By NHI Mgmt Group Editorial Team
Published 2025-12-09
Domain: Governance & Risk
Source: Unosecur

TL;DR: DORA makes identity a resilience control, because access governance, machine credentials, vendor federation, and audit evidence all determine whether financial entities can prove operational control, according to Unosecur. The regulation turns fragmented IAM hygiene into a compliance and resilience problem that demands continuous visibility, privilege control, and traceable lifecycle management.


At a glance

What this is: This article argues that DORA effectively turns identity governance into a core operational resilience control across human, machine, and third-party access.

Why it matters: For IAM and NHI practitioners in financial services, it reframes access, rotation, and evidence collection as resilience requirements rather than internal hygiene tasks.


👉 Read Unosecur's analysis of identity risks and DORA resilience controls


Context

DORA exposes a familiar gap in financial services: identity is often managed as administration, while the regulation treats it as part of operational resilience. That mismatch matters because access, credentials, and lifecycle decisions shape whether an institution can demonstrate control across cloud, SaaS, third parties, and machine workloads.

In practice, the article centers on identity security posture management and identity threat detection as the control layer that ties access decisions to evidence. The starting position described here is common rather than exceptional, which is why DORA creates pressure on both governance design and audit readiness.


Key questions

Q: How should financial entities align NHI governance with DORA requirements?

A: They should treat NHI governance as part of operational resilience, not a separate IAM task. That means discovery, ownership, privilege review, rotation, and offboarding all need evidence trails that prove access decisions were controlled and timely. If the organisation cannot show that, DORA readiness remains fragile.

Q: Why do NHIs create such a difficult DORA compliance problem?

A: NHIs are difficult because they multiply faster than human accounts, often carry elevated privileges, and are managed inconsistently across cloud, SaaS, and vendor workflows. Those traits make it hard to prove who owns them, when they were last reviewed, and whether access still matches policy.

Q: What is the difference between IAM hygiene and DORA-ready identity governance?

A: IAM hygiene focuses on keeping accounts organized, while DORA-ready identity governance ties every access decision to risk, evidence, and operational continuity. The difference is whether identity controls can survive audit and incident pressure, not just whether accounts exist in a directory.

Q: Should organisations prioritise machine identities before human access reviews?

A: They should prioritise both, but machine identities often deserve immediate attention because they are numerous, long-lived, and under-reviewed. If service accounts and keys are unmanaged, human access reviews alone will not close the largest exposure paths.


Technical breakdown

Why identity becomes a resilience control under DORA

DORA does not name identity as a standalone control category, but its requirements depend on it. Strong authentication, traceable access decisions, timely revocation, third-party oversight, and incident evidence all rely on identity data being accurate and current. When identity records are fragmented, resilience testing and incident reporting become weak because the institution cannot show who had access, why it was granted, or when it changed. The control problem is therefore not only access management, but evidence quality across the identity lifecycle.

Practical implication: Map identity governance outputs directly to resilience and audit evidence, not just to account administration.

Machine identities and vendor identities expand the control surface

Financial environments now depend on service accounts, API keys, certificates, and federated vendor access as much as on human logins. These non-human identities often carry broader privileges, longer lifetimes, and weaker review processes than employee accounts. That makes them structurally harder to govern under a resilience model because compromise can persist unnoticed and privilege can outlive the business need. The technical issue is lifecycle discipline: discovery, ownership, rotation, and offboarding must be visible for every identity type, not only users.

Practical implication: Extend inventory, review, and revocation controls to every machine and third-party identity in scope.

Why manual access reviews fail under audit pressure

Spreadsheets, email approvals, and periodic review cycles break down when a regulator expects continuous traceability. Manual processes create gaps between policy intent and actual entitlements, especially where cloud roles, SaaS permissions, and vendor federations change quickly. They also make it hard to correlate an access event with a rationale, a risk score, or a compensating control. Under DORA, the technical weakness is not merely inefficiency. It is the inability to produce consistent evidence at the pace operations demand.

Practical implication: Automate entitlement review, revocation, and evidence capture so audit trails are built during operation, not reconstructed afterward.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

Identity is no longer a supporting control in financial services. It is the mechanism through which DORA becomes testable, auditable, and enforceable. If an institution cannot show who had access, why it existed, and how quickly it was removed, it cannot credibly argue resilience. The governance layer is therefore the control plane for compliance, not an afterthought. Practitioners should treat identity evidence as part of resilience architecture, not as administrative output.

Machine identity sprawl is the least visible DORA risk because it combines privilege, persistence, and weak ownership. Service accounts, keys, and certificates often live longer than the workloads they support, which means compromise can survive normal human review cycles. The field needs a tighter lifecycle model for NHI inventory, rotation, and offboarding. Practitioners should assume the machine identity estate is larger and less governed than the human estate.

Third-party identity creates a trust gap that cannot be solved by onboarding checks alone. DORA raises the bar from initial assurance to continuous oversight, which means vendor access must be monitored for privilege drift, contract changes, and evidence quality over time. That shifts the discipline from point-in-time approval to persistent control verification. Practitioners should re-evaluate whether their partner access model can survive ongoing scrutiny.

Continuous access governance is the practical alternative to periodic compliance theatre. When review cycles are slow, controls become retrospective and discover problems only after privileges have already expanded. DORA rewards institutions that can connect access decisions to policy, risk, and revocation in near real time. Practitioners should move from scheduled review events to continuous governance workflows.

Identity security posture management is becoming the named concept behind operational resilience for NHIs. The value of that framing is that it links discovery, privilege, lifecycle, and audit evidence into one governance model. Financial entities should use that model to unify IAM, NHI, and resilience teams around a single control narrative. Practitioners should measure whether their identity posture is actually defensible under audit, not merely documented.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that revocation lag is still a material control gap.
  • See Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the lifecycle controls that close rotation and offboarding gaps.

What this signals

Identity blast radius: financial entities should now judge identity controls by how quickly they reduce exposure after access changes, not by how many accounts are in scope. In a DORA context, that means continuous review, fast revocation, and evidence retention become operational requirements rather than back-office tasks.

The governance signal is clear: institutions that cannot connect entitlement changes to policy and audit evidence will struggle to prove resilience under DORA. Teams should combine identity posture management with frameworks such as the NIST Cybersecurity Framework 2.0 to align identity controls with govern, protect, detect, and respond outcomes.

If machine and third-party identities remain outside the same review cadence as employees, the control model will keep failing where regulators look hardest. That is why the NHI estate needs its own inventory, ownership, and revocation discipline, anchored to the Ultimate Guide to NHIs.


For practitioners

  • Build a DORA identity control map: Map human, machine, and third-party identities to the DORA obligations they support, then identify where access, rotation, and evidence are missing.
  • Inventory all non-human identities with ownership: Create a complete service account, API key, certificate, and workload identity inventory with an accountable owner and review cadence for each record.
  • Automate lifecycle revocation and rotation: Replace manual key and account cleanup with automated revocation workflows, continuous rotation policies, and offboarding checks tied to contract or role changes.
  • Create audit-ready evidence paths: Preserve access rationale, entitlement changes, and control outcomes in a form that can be exported quickly during a DORA review or incident investigation.
  • Monitor third-party access continuously: Track vendor federation, privilege drift, and authentication behaviour over time instead of relying on onboarding questionnaires and annual recertification.
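As an added illustration (not code from Unosecur or the NHI Mgmt Group), the Python below runs the inventory, ownership, rotation, review, privilege and revocation-lag checks from the steps above over a constructed NHI inventory and emits one audit evidence record per identity at evaluation time. The thresholds, field names and sample records are assumptions chosen for the example.

```python
# Illustrative NHI lifecycle posture check over a constructed inventory; emits evidence records.
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2025, 12, 9)                     # constructed evaluation date
MAX_ROTATION_DAYS, MAX_REVIEW_DAYS = 90, 180  # assumed policy thresholds, not DORA values
MAX_REVOCATION_LAG_DAYS = 5                   # article: secrets often still valid 5 days after notice

@dataclass
class Nhi:
    name: str
    owner: Optional[str]                 # accountable owner; None is an ownership gap
    privileges: list                     # entitlement strings as inventoried
    last_rotated: Optional[date]
    last_reviewed: Optional[date]
    workload_active: bool = True         # does the workload it serves still exist?
    offboarding_requested: Optional[date] = None
    revoked: Optional[date] = None

def evaluate(nhi: Nhi, as_of: date = AS_OF) -> list:
    """Return the control failures for one identity (empty list means pass)."""
    f = []
    if not nhi.owner:
        f.append("no-owner")
    if nhi.last_rotated is None or (as_of - nhi.last_rotated).days > MAX_ROTATION_DAYS:
        f.append("rotation-overdue")
    if nhi.last_reviewed is None or (as_of - nhi.last_reviewed).days > MAX_REVIEW_DAYS:
        f.append("review-overdue")
    if "*" in nhi.privileges or "admin" in nhi.privileges:
        f.append("excessive-privilege")
    if not nhi.workload_active and nhi.revoked is None:
        f.append("orphaned")             # privilege outliving the business need
    if nhi.offboarding_requested and (nhi.revoked is None or
       (nhi.revoked - nhi.offboarding_requested).days > MAX_REVOCATION_LAG_DAYS):
        f.append("revocation-lag")       # revocation slower than the policy allows
    return f

def evidence_record(nhi: Nhi, as_of: date = AS_OF) -> dict:
    """Audit-ready record built at evaluation time, not reconstructed afterwards."""
    findings = evaluate(nhi, as_of)
    return {"identity": nhi.name, "owner": nhi.owner or "UNASSIGNED", "as_of": as_of.isoformat(),
            "findings": findings, "status": "fail" if findings else "pass"}

INVENTORY = [  # constructed sample records, not real identities
    Nhi("payments-batch-sa", "treasury-platform", ["s3:read"], date(2025, 10, 20), date(2025, 9, 1)),
    Nhi("legacy-report-key", None, ["*"], date(2024, 6, 1), None, workload_active=False),
    Nhi("vendor-kyc-federation", "third-party-risk", ["kyc:read"], date(2025, 11, 15),
        date(2025, 11, 1), offboarding_requested=date(2025, 11, 20), revoked=date(2025, 12, 1)),
]
```

Running `evidence_record` over the whole inventory and serialising the result is the exportable evidence path; the orphaned, unowned key and the slow vendor revocation are the findings a DORA review would expect to see surfaced.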

Key takeaways

  • DORA turns identity from an operational convenience into a resilience control that auditors can test.
  • Machine identities, vendor federation, and manual access reviews create the biggest evidence gaps in regulated environments.
  • Financial entities need continuous identity governance, not periodic cleanup, if they want DORA-ready control and traceability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST CSF 2.0 (PR.AC-4): DORA identity governance depends on controlled access and review of entitlements.
  • OWASP Non-Human Identity Top 10 (NHI-03): Rotation and revocation gaps in machine identities match NHI lifecycle risk.
  • NIST AI RMF: Identity-backed evidence and accountability support governed AI and automation use.

Map identity controls to PR.AC-4 and automate reviews, revocation, and evidence capture.


Key terms

  • Non-Human Identity: A non-human identity is any credentialed entity that acts on behalf of software, infrastructure, or automation rather than a person. Service accounts, API keys, tokens, certificates, and AI agents all fit this category, and they require explicit ownership, lifecycle control, and auditability.
  • Identity Security Posture Management: Identity Security Posture Management is the continuous discovery and assessment of identity risk across users, machines, and access pathways. It focuses on visibility, privilege exposure, lifecycle weakness, and control drift so teams can reduce identity risk before it becomes a compliance or incident problem.
  • Identity Threat Detection and Response: Identity Threat Detection and Response is the monitoring and response discipline that looks for suspicious behaviour in identity activity. It correlates authentication, privilege use, and access patterns to spot abuse such as token theft, privilege escalation, or anomalous vendor access.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Control-by-control explanation of how the nine identity risks map to DORA expectations in financial services
  • Operational examples for human, machine, and third-party identity governance across regulated environments
  • Behaviour-based privilege scoring and lifecycle automation details for teams trying to reduce manual review load
  • Evidence reporting patterns that help compliance teams prepare for audit and incident response

👉 Unosecur's full blog covers the nine identity risks and the operational model behind them

Deepen your knowledge

DORA identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building resilience controls for regulated environments, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org