TL;DR: A healthcare provider with more than 100,000 non-human identities, 50,000 certificates, 10,000 service accounts, and 133 unused service principals found in Azure showed how quickly hybrid environments outgrow manual NHI governance, according to Oasis Security. The lesson is that visibility, ownership, and rotation are now baseline identity controls, not optional clean-up work.
At a glance
What this is: A healthcare provider’s hybrid environment exposed how NHI sprawl, stale credentials, and weak ownership become unmanageable without unified visibility and automation.
Why it matters: IAM teams need a governance model that spans NHI, human identity, and lifecycle processes because scale alone can turn routine access issues into persistent attack surface.
By the numbers:
- An initial analysis of their Azure environment revealed 133 service principals hadn’t been used in over 30 days.
- 46 privileged secrets hadn’t been rotated in months.
👉 Read Oasis Security's case study on achieving comprehensive NHI visibility in healthcare
Context
Hybrid cloud identity programmes fail when teams cannot see the full population of non-human identities, especially when certificates, service accounts, and API keys are distributed across cloud and on-premises systems. In this case, the problem was not a single control failure but the combination of scale, manual processes, and unclear ownership across a fast-growing NHI estate.
For IAM practitioners, the governance question is straightforward: if you cannot enumerate, attribute, and rotate identities at the pace they are created, you do not have control. The provider’s starting point is typical of large hybrid environments, where NHI sprawl outpaces the security operating model.
Key questions
Q: What breaks when non-human identities are not fully visible across hybrid environments?
A: When NHIs are not fully visible, teams lose the ability to identify stale accounts, over-privileged access, and unused credentials before they become exposure. Visibility gaps also delay ownership assignment and make remediation manual. In practice, incomplete inventory turns governance into reactive cleanup instead of a controlled lifecycle process.
Q: Why do service accounts and secrets with standing access increase risk in cloud environments?
A: Standing access increases risk because dormant credentials remain valid even when the business no longer needs them. In cloud environments, that creates a wider attack surface, makes compromise easier to sustain, and slows containment. The longer a privileged secret lives without rotation or revocation, the more likely it is to be abused.
Q: What do security teams get wrong about NHI ownership in hybrid estates?
A: Teams often treat ownership as an administrative label instead of an enforceable control. Without a named owner, access reviews, exception handling, and decommissioning stall. Governance only works when ownership is specific enough that someone is responsible for approving, monitoring, and retiring each identity.
A: Accountability should sit with the identity owner and the operating team responsible for lifecycle enforcement, but the broader organisation is accountable for allowing the control gap to persist. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that identity governance is an ongoing responsibility, not a one-time setup.
Technical breakdown
Why fragmented NHI visibility breaks hybrid governance
Non-human identity visibility is the ability to inventory every service principal, service account, certificate, and secret across cloud and on-premises systems in one control plane. Without that inventory, security teams cannot distinguish active from stale identities, cannot assign ownership reliably, and cannot see privilege concentration across subscriptions, vaults, and platforms. In hybrid environments, the visibility problem is compounded because cloud-native telemetry and legacy systems rarely share the same identity metadata. The result is blind remediation: teams chase symptoms instead of controlling exposure.
Practical implication: establish a single NHI inventory with ownership and usage metadata before trying to optimise privilege or rotation.
How stale credentials and unrotated secrets enlarge attack surface
A stale credential is still a valid credential until it is revoked or rotated, which means unused identities often remain exploitable long after business need has ended. In this case, service principals that had not been used for more than 30 days and secrets that had not been rotated in months show the classic NHI failure mode: credential persistence without lifecycle enforcement. This is where NHI governance intersects with Zero Trust, because trust should be time-bounded and state-aware rather than inherited from past provisioning decisions.
Practical implication: tie secret rotation and decommissioning to usage thresholds, not calendar assumptions alone.
Why ownership and automated decommissioning matter for NHI lifecycle
Ownership gaps are a governance failure, not just an operations inconvenience. When an identity has no clear owner, access reviews, exception handling, and decommissioning all slow down or stop entirely. The article’s automatic decommissioning step matters because it converts inactivity into an actionable lifecycle event, creating tickets and alerts when privileged service accounts cross a defined threshold. That is the difference between passive inventory and enforceable lifecycle governance.
Practical implication: require named ownership for every NHI and automate deactivation workflows for inactive privileged identities.
Threat narrative
Attacker objective: The attacker objective is to exploit valid but stale non-human credentials to gain persistence and access through identities the organisation no longer actively monitors.
- Entry is enabled by lingering NHI credentials, including unused service principals and unrotated secrets, that remain valid inside a hybrid Azure estate.
- Escalation occurs when privileged NHI access persists without ownership or usage-based review, allowing over-privileged identities to remain available for misuse.
- Impact is broader cloud and on-premises exposure, because stale identities expand the attack surface and make containment slower once compromise occurs.
Breaches seen in the wild
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual NHI governance collapses first at the visibility layer. When an organisation cannot see its full inventory of certificates, service accounts, and secrets, every downstream control becomes partial. That is why hybrid environments with tens of thousands of identities drift into unmanaged risk even before a breach occurs. The field should treat unified discovery as the first governance control, not an operational nicety.
Stale credential persistence is the named failure mode this case exposes. The organisation had 133 service principals unused for more than 30 days and 46 privileged secrets that had not been rotated in months. That is not a tooling gap alone; it is a lifecycle assumption failure: identities were treated as durable assets after the business had stopped relying on them. Practitioners should read this as evidence that access outlives accountability unless lifecycle enforcement is explicit.
Ownership is the control that turns inventory into governance. Without named accountability, access reviews become theoretical and decommissioning becomes ad hoc. This case shows why NHI programmes fail when they stop at discovery and do not assign an owner for every identity, especially in hybrid estates where cloud and on-premise teams share responsibility. The practical conclusion is that governance must attach responsibility to every identity, not just record it.
Automation is not a convenience layer; it is the only scalable response to NHI sprawl. A team of 18 security staff and roughly 50 IT operators cannot manually sustain lifecycle enforcement across more than 100,000 NHIs. The lesson for the market is that NHI governance is moving from detective reporting to policy-driven lifecycle execution, and practitioners should expect their operating model to absorb that shift.
Zero Trust breaks down when trust is still inherited from provisioning history. The NIST Cybersecurity Framework 2.0 frames identity as part of ongoing protect and detect functions, but this case shows that inherited access and dormant secrets violate that intent. Practitioners should treat time-based inactivity and secret age as governance triggers, not background noise.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Another finding from the same report shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For a broader breach pattern view, 52 NHI Breaches Analysis maps repeated control failures across real incidents.
What this signals
Stale credential governance will become a board-level operational issue, not just an IAM hygiene task. Once hybrid environments cross six figures in NHI volume, manual exception handling stops scaling and every unused secret becomes a latent control failure. Teams should expect usage telemetry, owner attribution, and automatic decommissioning to become core programme requirements rather than optional enhancements.
Credential age is emerging as a measurable risk signal. In a programme like this, a secret that has not been rotated in months tells you more than a broad compliance attestation does. If lifecycle evidence is weak, map the gap back to the NHI Lifecycle Management Guide and the NIST Cybersecurity Framework 2.0 so reporting and control design use the same language.
Hybrid identity programmes need a named concept for hidden lifecycle debt: stale credential persistence. It describes the accumulation of valid but inactive NHIs that remain reachable because ownership, rotation, and retirement are not enforced together. That concept is useful because it connects discovery, lifecycle, and accountability into one governance problem that practitioners can actually track.
For practitioners
- Inventory every NHI across hybrid estates: Build a unified register for service principals, certificates, service accounts, and API keys across cloud and on-premises systems. Include owner, last-used timestamp, privilege level, and vault location so security teams can rank exposure instead of guessing.
- Enforce usage-based decommissioning: Trigger deactivation when privileged identities cross defined inactivity thresholds, and require tickets plus alerts for every automatic disablement. This reduces dependence on manual review cycles that cannot keep pace with NHI growth.
- Rotate privileged secrets on policy, not memory: Automate secret rotation for identities with elevated access and block exceptions from becoming permanent. Pair rotation with verification so teams can confirm that the new secret is actually in use and the old one is retired.
- Assign accountable owners to every identity: Require a named business or technical owner for each NHI before it is allowed into production. If no owner can approve access, review exceptions, and accept retirement responsibility, the identity should be considered governance debt.
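The register, usage-threshold and ownership controls described under Technical breakdown and in the list above, worked through as an added Python example. This is not Oasis Security's or the provider's code: the 30-day inactivity threshold comes from the case, while the 90-day rotation window, the five sample identities, the vault names and the scoring weights are constructed assumptions. It shows how a unified register with owner, last-used and rotation metadata turns inactivity and secret age into lifecycle events (ticket, alert, disable, rotate) and ranks exposure instead of guessing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed evaluation time so the constructed sample gives reproducible results.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class NHI:
    """One row of the unified NHI register: the metadata the guidance says to capture."""
    name: str
    kind: str                           # service_principal, service_account, certificate, api_key
    platform: str                       # azure or on_prem
    privileged: bool
    owner: Optional[str]                # None = no accountable owner on record
    last_used: Optional[datetime]       # None = no usage telemetry ever recorded
    secret_rotated: Optional[datetime]  # None = no rotatable secret tracked for this identity
    vault: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    inactivity_days: int = 30   # threshold from the case: unused for more than 30 days
    rotation_days: int = 90     # assumed rotation window for this example


@dataclass(frozen=True)
class Finding:
    identity: str
    rule: str        # missing_owner, stale_identity, unrotated_secret
    actions: tuple   # lifecycle events to raise: ticket, alert, disable, rotate
    detail: str


def evaluate(inventory, policy=Policy(), now=NOW):
    """Turn usage, age and ownership metadata into lifecycle events per identity."""
    findings = []
    for nhi in inventory:
        if nhi.owner is None:
            findings.append(Finding(nhi.name, "missing_owner", ("ticket",),
                                    "no named owner; treat as governance debt"))

        idle_days = None if nhi.last_used is None else (now - nhi.last_used).days
        if idle_days is None or idle_days > policy.inactivity_days:
            # Automatic disablement of a privileged identity is always paired
            # with a ticket and an alert; non-privileged ones get a review ticket.
            actions = ("disable", "ticket", "alert") if nhi.privileged else ("ticket",)
            detail = ("never used" if idle_days is None
                      else f"unused for {idle_days}d (> {policy.inactivity_days}d)")
            findings.append(Finding(nhi.name, "stale_identity", actions, detail))

        if nhi.secret_rotated is not None:
            age = (now - nhi.secret_rotated).days
            if age > policy.rotation_days:
                actions = ("rotate", "alert") if nhi.privileged else ("ticket",)
                findings.append(Finding(nhi.name, "unrotated_secret", actions,
                                        f"secret age {age}d (> {policy.rotation_days}d)"))
    return findings


def rules_for(findings, name):
    """Set of rule names that fired for one identity."""
    return {f.rule for f in findings if f.identity == name}


# Constructed weights: privilege counts only once an identity has at least one finding.
WEIGHTS = {"privileged": 3, "stale_identity": 2, "unrotated_secret": 2, "missing_owner": 1}


def rank_exposure(inventory, findings):
    """Score each identity so remediation can be ordered; highest exposure first."""
    scores = {n.name: 0 for n in inventory}
    priv = {n.name: n.privileged for n in inventory}
    for f in findings:
        scores[f.identity] += WEIGHTS[f.rule]
    for name, score in scores.items():
        if score and priv[name]:
            scores[name] = score + WEIGHTS["privileged"]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def days_ago(days):
    return NOW - timedelta(days=days)


# Constructed sample register spanning Azure and on-premises systems.
SAMPLE_INVENTORY = [
    NHI("sp-billing-export", "service_principal", "azure", True, "finance-platform", days_ago(3), days_ago(20), "kv-finance"),
    NHI("sp-legacy-etl", "service_principal", "azure", True, None, days_ago(45), days_ago(200), "kv-data"),
    NHI("svc-backup-agent", "service_account", "on_prem", True, "infra-ops", days_ago(1), days_ago(120)),
    NHI("cert-legacy-portal", "certificate", "on_prem", False, "web-team", None, None),
    NHI("apikey-reporting", "api_key", "azure", False, "analytics", days_ago(10), days_ago(400), "kv-analytics"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    for f in found:
        print(f"{f.identity:20} {f.rule:18} {','.join(f.actions):22} {f.detail}")
    print("exposure ranking:", rank_exposure(SAMPLE_INVENTORY, found))
```

Running the block lists one unowned, stale and unrotated privileged service principal at the top of the ranking, an in-use but unrotated on-premises service account second, and a clean, recently rotated principal with no findings at all. In a real programme the register rows would come from the cloud tenant and on-premises directories, and the `disable` action would feed a ticketing workflow rather than a print statement.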
Key takeaways
- This case shows that NHI sprawl becomes ungovernable when visibility, ownership, and lifecycle control are handled separately.
- The scale matters: more than 100,000 NHIs, 50,000 certificates, and 10,000 service accounts created an identity estate that manual processes could not sustain.
- Usage-based decommissioning and enforced secret rotation are the controls most likely to reduce the attack surface in a hybrid environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The case centers on stale secrets and rotation gaps across a large NHI estate. |
| NIST CSF 2.0 | PR.AC-4 | Ownership and least privilege are central to this hybrid governance case. |
| NIST Zero Trust (SP 800-207) | | The article highlights why inherited trust and standing access break zero trust assumptions. |
Audit secret age and rotate privileged NHI credentials before they become dormant attack paths.
Key terms
- Non-Human Identity: A non-human identity is any machine, workload, service account, token, certificate, or secret used to authenticate a system rather than a person. In governance terms, it is an identity object with lifecycle, ownership, and privilege that must be managed like any other access-bearing asset.
- Stale Credential Persistence: Stale credential persistence is the condition where a valid secret, certificate, or service account remains usable after its business purpose has ended. The control failure is not discovery alone but the absence of enforced rotation, revocation, or decommissioning tied to real usage.
- NHI Ownership: NHI ownership is the assignment of clear accountability for approving, monitoring, and retiring a non-human identity. It turns inventory into governance because someone is responsible for changes, exceptions, and lifecycle closure when the identity is no longer needed.
- Hybrid Identity Estate: A hybrid identity estate combines cloud and on-premises identity systems under one operational environment. For NHIs, this usually means certificates, service principals, and service accounts are distributed across tools and teams, which makes visibility and lifecycle enforcement harder unless controls are centralised.
Deepen your knowledge
NHI visibility, ownership, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme from a similar hybrid starting point, it is worth exploring.
This post draws on content published by Oasis Security: How a Healthcare provider gained comprehensive NHI visibility with Oasis. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org