Subscribe to the Non-Human & AI Identity Journal

Extended Support

Extended support is a paid or special service that continues limited maintenance after standard support has ended. It can reduce immediate exposure, but it should be treated as a temporary bridge with a defined exit plan, not as a permanent substitute for timely migration.

Expanded Definition

Extended support is the post-standard-support phase in which a vendor or service provider keeps a product, platform, or component minimally maintained for a fee or under special terms. It usually covers critical fixes, limited troubleshooting, or selective security updates, but not full feature development. In security governance, the distinction matters because extended support can lower immediate operational risk while still leaving the underlying technology on an aging, shrinking support path. That makes it different from active lifecycle support, where the product remains in routine maintenance, release cycles, and broad compatibility testing. The concept is closely aligned with lifecycle risk management in the NIST Cybersecurity Framework 2.0, where maintaining systems includes understanding asset status, exposure, and recovery implications.

Definitions vary across vendors because some treat extended support as a commercial contract layer, while others bundle it with long-term maintenance or security-only servicing. The most common misapplication is assuming extended support restores a product to normal operational status, which occurs when teams confuse limited patch coverage with full vendor accountability.

Examples and Use Cases

Implementing extended support rigorously often introduces cost and compatibility constraints, requiring organisations to weigh short-term continuity against delayed modernization and residual risk.

  • A healthcare provider keeps an older authentication appliance on extended support while completing a regulated migration to a newer platform.
  • A financial institution pays for extended support on a legacy directory service to preserve identity integrations while testing replacement controls under the NIST Cybersecurity Framework 2.0.
  • An engineering team uses extended support for a build server that still signs release artifacts, buying time to rework pipelines without immediate production interruption.
  • A security team treats extended support as a bridge, not a destination, because the Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, making old systems especially dangerous when they host service accounts or API keys.
  • An organisation delays decommissioning a legacy secrets store under extended support while it inventories where credentials are embedded in code, config files, and CI/CD tools.

Why It Matters for Security Teams

Extended support matters because it can preserve business operations while a security team executes migration, but it also creates a false sense of safety if leaders confuse “supported” with “secure.” Systems in extended support often remain harder to patch, less compatible with modern controls, and more exposed to identity and secrets risk when they continue to host service accounts, tokens, or certificates. That is especially relevant in NHI governance, where long-lived machine credentials and weak offboarding amplify the blast radius of an outdated platform. NHI Mgmt Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which makes prolonged legacy operation materially riskier. The Ultimate Guide to NHIs also notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. Organisations typically encounter the true cost of extended support only after a failed audit, a stalled upgrade, or a credential compromise, at which point the exit plan becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.SC-05 Supports lifecycle-aware supplier and technology risk decisions for extended support.
NIST SP 800-63 Legacy identity components in extended support can affect assurance and authentication trust.
OWASP Non-Human Identity Top 10 Extended support often prolongs exposure of service accounts, keys, and other NHIs.
NIST AI RMF If AI platforms or agents are involved, extended support should be governed as ongoing operational risk.

Track supported status, residual exposure, and exit deadlines before renewing any extended support contract.