Subscribe to the Non-Human & AI Identity Journal

End-of-life software

Software that no longer receives upstream security fixes, compatibility updates, or vendor support. In security governance terms, EOL status means the organisation owns every remaining patching, compatibility, and risk decision, including how dependencies and access paths are controlled.

Expanded Definition

End-of-life software is not just “old” software. It is software that has crossed a support boundary, meaning the vendor no longer provides security fixes, compatibility updates, or lifecycle assistance. That distinction matters because the organisation inherits the full burden of compensating controls, patch risk acceptance, and dependency management.

In practice, EOL status is a governance signal as much as a technical one. Security teams must decide whether to retire the software, isolate it, replace it, or accept residual risk while a migration completes. The risk often extends beyond the application itself to embedded libraries, plugins, automation scripts, and access paths that still trust the obsolete component. NIST’s NIST Cybersecurity Framework 2.0 aligns with this lifecycle view by emphasizing asset management, risk treatment, and recovery planning rather than assuming vendors will continue to remediate exposures.

The most common misapplication is treating EOL software as a routine patching delay, which occurs when teams keep production instances online after upstream support has already ended.

Examples and Use Cases

Implementing EOL controls rigorously often introduces migration friction, requiring organisations to weigh operational continuity against the cost and risk of remaining on an unsupported stack.

  • Retiring an EOL operating system on a server that still hosts authentication tooling, because the unsupported base layer can invalidate the security of every workload above it.
  • Segmenting a legacy application that cannot yet be replaced, so compensating controls such as restricted network paths and hardened admin access reduce exposure during transition.
  • Replacing an EOL library embedded in a CI/CD pipeline, where dependency risk can quietly persist even after the visible application has been modernized.
  • Auditing service accounts and API keys tied to deprecated systems, since the Ultimate Guide to NHIs notes that only 20% of organisations have formal offboarding and revocation processes for those credentials.
  • Tracking vendor announcements for end-of-support dates and cross-checking them against asset inventories, change calendars, and NIST Cybersecurity Framework 2.0 risk treatment processes.

For identity-heavy environments, EOL software can be especially dangerous when it still holds secrets or runs unattended machine access. NHIMG’s Ultimate Guide to NHIs reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes unsupported software a persistence point for attackers.

Why It Matters for Security Teams

Security teams need a precise EOL inventory because unsupported software changes the control model. Patch management no longer solves the problem on its own, and compensating controls become mandatory if the system remains in service. That often means tighter segmentation, stronger access restrictions, dependency mapping, and explicit executive acceptance of residual risk. When EOL software is embedded in identity workflows, the impact is broader still, because service accounts, secrets, automation jobs, and agentic tool access may all depend on the unsupported component.

This matters operationally because unsupported systems are frequently the hidden anchor behind incidents involving exposure, lateral movement, or failed recovery. NHIMG research in the Ultimate Guide to NHIs shows that 71% of NHIs are not rotated within recommended time frames, and 96% of organisations store secrets outside secrets managers in vulnerable locations, both of which intensify the blast radius when a legacy platform persists.

Organisations typically encounter the true cost of end-of-life software only after an audit, exploit, or failed migration reveals that the unsupported system still sits on a critical access path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 ID.AM EOL software is an asset lifecycle and risk management issue under CSF inventory and governance practices.
NIST SP 800-53 Rev 5 SI-2 Security flaw remediation requirements apply differently once vendor support has ended.
ISO/IEC 27001:2022 A.8.9 Information security configuration and lifecycle control support managing unsupported software risk.
NIST SP 800-63 EOL software often protects identity workflows, where credential assurance and access control still must be preserved.
OWASP Non-Human Identity Top 10 Unsupported software commonly stores or processes NHI secrets, tokens, and service-account credentials.

Maintain an authoritative inventory and enforce controlled retirement for software that no longer receives support.