By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Identra.aiPublished June 26, 2026

TL;DR: NHI maturity is rarely uniform, and an assessment matrix splits governance into six dimensions spanning discovery, lifecycle, authentication, authorization, runtime, and delegation so teams can score each on evidence rather than optimism, according to Identra.ai. The core implication is that governance collapses when organisations treat visibility as maturity and ignore the accountability gap between discovered identities and governed identities.


At a glance

What this is: This is a maturity-assessment framework for non-human identity programmes, and its key finding is that organisations are usually advanced in some controls while remaining immature in others.

Why it matters: It matters because IAM, IGA, PAM, and NHI teams need separate evidence for discovery, lifecycle, privilege, runtime containment, and delegation instead of relying on a single headline score.

By the numbers:

👉 Read Identra.ai's assessment of the NHI maturity matrix and scorecard


Context

NHI maturity is not a single control state. A programme can have decent discovery and still fail at lifecycle accountability, or manage authentication well while having little real visibility into runtime use, effective privilege, or delegation. That is why the strongest assessment models score each dimension independently instead of collapsing everything into one maturity label.

For identity teams, the practical question is whether evidence exists for coverage, privilege, runtime containment, and ownership, not whether the environment “feels” governed. That aligns with the wider NHI lifecycle problem described in the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding are often weaker than visibility claims suggest.

The article’s starting position is typical for real enterprise programmes: maturity is uneven, and the gaps usually show up where a human review process is asked to validate machine-scale identity sprawl.


Key questions

Q: How should security teams score NHI maturity without hiding weak controls?

A: Score each control domain separately, using evidence for discovery, lifecycle, authentication, authorization, runtime, and delegation. Do not collapse the result into one average score, because a programme can be strong in inventory and still fail at revocation, containment, or delegated authority. Separate scores make the control gaps visible enough to fix.

Q: Why do NHI programmes often look more mature than they are?

A: They often measure visibility instead of control. Seeing an identity in inventory does not prove ownership, revocation, or containment, and that gap is where many programmes overstate maturity. Real maturity requires proof that the organisation can assign accountability and stop high-risk behaviour when needed.

Q: What breaks when delegated NHI access is treated like a normal account?

A: Account ownership, task context, and stop authority all become ambiguous. Delegated access needs a sponsor, a defined purpose, and a tested path to shut it down. If those are missing, the organisation may know who created the access but not who can control it during an incident.

Q: How can organisations tell whether runtime identity controls are actually working?

A: Look for evidence that unsafe access attempts are being blocked, stepped up, or constrained at the point of use. If the programme only produces reports, alerts, or post-event findings, then it is measuring risk rather than controlling it. The key signal is whether the access path changes in response to policy.


Technical breakdown

Why NHI maturity must be scored by dimension, not by one headline level

A useful maturity model separates discovery, lifecycle, authentication, authorization, runtime observation, and delegation because each dimension has a different failure mode. Discovery asks whether the organisation can find identities. Lifecycle asks whether it can assign ownership and revoke access. Runtime asks whether it can observe and contain misuse. Delegation asks whether agent-to-tool relationships are explicitly governed. Collapsing these into one score hides the fact that a programme can look mature in one row and remain ad hoc in another.

Practical implication: score each dimension on its own evidence and avoid averaging away serious control gaps.

What the maturity matrix reveals about discovery, privilege, and runtime control

The matrix is strongest when it forces teams to compare discovered identities with governed identities, granted permissions with observed use, and visibility with enforceable response. In NHI terms, those are separate questions. An identity can be discovered but not owned, privileged but unused, or observable but not containable. That distinction matters because most operational risk comes from the gap between what security can see and what it can actually stop.

Practical implication: build metrics for observed use, revocation path, and enforceable containment, not just inventory counts.

How delegation governance changes the NHI control model

Delegation is the frontier where ordinary NHI governance becomes insufficient. Once an identity can act on behalf of another principal, the programme needs tested sponsor relationships, clear task context, and a kill switch that is actually exercised. This is not the same as account ownership. It is a governance layer for chains of responsibility that may cross applications, environments, and operating teams. Without that layer, accountability can be asserted on paper but not demonstrated in a live incident.

Practical implication: inventory delegated principals separately and test who can stop them before escalation paths are needed.


NHI Mgmt Group analysis

Uneven NHI maturity is the normal state, not an exception. The article is right to reject the idea that one maturity label can describe an entire non-human identity programme. Discovery, lifecycle, authentication, authorization, runtime, and delegation fail in different ways, so organisations that report a single score are usually hiding variation rather than managing it. The practitioner conclusion is to measure capability by control domain, not by overall comfort level.

Discovery without lifecycle accountability is a false maturity signal. The matrix correctly separates knowing an identity exists from knowing who owns it, when it expires, and how it is revoked. That distinction is central to NHI governance because visibility alone does not stop a service account, token, or delegated principal from persisting after its business purpose ends. The practitioner conclusion is to treat inventory as a starting point, not evidence of control.

Runtime observation and effective containment are the controls that separate visibility from security. A programme can monitor identities extensively and still fail to contain misuse when it matters. That is why runtime metrics such as detect, contain, and enforce matter more than passive logs. The practitioner conclusion is to test whether the organisation can actually interrupt high-risk NHI behaviour, not just notice it after the fact.

Delegation is the named concept that most identity scorecards still underspecify. The article’s agent frontier highlights a governance gap that many maturity models miss: who sponsors delegated action, who can stop it, and whether task context survives the handoff. This is where NHI governance starts to overlap with agentic oversight without becoming a generic automation problem. The practitioner conclusion is to separate delegated authority from simple account ownership.

Identity maturity cannot outrun accountability maturity. The article’s strongest insight is that a sophisticated identity stack still fails if ownership, revocation, and containment are not tested paths rather than assumed processes. That is the part board-level reporting often misses. The practitioner conclusion is to report maturity only where the organisation can prove control under operational pressure.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why inventory alone is not governance.
  • That same lifecycle gap is explored further in NHI Lifecycle Management Guide, where provisioning, rotation, and offboarding are treated as separate control problems.

What this signals

Lifecycle maturity and runtime maturity are diverging faster than most programmes report. A team can improve discovery tooling and still fail to prove ownership, revocation, or containment when identities change hands or act on behalf of other principals. The useful next step is to map where the programme can only observe activity versus where it can actually stop it, then align that with the NIST Cybersecurity Framework 2.0 and the control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls.

Delegation is becoming the clearest indicator of maturity debt. If a programme cannot separate delegated authority from ordinary account ownership, it will keep reporting control where only visibility exists. The operational signal to watch is whether sponsor, scope, and stop authority are tested together, not assumed separately.

With 79% of organisations having experienced secrets leaks according to our Ultimate Guide to NHIs, the broader lesson is that governance fails when control boundaries are defined by documentation instead of enforceable state. Teams should expect more pressure to prove runtime containment, not just access inventory, as NHI estates continue to expand.


For practitioners

  • Score each NHI dimension separately Use evidence-based levels for discovery, lifecycle, authentication, authorization, runtime, and delegation. Avoid averaging scores across rows, because a strong result in one area can mask ad hoc controls in another.
  • Track the discovery-to-governance gap Measure discovered non-human identities against identities with named owners, revocation paths, and approved business purpose. If discovery rises faster than governance, the programme is expanding without accountability.
  • Test runtime containment, not just monitoring Define which critical actions can be blocked or contained in real time, then validate that the control works under load. Logs and alerts are not enough if the organisation cannot interrupt misuse.
  • Separate delegated principals from ordinary service accounts Create an explicit inventory for identities that act on behalf of another principal, including sponsor, scope, and kill-switch ownership. Delegation requires a different control path than static account governance.

Key takeaways

  • NHI maturity is not a single score because discovery, lifecycle, runtime, and delegation fail in different ways.
  • Visibility is not the same as accountability, and inventory without revocation paths creates a false sense of control.
  • Programmes that can prove containment and stop authority will have more credible NHI governance than those that only measure coverage.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01The article centers on discovery, lifecycle, and governance of non-human identities.
NIST CSF 2.0ID.AM-1Asset and identity inventory align with the matrix's discovery dimension.
NIST Zero Trust (SP 800-207)The matrix depends on continuous verification and enforceable containment.
NIST SP 800-53 Rev 5AC-2Accountability and lifecycle ownership depend on account management discipline.

Use NHI control mapping to assess discovery, ownership, rotation, and revocation separately.


Key terms

  • NHI Maturity Model: A framework for assessing an organisation's capability to discover, govern, and secure non-human identities — typically measured across dimensions such as visibility, lifecycle management, least privilege, and monitoring coverage.
  • Effective reach: The real set of systems, resources, and environments an identity can actually influence, not just the permissions listed on paper. For non-human identities, effective reach often matters more than granted access because unused or cross-environment privilege still expands attack surface and operational risk.
  • Delegated Governance: A model in which access decision-making is moved closer to the business users who understand the data best, while security and identity teams retain oversight. It reduces central bottlenecks, but only works when assignment rules, evidence, and escalation paths are explicit and auditable.
  • Session Containment: A control pattern that limits what a single AI agent session can access, retain, or carry forward. It reduces persistence, shared state, and cross-session leakage so that one manipulated interaction does not become an environment-wide security incident.

What's in the full article

Identra.ai's full assessment covers the operational detail this post intentionally leaves for the source:

  • The complete six-dimension maturity matrix with the five-level scoring guidance for each row
  • The scorecard metrics mapped to coverage, privilege, runtime containment, accountability, and delegation
  • The sample organization profile that shows how a real enterprise can be advanced in one dimension and weak in another
  • The article's own framing for how to rate progress without relying on a single headline maturity label

👉 Identra.ai's full assessment shows the matrix, scoring logic, and sample profile in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org