accounts, tokens, API keys, certificates, and workload identities. It links each identity to ownership, environment, usage, and lifecycle state so security teams can review and govern access consistently.

Expanded Definition

An inventory for non-human identities is more than a list of accounts. It is the control plane for machine identity governance, tying each identity to an owner, purpose, environment, expiry, and trust boundary so teams can decide what should exist, what should rotate, and what should be revoked.

In practice, the inventory should cover service accounts, API keys, certificates, workload identities, and agent credentials used by automation and AI Agent systems. The industry still uses these labels inconsistently, so definitions vary across vendors, but the operational need is stable: know who or what holds access, where it is used, and whether it is still required. That alignment is consistent with the broader guidance in the Ultimate Guide to NHIs and with the identity governance principles in NIST Cybersecurity Framework 2.0.

The most common misapplication is treating the inventory as a one-time export from cloud or IAM tooling. That happens when teams do not continuously reconcile the record against runtime activity, secret stores, and dormant credentials, so the inventory drifts away from what actually holds access.

Examples and Use Cases

Implementing an NHI inventory rigorously often introduces operational overhead, requiring organisations to balance complete visibility against the effort needed to continuously reconcile every machine credential.

  • A platform team catalogs CI/CD service accounts, maps each one to a repository or deployment pipeline, and flags orphaned identities for review before they become persistent access paths.
  • A security team connects API keys to owning applications and application teams, then uses the inventory to prioritize rotation when a key appears in code or logs, as discussed in the Top 10 NHI Issues.
  • A cloud operations group inventories workload identities across clusters so certificates and tokens can be tracked against workload lifecycles, reducing the chance that retired services continue to authenticate.
  • An incident responder uses the inventory to determine whether a compromised token belongs to a critical production path, then checks whether the same identity is reused in other environments, a pattern seen in the 52 NHI Breaches Analysis.
  • A governance team pairs the inventory with workload identity standards such as NIST Cybersecurity Framework 2.0 to support access review, accountability, and lifecycle enforcement.
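The reconciliation loop described above (inventory versus secret store versus runtime activity, flagging orphaned, dormant, expired, unknown and cross-environment identities) can be shown in a few dozen lines. The following is an added example, not code from NHI Mgmt Group or from any of the cited guides; the inventory entries, secret-store listing, auth-log lines, identity names and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Reconcile a non-human identity inventory against a secret store and runtime auth logs.

Added example: all identities, log lines and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the run is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold


@dataclass
class NHIRecord:
    identity: str                # stable id: service account name, key id, cert subject
    kind: str                    # service_account | api_key | certificate | workload
    owner: Optional[str]         # owning team; None means orphaned
    environment: str             # environment the identity is approved for
    expires: Optional[datetime]  # None when the credential has no expiry set


# Constructed inventory (hypothetical names).
INVENTORY = [
    NHIRecord("ci-deployer", "service_account", "platform", "ci", NOW + timedelta(days=200)),
    NHIRecord("billing-api-key", "api_key", "payments", "prod", NOW - timedelta(days=3)),
    NHIRecord("legacy-reporting", "service_account", None, "prod", None),
    NHIRecord("ingress-cert", "certificate", "cloud-ops", "prod", NOW + timedelta(days=30)),
]

# Constructed secret-store listing: identities that currently hold a live credential.
SECRET_STORE = {"ci-deployer", "billing-api-key", "legacy-reporting",
                "ingress-cert", "unknown-bot-token"}

# Constructed runtime auth log: "<iso timestamp> <environment> <identity> <status>"
AUTH_LOG = """\
2024-05-30T10:00:00Z prod billing-api-key auth_ok
2024-05-31T08:15:00Z ci ci-deployer auth_ok
2024-05-31T09:00:00Z staging ci-deployer auth_ok
2024-02-01T12:00:00Z prod legacy-reporting auth_ok
2024-05-29T23:59:00Z prod unknown-bot-token auth_ok
"""


def parse_auth_log(text):
    """Return {identity: (last successful auth, {environments seen})}."""
    seen = {}
    for line in text.splitlines():
        ts, env, ident, status = line.split()
        if status != "auth_ok":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        last, envs = seen.get(ident, (None, set()))
        seen[ident] = (when if last is None or when > last else last, envs | {env})
    return seen


def reconcile(inventory, secret_store, auth_log_text, now=NOW):
    """Return {identity: [flags]} for a governance team to review.

    orphaned  : inventoried but has no owner
    expired   : credential is past its expiry
    dormant   : no successful auth within DORMANT_AFTER
    env_reuse : authenticates in an environment other than the inventoried one
    unknown   : holds a secret or authenticates but is absent from the inventory
    """
    activity = parse_auth_log(auth_log_text)
    known = {r.identity for r in inventory}
    findings = {}

    def flag(ident, f):
        findings.setdefault(ident, []).append(f)

    for r in inventory:
        if r.owner is None:
            flag(r.identity, "orphaned")
        if r.expires is not None and r.expires < now:
            flag(r.identity, "expired")
        last, envs = activity.get(r.identity, (None, set()))
        if last is None or now - last > DORMANT_AFTER:
            flag(r.identity, "dormant")
        if envs - {r.environment}:
            flag(r.identity, "env_reuse")

    # Anything the secret store or the logs know about that the inventory does not.
    for ident in sorted((secret_store | set(activity)) - known):
        flag(ident, "unknown")
    return findings


if __name__ == "__main__":
    for ident, flags in sorted(reconcile(INVENTORY, SECRET_STORE, AUTH_LOG).items()):
        print(f"{ident:20s} {', '.join(flags)}")
```

The three inputs are deliberately separate sources of truth: the inventory says what should exist, the secret store says what holds a credential, and the auth log says what is actually used and where. An identity that appears in only one of them is the signal the page calls out, and the same loop run on a schedule is what turns a one-time export into a maintained record.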

Why It Matters in NHI Security

An accurate inventory is the prerequisite for least privilege, rotation, offboarding, and incident response. Without it, organisations cannot tell which secrets are active, which identities are overprivileged, or which access paths belong to defunct systems. That is why NHIs are often the hidden gap in otherwise mature security programs, especially when machine identities outnumber human identities by 25x to 50x in modern enterprises, as documented in the Ultimate Guide to NHIs.

The risk is not theoretical. The same research shows that only 5.7% of organisations have full visibility into their service accounts, which means most teams are governing access they cannot fully see. That visibility gap makes inventory quality central to breach prevention, and it also explains why events such as the Cisco DevHub NHI breach and the JetBrains GitHub plugin token exposure are so instructive for defenders. Organisations typically encounter the operational cost of a weak inventory only after a token leak, audit failure, or privilege escalation exposes how much machine access was never properly owned, at which point building the inventory can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Directly addresses secret inventory, ownership, and lifecycle control for machine identities. |
| NIST CSF 2.0 | PR.AC | Access control outcomes depend on knowing every non-human identity and its entitlements. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous identity verification, including workload and service identities. |

Treat every NHI as a governed subject and verify access continuously rather than by network location.

Related resources from NHI Mgmt Group