Yes. Offboarding should include API keys, tokens, certificates, and service accounts because those identities can survive personnel changes and continue accessing systems. If ownership is not reviewed during exit processes, stale access can remain active long after the human relationship ends.
Why Ownership Checks Belong in Offboarding
Ownership checks are a core offboarding control because Non-Human Identities often outlive the people who created them. API keys, tokens, certificates, and service accounts can keep working after a resignation, transfer, or contractor exit unless someone confirms who owns them and whether they are still needed. That gap is especially dangerous in environments with weak visibility: NHI Mgmt Group research notes that only 5.7% of organisations have full visibility into their service accounts, and 91% of former employee tokens remain active after offboarding in The 2025 State of NHIs and Secrets in Cybersecurity.
Offboarding is not just a human access event. It is also a dependency check for the workloads, pipelines, and automations that rely on that person’s credentials. Current guidance from NIST Cybersecurity Framework 2.0 points organisations toward governance, asset visibility, and access control, but the practical problem is that NHI ownership is often informal, undocumented, or shared across teams. In practice, many security teams encounter stale NHI access only after a credential has been reused, exposed, or abused, rather than through intentional offboarding review.
How Ownership Checks Should Work in Practice
A usable offboarding workflow should confirm three things: who owns each identity, what business function depends on it, and whether the identity should be rotated, reassigned, or removed. That means checking secrets stores, CI/CD variables, code repositories, vault entries, cloud IAM bindings, and certificate registries, not just HR records. The NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both emphasise lifecycle ownership because identities fail most often when no one is accountable for review at the end of employment or contract terms.
- Map each NHI to a named technical owner and a business owner.
- Verify whether the identity is tied to a live application, pipeline, or integration.
- Revoke or rotate secrets when the owner leaves, changes role, or loses responsibility.
- Escalate shared or unknown ownership as a security exception, not a routine closure.
Where possible, align the workflow with zero trust and least privilege principles, then use logging to prove that access was reviewed before the offboarding ticket closes. NIST CSF 2.0 is helpful here because it reinforces governance and access management rather than treating credentials as a one-time provisioning task. This matters most when service accounts are embedded in automation, because the original human owner may disappear while the workload continues to operate on the same credentials.
These controls tend to break down when identities are hard-coded into applications or duplicated across multiple environments, because ownership cannot be traced quickly enough to support safe revocation.
Common Variations and Edge Cases
Tighter ownership checks often increase ticket volume and coordination overhead, so organisations have to balance security gains against operational friction. That tradeoff is real, especially where engineering teams share service accounts, legacy systems lack metadata, or third-party vendors manage part of the identity stack. Best practice is evolving here, and there is no universal standard for every environment, but the direction is clear: unknown ownership should be treated as a risk signal, not an acceptable default.
One practical variation is temporary reassignment during a handover window. Another is staged revocation, where the identity is first tagged, monitored, and then disabled once the dependent service is confirmed. This approach fits organisations that need continuity while reducing the chance that an abandoned credential stays active indefinitely. It also aligns with the broader NHI risk patterns described in Top 10 NHI Issues, especially poor visibility, overprivileged access, and secrets scattered outside managed controls.
For regulated or high-availability systems, the offboarding rule should be stricter: no ownership, no exception. In those environments, the safest path is to force a review of every NHI before the employee or contractor exit is fully closed, then document who accepted responsibility for any surviving credential.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding must remove or rotate exposed NHI secrets and stale credentials. |
| NIST CSF 2.0 | PR.AC-4 | Ownership checks support least-privilege access review and timely deprovisioning. |
| NIST AI RMF | Governance is needed to assign accountability for autonomous or software-driven identities. |
Inventory owned NHIs, verify ownership at exit, and revoke or rotate any credential tied to the leaver.
