Subscribe to the Non-Human & AI Identity Journal

How should organisations govern business wallets in regulated identity programmes?

They should treat business wallets as part of the identity governance stack, not a side channel. That means defining authoritative sources for attributes, approval rules for issuance, revocation handling, audit retention, and ownership across IAM, IGA, and compliance. Without those controls, portable identity evidence can create a second, less visible identity estate.

Why This Matters for Security Teams

Business wallets can look like a convenience layer, but in regulated identity programmes they effectively become another identity container with audit, entitlement, and recovery implications. If the wallet holds portable evidence, attestations, or verifiable credentials, the organisation must know who issues it, what attributes it represents, how it is revoked, and how that status flows into IAM and compliance records. That is the same governance problem NHI teams face with service accounts and API keys.

The risk is not theoretical. NHIMG’s Ultimate Guide to NHIs notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is a useful warning sign for any portable identity mechanism that can be overissued or left active too long. The control challenge is compounded when wallet state is spread across compliance, HR, and application teams instead of a single governance model. Current guidance from NIST Cybersecurity Framework 2.0 still points to explicit ownership, lifecycle control, and continuous monitoring as the baseline.

In practice, many security teams discover wallet governance gaps only after a revocation, audit, or delegated access event has already exposed the missing control plane, rather than through intentional design.

How It Works in Practice

Governance starts by treating the wallet as a managed identity artifact, not a self-service endpoint. That means defining the authoritative source for the wallet holder’s attributes, the approval chain for issuance, the conditions under which claims can be updated, and the events that trigger suspension or revocation. The wallet should inherit policy from the same identity governance stack that manages privileged access, even if the underlying credential format is different.

A practical operating model usually includes three layers:

  • Identity proofing and issuance rules, so only approved subjects receive business wallets with regulated claims.
  • Lifecycle controls, so revocation, renewal, and re-binding are tied to employee changes, role changes, and compliance events.
  • Evidence retention and auditability, so the organisation can prove when a wallet was issued, who approved it, and when it was invalidated.

That model aligns well with the control logic in NIST SP 800-53 Rev. 5 Security and Privacy Controls, especially where organisations need traceable access approval, accountability, and record retention. It also fits the lifecycle emphasis in NHIMG’s Lifecycle Processes for Managing NHIs guidance, where hidden identities become a risk when ownership and offboarding are unclear.

Operationally, the wallet should be tied to revocation sources outside the wallet itself, such as HR termination, contractor expiry, fraud signals, or compliance holds. Best practice is evolving on whether issuance should be fully automated or require human approval for regulated claims, but there is no universal standard for that yet. These controls tend to break down in federated ecosystems where the wallet issuer, relying party, and regulator each keep separate lifecycle records, because revocation can lag even when the source system has already marked the identity inactive.

Common Variations and Edge Cases

Tighter wallet governance often increases onboarding friction and audit overhead, so organisations have to balance regulatory assurance against user experience and operational speed. That tradeoff becomes sharper when business wallets are used across borders, subsidiaries, or third-party ecosystems with different retention and evidentiary requirements.

One common edge case is delegated or shared wallet administration. If an operations team can reissue or restore wallets without strong segregation of duties, the wallet estate can become a shadow identity store. Another is offline verification, where a wallet may remain usable longer than the central governance system expects, so revocation design must account for propagation delays and cached proofs. NHIMG’s Regulatory and Audit Perspectives section is useful here because it frames identity evidence as something auditors will test for provenance, not just existence.

Current guidance suggests that wallet governance should be explicit about ownership, but not all frameworks yet agree on whether the wallet provider, the credential issuer, or the business process owner is accountable for every lifecycle event. In multi-entity programmes, that ambiguity is usually where failures begin. Organisations that ignore that split often find the issue first through 52 NHI Breaches Analysis-style post-incident review patterns, not through routine control testing.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Wallets need governed issuance, approval, and revocation under access control.
NIST SP 800-53 Rev 5 AC-2 Business wallets are identity instances that require account lifecycle control.
NIST AI RMF Governance must define accountability for autonomous identity evidence handling.
OWASP Non-Human Identity Top 10 NHI-03 Portable wallet credentials can become long-lived secrets without rotation and revocation.
CSA MAESTRO Agentic governance patterns help model wallet issuance, delegation, and revocation workflows.

Treat wallet issuance and disabling as account management events with tracked approvals and removal.