TL;DR: Regulations like DORA, NIS2, GDPR, the EU Cyber Resilience Act, PCI DSS, and ISO 27001 increasingly demand control over identities, secrets, keys, certificates, and privileged access because those are the paths attackers use, according to Akeyless. The compliance story is really a governance story: if access, rotation, auditability, and lifecycle are weak, the programme is already behind.
At a glance
What this is: The article argues that modern compliance requirements are converging on the same identity-security controls: secrets, machine identities, cryptographic assets, and privileged access.
Why it matters: For IAM, PAM, and NHI teams, this matters because regulatory readiness now depends on whether identity controls can prove resilience, auditability, and lifecycle governance across both human and non-human access.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
👉 Read Akeyless's analysis of identity, secrets, and compliance controls
Context
Compliance pressure on identity and secrets security is no longer limited to one sector or one framework. DORA, NIS2, GDPR, the EU Cyber Resilience Act, PCI DSS, and ISO 27001 are all pushing the same operational question: can organisations prove control over credentials, keys, certificates, and privileged access before those assets become an entry point?
That shift matters because the real risk is not the regulation itself, but the control gap it exposes. Modern environments create more non-human identities, more delegation paths, and more places where secrets can persist longer than intended, which makes auditability, lifecycle governance, and access scope central to compliance as well as security.
Key questions
Q: How should organisations handle identity and secrets governance for compliance frameworks?
A: They should treat compliance as evidence of working controls, not as a reporting exercise. The focus should be on secrets management, access governance, key protection, certificate lifecycle management, and audit logging across both human and non-human identities. If those controls are weak, the organisation will struggle to prove resilience or accountability when regulators ask for operational evidence.
Q: Why do secrets and machine identities matter so much in regulatory programmes?
A: Because they are the practical routes into critical systems. Attackers often exploit a leaked key, unmanaged certificate, overprivileged token, or orphaned service account long before they touch a human login. Regulators care about these controls because they determine whether sensitive access can be governed, rotated, revoked, and audited in a defensible way.
Q: What do security teams get wrong about compliance and identity controls?
A: They often assume policy language or a tool purchase is enough. In reality, compliance fails when access outlives accountability, credentials are not rotated, certificates are not tracked, and audit logs do not match runtime behaviour. The control has to exist in production, not just in a framework mapping document.
Q: Who is accountable when non-human access causes a compliance failure?
A: Accountability should sit with the teams that own the credential, workload, or service relationship, not with the audit function after the fact. For NHI and cryptographic assets, that means the business or platform owner must be able to explain lifecycle, scope, and revocation decisions before an incident or assessment reveals the gap.
Technical breakdown
Why secrets management sits at the centre of compliance
Secrets management is the discipline of protecting API keys, tokens, certificates, passwords, and other credentials that machines and people use to authenticate. In regulated environments, the issue is not only storage but also rotation, distribution, revocation, and auditability. When secrets are hardcoded, shared, or long-lived, compliance evidence becomes weak because the organisation cannot show who had access, for how long, and under what control. This is why secrets management keeps showing up inside broader governance and resilience requirements across identity, access, and cryptography.
Practical implication: map every secret type to an owner, rotation rule, and revocation path before audit season exposes the gaps.
How certificate lifecycle management affects identity governance
Certificates are machine credentials with an expiry date, a trust chain, and an operational footprint that often spans applications, workloads, and third-party services. Lifecycle management means issuing, renewing, replacing, and retiring certificates without leaving stale trust behind. In practice, expired or orphaned certificates create both availability risk and governance risk because they can break services or remain trusted after the business relationship changes. For compliance, certificate control is evidence that identity governance extends beyond human logins into machine trust.
Practical implication: track certificate owners and renewal dates as rigorously as user access reviews and offboarding.
Why zero knowledge changes regulated access control
Zero-knowledge architecture keeps sensitive material under customer control rather than allowing a service provider to hold the complete key or secret in usable form. That matters in regulated environments because it reduces third-party exposure and strengthens the case that the organisation, not a platform operator, retains control over cryptographic assets. The governance value is not marketing language. It is the ability to limit who can reconstruct, view, or misuse critical secrets, which improves accountability, data sovereignty, and audit defensibility.
Practical implication: assess whether your current vaulting or key-management model can prove exclusive control over the highest-risk cryptographic assets.
Threat narrative
Attacker objective: The objective is to turn weak identity and secrets governance into a reliable path into critical systems and sensitive data.
- Entry occurs when attackers gain access through exposed secrets, unmanaged machine identities, or overprivileged credentials that were never fully governed.
- Escalation follows when standing privilege, weak monitoring, or poor lifecycle controls let those credentials reach more systems than intended.
- Impact lands in service disruption, data exposure, or compliance failure because the organisation cannot prove control over access paths that were already in use.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance is now an identity control problem, not a paperwork problem. The article reflects a broader market truth: DORA, NIS2, GDPR, PCI DSS, and ISO 27001 all converge on the same operational evidence, which is control over identities, secrets, keys, certificates, and privileged access. That means governance teams can no longer separate regulatory readiness from NHI and PAM discipline. Practitioners should treat compliance requirements as a test of whether identity controls actually work in production.
Secret sprawl is the compliance failure mode regulators are really seeing. Hardcoded credentials, unmanaged certificates, overprivileged tokens, and fragmented audit trails are not separate issues. They are one governance pattern: access paths outliving the controls meant to manage them. The practical conclusion is that organisations need to judge compliance by the state of credential lifecycle and access scope, not by policy documents alone.
Zero-knowledge control is becoming a governance requirement, not just an architecture preference. When sensitive keys or secrets remain reconstructable by the platform operator, third-party risk persists even if the rest of the control stack looks strong. That weakens the custody story regulators care about, especially in financial services and critical infrastructure. Practitioners should evaluate whether the organisation truly retains exclusive control over its highest-value cryptographic assets.
Machine identity is now part of secure-by-design compliance. The EU Cyber Resilience Act and related frameworks make it hard to treat APIs, containers, workloads, and AI agents as peripheral. These are operational identities that authenticate, retrieve data, and trigger actions. The identity programme therefore has to extend lifecycle governance, audit logging, and privilege control to non-human actors with the same seriousness applied to employees.
Multi-framework compliance will keep pushing identity teams toward shared control planes. The article points to an environment where one control can satisfy multiple obligations only if it is consistently applied across secrets, keys, certificates, and access governance. That does not eliminate framework differences, but it does mean the identity stack is becoming the common layer across regulatory obligations. Practitioners should expect more pressure to unify control evidence across NHI, PAM, and cryptographic governance.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For broader governance context, see 52 NHI Breaches Analysis for recurring failure patterns and remediation themes.
What this signals
Compliance programmes are becoming identity programmes by default. As frameworks continue to converge on access control, auditability, and cryptographic governance, the practical boundary between regulatory readiness and NHI security keeps shrinking. Teams that still separate compliance evidence from runtime identity controls will find that the same weakness appears in both audit results and incident response.
Credential lifecycle is the control that will absorb the most pressure. The biggest gap is no longer whether organisations have a vault, but whether they can prove rotation, revocation, and ownership across machine identities, certificates, and privileged access. That is where the regulatory and operational risk compounds fastest, especially in hybrid and multi-cloud environments.
As more systems depend on non-human access, the programme needs a unified evidence layer. Access logs, rotation histories, certificate renewals, and key custody records should be reviewable as one control story rather than separate artefacts. For teams trying to operationalise this, the natural next step is to compare current evidence quality against the control guidance in the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.
For practitioners
- Map compliance obligations to identity controls Create a crosswalk that ties each framework requirement to secrets management, key protection, certificate lifecycle, access governance, and audit logging. Use that map to find where evidence is missing rather than where policy text exists.
- Inventory machine credentials and certificate owners Assign an accountable owner, lifecycle state, and renewal path for every API key, token, certificate, and service account so orphaned access cannot survive a vendor change or internal reorganisation.
- Replace standing privilege with task-scoped access Restrict elevated access to time-bound, task-bound approvals and keep the issuance record tied to the workload, certificate, or service account that used it.
- Prove exclusive control over cryptographic assets Test whether your key-management design can demonstrate that customer-controlled fragments, root keys, and recovery paths are not reconstructable by the platform operator or an unauthorised admin.
- Align audit evidence to runtime reality Reconcile logs, rotation records, and revocation events with live access paths so the audit trail reflects actual credential use, not only intended policy.
Key takeaways
- Modern compliance is exposing the same weakness across multiple frameworks: weak identity, secrets, and cryptographic governance.
- The scale of the problem is already established, with NHI compromise and visibility gaps showing that governance failures are operational, not theoretical.
- Practitioners need to prove lifecycle control, auditability, and exclusive custody over sensitive access paths, not just map policies to frameworks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on secret rotation, lifecycle control, and unmanaged credentials. |
| NIST CSF 2.0 | PR.AC-4 | The post is about controlling and limiting access across regulated environments. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential management and rotation are central to the compliance controls discussed. |
| NIST Zero Trust (SP 800-207) | The article’s focus on least privilege and dynamic access aligns with zero trust. | |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance is a direct theme in the article’s compliance mapping. |
Map every secret and machine identity to an owner, rotation rule, and revocation path.
Key terms
- Secrets Management: Secrets management is the discipline of controlling credentials such as API keys, tokens, passwords, and certificates across their full lifecycle. In regulated environments it must cover issuance, storage, rotation, revocation, and auditability so access can be proven and reduced when business relationships or system needs change.
- Machine Identity: A machine identity is the credentialed identity used by software, workloads, devices, or services to authenticate and interact with other systems. It behaves like an identity governance object, which means ownership, scope, lifecycle, and evidence matter just as much as they do for human accounts.
- Certificate Lifecycle Management: Certificate lifecycle management covers the issue, renewal, replacement, and retirement of digital certificates before trust breaks or stale credentials remain active. For identity programmes, it is the control that keeps machine trust current, traceable, and aligned to the systems and services that depend on it.
- Zero-Knowledge Architecture: Zero-knowledge architecture is a custody model in which the platform cannot reconstruct the customer’s sensitive secret or key material in usable form. The control value is reduced third-party exposure and stronger proof that the organisation retains exclusive control over high-risk cryptographic assets.
What's in the full article
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- Framework-by-framework breakdowns of how DORA, NIS2, GDPR, PCI DSS, ISO 27001, and CRA map to identity and cryptographic controls.
- Specific product capabilities for secrets management, machine identity security, encryption, key management, and certificate lifecycle management.
- Detailed examples of how zero-knowledge architecture and distributed fragments cryptography change custody and auditability assumptions.
- The article's own explanation of how AI agent access and secure-by-design expectations intersect with compliance requirements.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org