By NHI Mgmt Group Editorial Team
Published 2026-01-16
Domain: Best Practices
Source: Raidiam

TL;DR: Raidiam’s 2025 year in review highlights federation-based application registration, JIT user provisioning, issuer validation, certificate rescans, and workflow changes that reduce onboarding friction and improve configuration correctness across identity and trust operations. The practical issue is not feature volume, but whether governance can keep pace with faster, more self-service non-human identity management.


At a glance

What this is: Raidiam’s 2025 review describes changes to federation, onboarding, certificates, and admin workflows that aim to make identity and trust operations more predictable.

Why it matters: For IAM and NHI practitioners, the update matters because it shifts control closer to configuration, validation, and auditability rather than manual coordination and support dependency.

By the numbers:



Context

Open finance and federated identity ecosystems fail when trust decisions are scattered across manual processes, duplicated configuration, and weak validation. In NHI governance terms, that creates drift between who is allowed to act, what is actually configured, and what can be audited later.

Raidiam’s 2025 review is best read as a governance story about reducing that drift. The changes focus on federation-based onboarding, issuer uniqueness, certificate lifecycle visibility, and self-service administration, which are the control points that determine whether non-human identities remain manageable at scale.

The direction is typical for mature identity platforms facing ecosystem growth: fewer ad hoc interventions, more explicit policy checks, and more lifecycle evidence at the point of change. That is the right response when onboarding speed and trust assurance need to coexist.


Key questions

Q: How should IAM teams govern federated onboarding for applications and servers?

A: Start by treating federation metadata as part of the control plane, not as supporting documentation. Require explicit ownership for issuer values, claim mappings, and role metadata, and validate them before registration goes live. Federation improves consistency only when the trust inputs are controlled as tightly as the credentials they enable.

Q: Why do certificate lifecycle changes matter for NHI governance?

A: Certificates are non-human credentials with an operating life, so issuance alone is not enough. Governance depends on revocation, revalidation, and visibility into whether the certificate is still trusted by the issuing authority. If those checks lag, the organisation keeps stale access paths alive after the credential should have been removed.

Q: What is the difference between self-service administration and safe delegated control?

A: Self-service administration changes who can make updates. Safe delegated control adds validation, logging, and rollback so those updates cannot silently weaken policy. For NHI governance, that difference matters because delegated configuration often touches trust, access, and auditability at the same time.

Q: When does onboarding automation create more risk than it removes?

A: Automation becomes risky when it speeds up incorrect trust decisions. If onboarding flows do not force issuer uniqueness, federation metadata checks, and certificate validation, they can scale misconfiguration just as efficiently as they scale good practice. The threshold is whether the workflow catches errors before trust is established.


Technical breakdown

OpenID Federation and application onboarding

OpenID Federation replaces ad hoc client registration with signed entity statements, entity configurations, and federation lists. In practice, that means an application can be validated through the trust fabric rather than only through local registration records. For NHI governance, the important distinction is that federation adds a structured trust path, but it also increases dependence on correct issuer, claim, and metadata handling. If those fields are inconsistent, the resulting identity cannot be reliably governed across participating organisations.

Practical implication: Treat federation metadata as security-critical configuration and validate it with the same rigor as credentials.

Certificate lifecycle control and automatic revalidation

Certificate governance is only as strong as its revocation and rescan loop. When a platform rechecks certificates against issuing authorities and marks revoked material as inactive, it closes part of the gap between external state and internal visibility. The core control problem is that certificates are NHI credentials, not static assets. If their status is not continuously reconciled, revoked or expired trust material can persist in downstream workflows, dashboards, and approvals.

Practical implication: Build certificate checks into operational workflows so revoked trust material is removed from use quickly.
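An added example, not Raidiam's code, of the rescan loop described above in Python: platform records are reconciled against a per-issuer revocation snapshot, revoked or expired material is marked inactive, an issuer with no snapshot is reported rather than treated as still trusted, and a serial the authority later prunes from its CRL is not reactivated. The CertRecord type, the ca-a/ca-b names and the dates are constructed.

```python
# Added example, not Raidiam's code: reconcile certificate records with per-issuer
# revocation snapshots; all inputs below are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class CertRecord:
    serial: str
    issuer: str             # issuing authority the record is reconciled against
    not_after: datetime
    status: str = "active"  # "active" or "inactive" (soft-deleted, still downloadable)
    reason: str = ""

def rescan(records, crl_by_issuer, now):
    """Reconcile records against {issuer: {serial: revocation_time}} snapshots.
    Returns (changed, unverified): serials deactivated in this pass, and serials
    whose issuer had no snapshot (a failed CRL fetch must never read as trusted).
    Inactive is terminal: CAs may prune expired serials from their CRL, so
    absence from a later snapshot never reactivates a record."""
    changed, unverified = [], []
    for rec in records:
        if rec.status == "inactive":
            continue
        snapshot = crl_by_issuer.get(rec.issuer)
        if snapshot is None:
            unverified.append(rec.serial)
            continue
        if rec.serial in snapshot:
            rec.status = "inactive"
            rec.reason = f"revoked by {rec.issuer} at {snapshot[rec.serial].isoformat()}"
        elif rec.not_after <= now:
            rec.status, rec.reason = "inactive", "expired"
        else:
            continue
        changed.append(rec.serial)
    return changed, unverified

def sample_rescan():
    """Constructed inventory and CRL; the second pass has 02 pruned from the CRL."""
    utc = timezone.utc
    records = [
        CertRecord("01", "ca-a", datetime(2026, 1, 1, tzinfo=utc)),  # still good
        CertRecord("02", "ca-a", datetime(2026, 1, 1, tzinfo=utc)),  # revoked by CA
        CertRecord("03", "ca-a", datetime(2025, 1, 1, tzinfo=utc)),  # expired
        CertRecord("04", "ca-b", datetime(2026, 1, 1, tzinfo=utc)),  # no CA snapshot
    ]
    crl = {"ca-a": {"02": datetime(2025, 5, 20, tzinfo=utc)}}
    first = rescan(records, crl, datetime(2025, 6, 1, tzinfo=utc))
    second = rescan(records, {"ca-a": {}, "ca-b": {}}, datetime(2025, 7, 1, tzinfo=utc))
    return records, first, second
```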

Issuer validation and configuration drift in trust services

Authorisation servers rely on unique issuer values because issuer claims anchor token validation and federation trust. If two servers can share the same issuer, the result is ambiguity that weakens authentication and makes auditing unreliable. Requiring issuer entry at creation time and blocking duplicates reduces that risk by turning trust identity into an explicit control rather than a hidden assumption. For NHI systems, uniqueness checks are not just hygiene; they are integrity controls.

Practical implication: Enforce uniqueness on issuer and trust identifiers before any server goes live.
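As an added example, not Raidiam's code or the platform's API, the following Python shows the two checks the federation and issuer passages above describe: an issuer is canonicalised and rejected at registration when it duplicates another server's, and a federation entity configuration is accepted only when it is self-issued and names the issuer registered for that server. The in-memory registry, the encode_payload helper and the sample issuer URLs are assumptions; signature verification of the entity statement is out of scope here.

```python
# Added example, not Raidiam's code: issuer validation and entity-configuration checks.
import base64
import json
from urllib.parse import urlsplit

class IssuerError(ValueError):
    """Raised when an issuer or entity configuration fails validation."""

def normalise_issuer(issuer):
    """Canonicalise an issuer so near-duplicates (case, trailing slash) collide.
    Rejects anything that is not an https URL with a host and no query/fragment."""
    parts = urlsplit(issuer.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise IssuerError(f"issuer must be an https URL with a host: {issuer!r}")
    if parts.query or parts.fragment:
        raise IssuerError(f"issuer must not carry a query or fragment: {issuer!r}")
    return f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}"

class ServerRegistry:
    """In-memory stand-in (an assumption) for the platform's server records."""
    def __init__(self):
        self._owner_by_issuer = {}

    def register(self, server_id, issuer):
        """Register a server; a duplicate issuer is blocked at creation time."""
        canon = normalise_issuer(issuer)
        owner = self._owner_by_issuer.get(canon)
        if owner is not None and owner != server_id:
            raise IssuerError(f"issuer {canon} is already registered to {owner}")
        self._owner_by_issuer[canon] = server_id
        return canon

    def owner_of(self, issuer):
        return self._owner_by_issuer.get(normalise_issuer(issuer))

def encode_payload(claims):
    """base64url-encode a claims dict (used only to construct sample statements)."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()

def check_entity_configuration(registry, server_id, payload_b64url):
    """Validate an entity configuration payload: self-issued (iss == sub) and iss is the
    issuer registered for this server. Signature verification is assumed done earlier."""
    padded = payload_b64url + "=" * (-len(payload_b64url) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or iss != sub:
        raise IssuerError("entity configuration must be self-issued (iss == sub)")
    if registry.owner_of(iss) != server_id:
        raise IssuerError(f"iss {iss!r} is not the issuer registered for {server_id}")
    return normalise_issuer(iss)
```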


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Federated onboarding reduces manual identity drift, but only if metadata is treated as a control plane asset. The value of federation is not simplicity for its own sake; it is consistency across many relying parties and authorities. That consistency disappears if entity metadata, claims, and issuer values are allowed to diverge. Practitioners should treat federation records as governed identity objects, not routine configuration.

Certificate visibility is still an NHI problem, not just a PKI problem. Certificates are credentials with lifecycle risk, so soft delete, immediate download, and automatic rescans all affect exposure. If revocation is not reflected quickly in operational systems, the organisation inherits stale trust. The governance lesson is straightforward: certificate controls need ownership, auditability, and removal paths, not only issuance.

Self-service administration can strengthen security when it narrows the support gap, but it also raises the need for policy guardrails. Letting organisation administrators manage flags, contacts, and reference data removes bottlenecks, which is useful in ecosystem operations. The risk is policy sprawl if those changes are not constrained by explicit validation and audit trails. Teams should expand self-service only where the control logic remains enforced.

Identity blast radius: the practical challenge is no longer onboarding speed alone, but how far one bad configuration can propagate. The more a platform allows delegated setup across organisations, applications, servers, and certificates, the more important it becomes to bound error propagation. That is the real NHI governance test here. Practitioners should measure not just completion time, but the blast radius of a failed trust configuration.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why identity governance often breaks down after onboarding.
  • For a broader lifecycle view, the Ultimate Guide to NHIs shows why rotation, offboarding, and auditability must be designed together.

What this signals

Identity blast radius: delegated onboarding and self-service administration will keep expanding, but the control question is whether a single bad trust decision can spread across an ecosystem. With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the practical response is to harden validation before permission propagation, not after.

The next governance step for teams is to connect federation controls with lifecycle controls, especially around certificates, issuer values, and role metadata. That means aligning platform workflows with the NIST Cybersecurity Framework 2.0 functions for identify, protect, and detect, then proving that trust state is continuously reconciled.

Where ecosystems rely on external identity providers, the programme risk is not only access control but also operational visibility. NHI teams should expect more demand for audit-ready evidence, faster reconciliation, and clearer ownership across organisations, applications, servers, and certificates.


For practitioners

  • Map federation metadata to governance ownership: Assign explicit owners for entity statements, issuer values, claim mappings, and role metadata so federation changes are reviewed before they affect relying parties.
  • Validate issuer uniqueness before activation: Block duplicate issuer values in pre-production and production change flows, and require change records that explain why a server issuer was created or updated.
  • Treat certificates as lifecycle-managed credentials: Track issuance, revocation, soft delete, and revalidation together so certificate state in the platform matches the issuing authority.
  • Limit self-service to policy-bounded configuration: Allow organisation admins to adjust only those flags and reference data elements that have explicit validation, logging, and rollback paths.

Key takeaways

  • Federation improves onboarding consistency only when metadata, issuer values, and trust objects are governed as security controls.
  • Certificates remain non-human credentials with lifecycle risk, so revocation and revalidation must be operational, not advisory.
  • Delegated administration scales well only when validation, logging, and rollback limit the blast radius of configuration mistakes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Issuer and certificate lifecycle controls map to NHI credential governance. |
| NIST CSF 2.0 | PR.AC-4 | Federated onboarding and delegated access depend on least-privilege access control. |
| NIST Zero Trust (SP 800-207) | | The post centers on continuous validation of trust in federated identity flows. |

Use zero trust principles to verify federation inputs and revalidate trust state continuously.


Key terms

  • Federation metadata: Federation metadata is the signed information that tells other parties how an identity or application should be trusted. In NHI governance, it becomes a control surface because issuer values, claim rules, and entity details determine whether registration and authentication behave correctly.
  • Issuer validation: Issuer validation is the check that ensures a trust source is unique, consistent, and acceptable before it can be used. For non-human identities, it helps prevent conflicting token trust relationships and reduces ambiguity in authentication and audit records.
  • Certificate lifecycle: Certificate lifecycle is the full sequence from creation to use, renewal, revocation, and removal from service. In identity governance, certificates are credentials, so lifecycle control determines whether trust remains accurate after a certificate changes state.
  • Delegated administration: Delegated administration allows local operators to make approved configuration changes without waiting on a central platform team. It improves speed, but it only remains safe when permissions are narrow, changes are logged, and validation prevents policy drift.

Deepen your knowledge

Federation onboarding, certificate lifecycle control, and delegated identity administration are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is formalising governance around ecosystem identity, it is worth exploring.

This post draws on content published by Raidiam: Year in Review 2025. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org