TL;DR: Access review campaigns for non-human identities can close a long-standing IAM gap by applying scoped certification, ownership routing, and audit logging to service accounts, API keys, and machine tokens, according to Entro Security. The governance problem is bigger than review cadence: NHIs need structured accountability because traditional human-centric workflows do not map cleanly to them.
At a glance
What this is: This is an analysis of how access review campaigns extend familiar IAM attestation workflows to non-human identities and why that matters for governance.
Why it matters: It matters because service accounts, API keys, and machine tokens often outgrow human-centric review models, leaving ownership, accountability, and audit evidence incomplete.
👉 Read Entro Security's access review campaign analysis for non-human identities
Context
NHI access reviews are the governance control most teams still under-apply to service accounts, API keys, and machine tokens. Human identity certification is usually scheduled, owned, and auditable, but non-human identity review often remains reactive and tied to incidents, audits, or offboarding.
That gap becomes operational quickly in cloud and CI/CD environments, where ownership is distributed and credentials can outlive the people or systems that created them. An effective access review programme for NHIs is not just a compliance exercise; it is a way to reduce hidden privilege, improve accountability, and create defensible audit evidence.
Key questions
Q: How should security teams run access reviews for non-human identities?
A: Start with risk-based scoping, not a blanket inventory. Prioritise orphaned, idle, exposed, and over-privileged identities, then route each item to a real owner who can act. The goal is a tracked decision and a complete audit trail, not just a completed review form.
Q: Why do non-human identities make access certification harder than human identities?
A: NHIs often lack a manager, are shared across systems, and are created outside HR-driven processes. That means ownership has to be resolved through application, team, or system accountability. Without that step, certification becomes paperwork rather than governance.
Q: What is the difference between human identity reviews and NHI access reviews?
A: Human identity reviews usually rely on manager attestation and organisational hierarchy. NHI reviews need operational ownership, risk-based scoping, and evidence of remediation because service accounts and tokens do not fit the same reporting model.
Q: When should organisations review service accounts and API keys?
A: Review them whenever risk changes, not only on a fixed calendar. Trigger reviews after offboarding, privilege changes, exposure events, failed rotation, or signs of idle use. A calendar cycle is useful, but event-driven review catches the highest-risk drift faster.
Technical breakdown
How NHI access review campaigns work in practice
An NHI access review campaign is a structured attestation workflow built around a defined identity scope. Instead of asking managers to certify employees, the campaign identifies a population of service accounts, API keys, or tokens, routes review tasks to accountable owners, and records the outcome of each action. The technical value is not the review itself, but the combination of scoping, ownership resolution, actionability, and logging. For NHIs, those four elements are harder because identity records are often disconnected from HR systems and do not have a natural manager relationship. That is why campaign design has to be risk-based and operationally traceable.
Practical implication: Use campaign templates and custom filters to scope NHIs by exposure, age, privilege, or compliance risk, then force every item into a tracked owner workflow.
Why ownership resolution is the hard part for NHIs
NHIs break the normal IAM assumption that every identity belongs to a person or team with a clean reporting line. A service account may be shared across pipelines, an API key may be embedded in application logic, and a token may be created by one team but used by another. Because of that, the review process often stalls on attribution, not on remediation. The real mechanism behind campaign success is therefore identity accountability, which means finding a person or team that can actually act. Without that, attestation becomes documentation without governance.
Practical implication: Build owner resolution into the workflow so unresolved NHIs escalate quickly instead of sitting in a pending state.
What audit trails must capture for non-human identity reviews
For NHI governance, the audit record has to show more than pass or fail. It should capture what was in scope, who reviewed it, what action was taken, when it happened, and whether the action was direct or routed to an owner. That creates a chain of custody for access decisions, which is essential when auditors ask why a token stayed active or why a privilege was retained. Good logging also supports repeatable review cycles, because the next campaign can reuse the same evidence model instead of rebuilding history from tickets and chat logs.
Practical implication: Treat campaign logs as governance evidence and make them complete enough to support audit, remediation, and the next review cycle.
NHI Mgmt Group analysis
Access review is the missing control plane for NHI governance. Most organisations already understand certification in the human identity context, but they still treat service accounts and tokens as exceptions. That creates unmanaged privilege persistence, especially where credentials outlive their creators or are shared across systems. The practical conclusion is simple: if a control works for people but not for NHIs, it is incomplete.
NHI campaigns succeed only when ownership becomes operational, not theoretical. A non-human identity rarely has a manager, and that means governance must resolve accountability through system, application, or team ownership. This is not a reporting problem alone. It is a workflow problem that determines whether access is reviewed, remediated, or ignored.
Campaigning NHIs turns scattered remediation into repeatable governance. Reactive cleanup after incidents or audits does not scale once machine identities multiply across cloud and CI/CD environments. A structured campaign model gives security teams a way to prioritise by risk, route action to the right owner, and preserve evidence. The discipline matters because access review without repeatability is just manual triage with a compliance label.
Identity review for NHIs should be risk-scoped, not calendar-scoped. Quarterly or annual cycles may satisfy process requirements, but they do not reflect how quickly tokens, keys, and service accounts drift from intended use. Risk-based scoping lets teams focus on orphaned, idle, exposed, and over-privileged identities first. The conclusion for practitioners is to use campaign design as a control for blast radius, not only as a reporting exercise.
Structured NHI attestation is becoming a baseline requirement for modern IAM. As machine identities multiply, the gap between human and non-human governance becomes harder to defend in audit and harder to justify in security reviews. Teams that cannot show who owns access, what was reviewed, and what changed will struggle to prove control. The field is moving toward explicit NHI review workflows, and practitioners should treat that as core governance rather than optional hygiene.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- For broader context on governance and lifecycle control, see Ultimate Guide to NHIs, which ties review, rotation, and offboarding into one control model.
What this signals
NHI access review campaigns will increasingly become the control that separates inventory from governance. Teams can list machine identities today, but listing alone does not prove accountability or reduce risk. The next maturity step is to tie review outcomes to lifecycle controls, escalation paths, and evidence that survives audit.
Identity sprawl is turning ownership resolution into a standing programme requirement. As NHIs multiply across cloud, SaaS, and CI/CD, the manual chase for the right owner becomes too slow to leave to ad hoc effort. Teams should align campaign workflows with the Ultimate Guide to NHIs and use them to enforce responsibility before privilege persists.
Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report. That confidence gap means the programme challenge is not awareness alone, but repeatable control design. Practitioners should expect NHI review automation to move from optional improvement to baseline governance.
For practitioners
- Scope NHI campaigns by risk first: Prioritise orphaned, idle, non-expiring, exposed, and high-privilege identities before broad sweeps. Risk-based scoping reduces review fatigue and helps teams focus remediation where it lowers blast radius fastest.
- Resolve ownership before sending any review task: Map each NHI to an accountable person or team that can act on it, even when the identity is shared across systems. If ownership is unclear, route the item into an exception queue with a deadline and escalation path.
- Log the full chain of custody for every decision: Capture the in-scope identity, reviewer, action taken, timestamp, and remediation status in a durable audit trail. That record should support both audit response and the next campaign cycle without reconstruction from chat or tickets.
- Separate direct admin actions from owner follow-up: Let administrators rotate, disable, or reassign where they have authority, then push only unresolved items to owners with clear instructions. This keeps campaigns moving and prevents avoidable backlog.
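To make the campaign model from the technical breakdown and the four practitioner steps concrete, here is an added illustration. It is not code from Entro Security's product or from the original article; the NHI record fields, the ACTIVE_USERS and SYSTEM_OWNERS lookups (standing in for HR and CMDB data), the inventory, and the action rules are all constructed assumptions for the example. It scopes a constructed inventory by the risk conditions named above (orphaned, idle, non-expiring, exposed, high-privilege), resolves an owner by trying the creator and then the owning system, lets the admin act directly where the decision is clear, routes the rest to the owner or to an exception queue with a deadline, and writes one audit-trail entry per in-scope identity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Fixed campaign clock so a run is reproducible (constructed value, not real data)
CAMPAIGN_TIME = datetime(2026, 4, 9, tzinfo=timezone.utc)

# Constructed directory data standing in for HR and CMDB lookups (assumptions)
ACTIVE_USERS = {"alice", "bob"}
SYSTEM_OWNERS = {"payments-api": "team-payments", "ci-pipeline": "team-platform"}
HIGH_PRIVILEGES = {"admin", "iam:*", "kms:decrypt"}


@dataclass
class NHI:
    """Minimal non-human identity record; the fields are assumptions for this example."""
    id: str
    kind: str                      # "service_account", "api_key" or "token"
    system: str                    # application or pipeline the identity belongs to
    created_by: str                # human who created it (may have left the organisation)
    last_used: Optional[datetime]  # None means never observed in use
    expires: Optional[datetime]    # None means non-expiring
    privileges: Set[str]
    exposed: bool = False          # set when the secret was found in a repo, log, etc.


def risk_tags(nhi: NHI, now: datetime = CAMPAIGN_TIME, idle_days: int = 90) -> Set[str]:
    """Risk-based scoping: return every risk condition the identity matches."""
    tags = set()
    if nhi.created_by not in ACTIVE_USERS:
        tags.add("orphaned")
    if nhi.last_used is None or now - nhi.last_used > timedelta(days=idle_days):
        tags.add("idle")
    if nhi.expires is None:
        tags.add("non-expiring")
    if nhi.exposed:
        tags.add("exposed")
    if nhi.privileges & HIGH_PRIVILEGES:
        tags.add("high-privilege")
    return tags


def resolve_owner(nhi: NHI) -> Optional[str]:
    """Ownership resolution: creator if still active, else the owning system's team, else None."""
    if nhi.created_by in ACTIVE_USERS:
        return nhi.created_by
    return SYSTEM_OWNERS.get(nhi.system)


def run_campaign(inventory, reviewer="sec-admin", now=CAMPAIGN_TIME, sla_days=7):
    """Scope by risk, act directly where the admin can, route the rest, and emit
    one audit-trail entry per in-scope identity (identity, risk, reviewer, owner,
    action, route, status, timestamp, deadline)."""
    deadline = (now + timedelta(days=sla_days)).isoformat()
    trail = []
    for nhi in inventory:
        tags = risk_tags(nhi, now)
        if not tags:
            continue  # no risk condition matched: out of scope for this campaign
        owner = resolve_owner(nhi)
        entry = {"identity": nhi.id, "kind": nhi.kind, "risk": sorted(tags),
                 "reviewer": reviewer, "owner": owner, "timestamp": now.isoformat()}
        if "exposed" in tags:
            # Direct admin action: an exposed secret is rotated without waiting for the owner
            entry.update(action="rotate", route="direct", status="remediated")
        elif {"orphaned", "idle"} <= tags:
            # Direct admin action: nobody owns it and nothing uses it, so disable it
            entry.update(action="disable", route="direct", status="remediated")
        elif owner is None:
            # Unresolved ownership goes to an exception queue with a deadline, not a pending pile
            entry.update(action="escalate", route="exception-queue", status="pending", deadline=deadline)
        else:
            # Everything else becomes a tracked review task for the resolved owner
            entry.update(action="review", route="owner", status="pending", deadline=deadline)
        trail.append(entry)
    return trail


def campaign_summary(trail):
    """Count entries per route; a quick backlog view between cycles."""
    summary = {}
    for entry in trail:
        summary[entry["route"]] = summary.get(entry["route"], 0) + 1
    return summary


# Constructed inventory of five identities (not real data)
SAMPLE_INVENTORY = [
    NHI("sa-payments-deploy", "service_account", "payments-api", "carol",
        CAMPAIGN_TIME - timedelta(days=200), None, {"admin"}),
    NHI("key-ci-github", "api_key", "ci-pipeline", "alice",
        CAMPAIGN_TIME - timedelta(days=2), CAMPAIGN_TIME + timedelta(days=30), {"repo:read"}, exposed=True),
    NHI("tok-reporting", "token", "reporting-batch", "dave",
        CAMPAIGN_TIME - timedelta(days=10), None, {"kms:decrypt"}),
    NHI("sa-monitoring", "service_account", "ci-pipeline", "bob",
        CAMPAIGN_TIME - timedelta(days=1), CAMPAIGN_TIME + timedelta(days=60), {"metrics:read"}),
    NHI("key-analytics", "api_key", "payments-api", "erin",
        CAMPAIGN_TIME - timedelta(days=5), CAMPAIGN_TIME + timedelta(days=10), {"db:read"}),
]

if __name__ == "__main__":
    import json
    trail = run_campaign(SAMPLE_INVENTORY)
    for entry in trail:
        print(json.dumps(entry))
    print(campaign_summary(trail))
```

Of the five constructed identities, the healthy monitoring account never enters scope, the orphaned and idle deploy account is disabled directly, the exposed CI key is rotated directly, the orphaned token with no system owner lands in the exception queue with a deadline, and the remaining orphaned key becomes a tracked task for the payments team. Each outcome is a full audit entry, so the next cycle can start from the trail instead of rebuilding history from tickets.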
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.
Key takeaways
- NHI access reviews close a governance gap that human-centric IAM workflows still leave open.
- Ownership resolution and auditability matter more than the review event itself for machine identities.
- Risk-scoped campaigns give teams a repeatable way to reduce privilege drift and prove control.
Key terms
- NHI Access Review Campaign: A structured review workflow for non-human identities such as service accounts, API keys, and tokens. It scopes a set of identities, assigns accountable reviewers, and records remediation outcomes so access decisions are auditable and repeatable across cycles.
- Identity Ownership Resolution: The process of finding the person, team, or system responsible for a non-human identity. It matters because many NHIs do not map cleanly to an org chart, and without a real owner, review tasks and remediation actions stall or disappear.
- Audit Trail for NHI Governance: A durable record of what was reviewed, who acted, what changed, and when it changed. In NHI programmes, audit trails are not just compliance artifacts. They are the evidence that access decisions were actually executed and can be reconstructed later.
What's in the full article
Entro's full blog covers the operational detail this post intentionally leaves for the source:
- The step-by-step campaign workflow for scoping NHIs into review cohorts
- The admin action paths for rotating, disabling, approving, or reassigning identities
- The owner-facing review experience, including targeted views and campaign notes
- The status tracking model used to preserve remediation progress and audit evidence
👉 The full post shows how campaign workflows map to direct remediation and owner follow-up
Deepen your knowledge
NHI access review campaigns are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for service accounts, API keys, and machine tokens, it is a practical place to start.
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org