TL;DR: eSIM profiles act as digital SIM credentials that are created, delivered, installed, and eventually retired through a managed lifecycle, according to Workz Group. For identity teams, the key issue is that mobile device access now depends on a governed non-human credential chain, not a one-time provisioning event.
At a glance
What this is: This is an explainer on eSIM profiles and their lifecycle, with the central finding that mobile connectivity now depends on managed digital credentials and status transitions.
Why it matters: It matters because eSIM profiles behave like NHI credentials in practice, so identity, lifecycle, and offboarding controls need to extend into connected device and IoT programmes.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Workz Group's eSIM profile guide for the full lifecycle breakdown
Context
eSIM profile management is, at its core, identity and lifecycle management for connected devices. The profile carries the credentials and subscription data a device uses to authenticate to a mobile network, so the problem is not just connectivity but governed digital identity for the device.
That matters for mobile fleets, IoT deployments, and any programme that assumes subscriber access can be treated as a simple telecom setting. Once a profile can be allocated, linked, confirmed, downloaded, installed, released, and eventually retired, the security question becomes who controls that lifecycle and how revocation is enforced.
The article is a typical introductory explanation of eSIM operations, but the governance implications are not typical. It points to a broader shift in which device access depends on managed non-human credentials that must be tracked, scoped, and offboarded like any other identity artifact.
Key questions
Q: How should organisations govern eSIM profiles as identity credentials?
A: They should treat eSIM profiles as managed non-human identities tied to device access, not as a one-time telecom setting. That means assigning clear ownership, tracking lifecycle states, and linking provisioning and revocation to identity governance rather than to ad hoc device support processes. The goal is to keep profile access aligned to business need across the full device lifecycle.
Q: Why do eSIM profiles create lifecycle risk for connected devices?
A: Because the profile can remain active or reusable after the device relationship changes if no one is tracking its state. The risk is not only initial provisioning but also stale access, orphaned profiles, and incomplete offboarding. In fleet environments, that can leave network access attached to devices or subscriptions that should no longer exist.
Q: What breaks when organisations cannot see eSIM profile status accurately?
A: They lose the ability to tell whether a profile is active, pending, installed, or effectively retired. That makes it difficult to prove which devices are authorised, which subscriptions are still valid, and which credentials should be revoked. Without accurate status visibility, lifecycle governance becomes guesswork rather than control.
Q: Who should own eSIM profile offboarding in an enterprise?
A: Ownership should sit with the team responsible for identity or device lifecycle governance, not solely with network operations. When subscriptions, devices, or vendors change, someone must be accountable for making profiles unavailable and confirming that access has been removed. That accountability is what prevents lingering credential exposure in connected fleets.
Technical breakdown
What an eSIM profile actually represents
An eSIM profile is the digital equivalent of the subscription data that used to live on a removable SIM card. It contains the information a device needs to authenticate to a network, including subscriber identity, service entitlements, and network parameters. Because the profile is delivered digitally, it becomes a managed credential object rather than a static hardware attribute. That changes the security model: access is now mediated through provisioning, delivery, and status changes. For identity practitioners, this makes the profile closer to a non-human identity artifact than a consumer convenience feature.
Practical implication: Treat eSIM profiles as governed credentials, not just telecom configuration.
Why SM-DP+ matters in the identity chain
The SM-DP+ platform creates, encrypts, and packages the profile before delivery to the eUICC. In other words, it is the preparation and distribution point for a device identity credential. The formats described in the article, from unprotected to protected, bound, and segmented packages, show a control chain where the profile changes state before it ever reaches the endpoint. That chain matters because every transition is a potential exposure point if encryption, binding, or delivery authorization is weak. The same lifecycle logic used for other NHI types applies here.
Practical implication: Map SM-DP+ responsibilities to credential preparation, protection, and traceability controls.
Why eSIM status transitions are a lifecycle control problem
The profile states, available, allocated, linked, confirmed, released, downloaded, installed, error, and unavailable, describe a full lifecycle, not a one-time activation. Each state marks a governance condition: whether the profile can be reused, whether it is tied to a device EID, and whether installation has completed. That creates a lifecycle management requirement similar to joiner-mover-leaver discipline for other identities. The control gap is not the presence of an eSIM, but whether organisations can see where a profile sits in its lifecycle and revoke it when the relationship changes.
Practical implication: Build lifecycle visibility and revocation checkpoints around every eSIM status change.
NHI Mgmt Group analysis
eSIM profile governance is NHI governance for connected devices. The profile contains the credentials a device uses to authenticate, so its lifecycle must be managed as a non-human identity lifecycle rather than treated as a network support function. This aligns naturally with the NHI lifecycle model and with identity governance programmes that already manage service accounts, tokens, and certificates. Practitioners should recognise eSIM profiles as a governed identity object, not a telecom abstraction.
Profile status drift creates an identity visibility problem, not just an operational one. Available, allocated, linked, confirmed, downloaded, installed, and unavailable are lifecycle states with security meaning. If teams cannot reconcile those states with the actual device estate, they cannot prove which profiles are active, dormant, or effectively retired. That is a governance failure that looks operational on the surface but is really a lifecycle assurance gap. Practitioners should measure state visibility with the same seriousness as other NHI inventories.
Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs: eSIM management fits the same lifecycle logic as other non-human credentials. A device profile is provisioned, used, and eventually retired, which means revocation, traceability, and ownership are not optional extras. The article reinforces a broader field position: connected-device identity needs formal lifecycle ownership, not ad hoc telecom administration. Practitioners should place eSIMs under the same accountability model as other machine credentials.
Boundary management is the real control problem in eSIM programmes. The article shows that profiles are created centrally, bound to a device, and then reused only within strict lifecycle constraints. That means entitlement scope, device binding, and offboarding rules all have to stay aligned as fleets change. When they do not, access outlives the business need that justified it. Practitioners should expect identity drift unless lifecycle controls are explicit.
eSIM maturity will increasingly be judged by revocation discipline, not activation success. Organisations can no longer define success as simply getting a device online. The harder question is whether the profile can be tracked, reassigned, and removed without leaving residual access behind. That aligns with broader NHI governance expectations and pushes mobile-device programmes toward formal offboarding discipline. Practitioners should assess eSIM operations by retirement quality as much as by provisioning speed.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle status tracking matters before access sprawl becomes unmanageable.
- NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to work together when identity is non-human.
What this signals
Profile lifecycle visibility will become a baseline requirement for connected-device governance. As fleets grow, teams will need a control view that shows where each profile sits in its lifecycle and who can retire it. Without that, eSIM operations will keep producing hidden access that is difficult to reconcile during audits or offboarding.
The practical shift is toward treating eSIM management as part of the broader identity programme, not as a separate telecom workflow. That means using the same governance language for allocation, binding, revocation, and retirement that already exists for other non-human credentials. For teams building this capability, NHI Lifecycle Management Guide is the natural next resource, and the control model aligns with NIST SP 800-207 Zero Trust Architecture.
For practitioners
- Classify eSIM profiles as identity assets Place eSIM profiles under identity governance ownership so that creation, allocation, reuse, and retirement are tracked as lifecycle events, not just telecom events.
- Reconcile profile state to device inventory Build a control that maps available, allocated, linked, downloaded, installed, and unavailable profiles to the live device estate so dormant or orphaned profiles are visible.
- Define revocation criteria for lost or reassigned devices Document the conditions under which a profile must be released, reissued, or made unavailable, and ensure those triggers are linked to offboarding and device replacement workflows.
- Extend offboarding to connected device credentials Treat eSIM retirement as part of joiner-mover-leaver governance for devices and fleets, with explicit ownership for revoking access when a subscription or device relationship ends.
Key takeaways
- eSIM profiles are identity credentials for devices, so their lifecycle must be governed like any other non-human identity.
- The real control issue is not profile creation but visibility across status changes, binding, reuse, and retirement.
- Connected-device programmes need offboarding discipline, or eSIM access can outlive the business need that justified it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centres on governed lifecycle handling for device credentials. |
| NIST Zero Trust (SP 800-207) | eSIM access depends on continuous identity assurance for devices. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access applies to profile assignment and reuse. |
| NIST SP 800-53 Rev 5 | IA-5 | Profile credentials and related secrets need formal management. |
Apply authenticator management discipline to issuance, rotation, and retirement of profile credentials.
Key terms
- eSIM Profile: A digital subscriber profile that replaces the physical SIM card’s stored network identity. It contains the credentials and service settings a device uses to authenticate with a mobile network, which makes it a governed identity object rather than a simple configuration file.
- SM-DP+: The subscription management platform that delivers and manages eSIM profiles. In IoT provisioning, it is the system that must interpret device requests correctly, which means format compatibility and lifecycle support matter as much as nominal standards compliance.
- eUICC: The embedded secure element inside a device that stores and runs the eSIM profile. It is the endpoint of the profile lifecycle, where binding and installation matter because the credential becomes usable only once it is accepted by the device’s secure hardware.
- Profile lifecycle management: Profile lifecycle management is the controlled creation, assignment, update, recycling and retirement of digital eSIM profiles. It matters because profile reuse, obsolescence and compatibility issues can create both customer friction and governance gaps if inventory and issuance rules are not actively maintained.
What's in the full article
Workz Group's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of each eSIM profile state from available to unavailable.
- Technical description of how SM-DP+ prepares and packages the profile for delivery.
- Practical view of how QR code, activation code, and direct network download fit into provisioning.
- Lifecycle context for how profile statuses signal warnings, errors, and retirement conditions.
👉 The full Workz Group post covers profile states, packaging formats, and device delivery details.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org