The organisation loses the ability to control the device after deployment. Unpatchable devices accumulate risk over time, and unrevocable identities remain trusted even after compromise or replacement. That turns a single device flaw into a persistent governance problem across the environment.
Why This Matters for Security Teams
When an IoT device cannot be patched or revoked, the issue is not just a defect in firmware. It becomes a lifecycle failure in identity, trust, and containment. The device stays in service with the same credentials, same network position, and same assumptions about integrity, even when the hardware is known to be vulnerable. That is exactly the pattern NHI Management Group warns about in its Ultimate Guide to NHIs and the Top 10 NHI Issues.
Security teams often underestimate how fast this becomes systemic. A single unpatchable device can retain access to telemetry systems, cloud APIs, or operational networks long after it should have been retired. If the identity cannot be revoked, replacement does not fully remove trust either, because the old credential may still authenticate. That is why guidance from the OWASP Non-Human Identity Top 10 matters here: control the identity lifecycle, not just the device lifecycle. In practice, many security teams encounter these failures only after the device has been compromised or decommissioned, rather than through intentional offboarding.
How It Works in Practice
The practical break happens in three places: patching, revocation, and replacement. If a device cannot be patched, defenders lose the normal route for removing the vulnerability. If it cannot be revoked, defenders also lose the ability to invalidate the trust relationship. That means the organisation has to assume the device may remain partially trusted indefinitely, which is especially dangerous when the device can call APIs, push data, or participate in automation flows.
The best current guidance is to shift from permanent credentials to short-lived, device-bound trust. That usually means workload identity, mTLS-backed authentication, certificate rotation, and tightly scoped authorisation rules that can be changed centrally. For IoT and embedded environments, this should be paired with network segmentation, device attestation where supported, and a retirement process that disables access even if the device cannot be physically updated. NHI Management Group’s NHI Lifecycle Management Guide and Static vs Dynamic Secrets both reinforce the same operational point: if identity outlives device control, risk persists.
- Use per-device identity, not shared credentials.
- Prefer short-lived certificates or tokens with clear expiry.
- Track device ownership, firmware state, and credential state separately.
- Disable access at the broker, gateway, or policy layer when revocation is impossible on-device.
Where possible, pair this with offline detection and anomaly monitoring so an immutable device does not become an invisible foothold. These controls tend to break down in legacy industrial and field-deployed environments because devices are frequently unreachable, vendor-locked, or too resource-constrained to support modern rotation and revocation.
Common Variations and Edge Cases
Tighter device control often increases operational overhead, requiring organisations to balance reliability against manageability. That tradeoff is sharpest in OT, medical, and remote IoT deployments, where uptime requirements can delay replacement and firmware support may already be expired. Current guidance suggests that these environments should be treated as risk-acceptance exceptions only when compensating controls are documented and reviewed.
One common edge case is a device that cannot be patched but can still be isolated. In that situation, network containment may reduce exposure, but it does not remove trust, especially if the identity remains valid. Another edge case is device replacement without credential retirement. This is a frequent failure mode because the old identity may still authenticate, which is why the Guide to the Secret Sprawl Challenge is relevant even for hardware problems: stale secrets are often the real persistence mechanism. The core lesson is simple. If revocation is impossible, the device must be treated as a standing exception with time-limited scope, not as a permanently trusted asset.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses stale device identities and unmanaged credential lifecycles. |
| NIST CSF 2.0 | PR.AC-1 | Access control is central when device trust cannot be patched away. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero Trust reduces reliance on permanently trusted device posture. |
| NIST AI RMF | GOVERN | Unrevocable devices create governance risk that needs ownership and review. |
Inventory every device identity, set expiry, and revoke or replace credentials on a fixed schedule.
Related resources from NHI Mgmt Group
- What is the main governance risk of aggressive footprint trimming in IoT devices?
- Who should own the risk when a third-party component cannot be patched quickly?
- What breaks when third-party access cannot be revoked centrally?
- What breaks when organisations cannot see AI agents across devices and browsers?