By NHI Mgmt Group Editorial Team
Published 2026-05-01
Domain: Governance & Risk
Source: Oasis Security

TL;DR: NHI ownership remains hard to assign because data is fragmented across CMDBs, identity providers, logs, and manual tagging workflows, according to Oasis Security. That gap matters because accountability, remediation, and attestation all depend on knowing who owns each non-human identity before controls can be enforced.


At a glance

What this is: This is an analysis of NHI ownership discovery and why fragmented identity data makes accountability, remediation, and attestation harder to sustain.

Why it matters: It matters because IAM, IGA, and security teams cannot govern service accounts, API keys, and other NHIs consistently if ownership is incomplete or stale.

👉 Read Oasis Security's blog on solving NHI ownership assignment and attestation


Context

NHI ownership is the accountability layer that tells an organisation who is responsible for a service account, API key, token, or certificate. When that ownership lives across CMDBs, identity providers, logs, and manual tags, the programme loses the ability to answer a basic governance question: who can approve rotation, attestation, or revocation right now?

The article centres on that fragmentation and on the gap between discovery and governance. For IAM and IGA teams, the issue is not just visibility, but whether ownership data is current enough to support joiner-mover-leaver workflows, remediation, and recertification. That is a familiar failure mode in NHI programmes, and it usually shows up first as stale accountability rather than technical compromise.


Key questions

Q: How should security teams assign ownership to non-human identities?

A: Start with a governed ownership record for every non-human identity, then validate it against CMDB, identity provider, log, and application evidence. If the record is inferred, require human attestation before it becomes authoritative. Ownership only works when it is accurate enough to support rotation, review, and revocation decisions.

Q: Why does fragmented NHI ownership create security risk?

A: Because fragmented ownership breaks accountability. When no single team can prove responsibility for a service account or API key, remediation slows down, recertification becomes unreliable, and stale access persists longer than it should. The risk is not just administrative confusion, but delayed control action on identities that may already be overexposed.

Q: What do teams get wrong about AI-assisted NHI ownership discovery?

A: They sometimes treat recommendations as final answers. Discovery tools can narrow the search by correlating logs, metadata, and application relationships, but they do not create accountable ownership on their own. The correct model is recommendation first, attestation second, and governance update only after validation.

Q: How do ownership reviews fit into NHI lifecycle governance?

A: Ownership reviews should be part of the same lifecycle discipline used for joiner-mover-leaver processes, recertification, and offboarding. The owner of the NHI can change as the accountable human or team changes, so the governance record must be reviewed whenever organisational responsibility shifts, not only when the credential changes.


Technical breakdown

Why NHI ownership becomes fragmented across systems

NHI ownership data often sits in separate administrative planes. A CMDB may record a business owner, the identity provider may know which application uses the credential, and logs may show who touched it last, but none of those sources guarantees an authoritative owner. In practice, identity governance fails when no single system preserves the relationship between the credential, the workload, and the accountable human or team. That gap is especially common for service accounts and API keys because they are provisioned for machines, not people.

Practical implication: map ownership into one governed record before rotation, recertification, or offboarding depends on it.

How AI-assisted ownership discovery works in NHI governance

AI and machine learning can infer likely owners by correlating application inventories, logs, free-text metadata, similarity signals, and third-party application relationships. That does not create ownership automatically. It produces a recommendation layer that still needs human validation because inferred responsibility can diverge from operational reality, especially where teams reuse credentials, clone workloads, or inherit legacy accounts. The value is in reducing manual search time while surfacing candidate owners that would otherwise stay hidden.

Practical implication: treat discovery outputs as governed recommendations and require attestation before changing ownership records.

Why attestation matters after discovery

Ownership discovery is only the first half of the control. Attestation turns a probable match into an accountable record by forcing review, correction, and sign-off over time. Without that step, the programme accumulates stale assignments as teams change, services move, and responsibilities shift. This is where lifecycle governance becomes central: ownership has to track joiner-mover-leaver events for the people responsible for the NHI, not just for the NHI itself.

Practical implication: couple ownership discovery with recurring attestation so the record stays valid after organisational changes.


Related breaches

  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Ownership discovery is an accountability control, not a discovery feature. The article is really about whether an organisation can sustain a trusted owner for each non-human identity when data is scattered across operational systems. Without that accountable anchor, rotation, attestation, and revocation become coordination problems instead of governance actions. The practitioner takeaway is that ownership must be treated as a control object, not a label.

Ownership drift: the control gap this post exposes is the gap between where NHIs are used and where accountability is recorded. CMDB entries, identity provider records, and manual tags can each be partly correct while still producing no authoritative answer. That is a classic NHI governance failure mode because the lifecycle of the credential moves faster than the administrative record. Practitioners should see this as a record-integrity problem before it becomes a security event.

Joiner-mover-leaver workflows remain the right governance lens for NHI owners. The article correctly shows that ownership data becomes stale when it is disconnected from organisational movement. That means lifecycle governance has to cover the human owner of the NHI, not only the machine credential itself. The implication is that recertification and offboarding processes are only as good as the ownership source they depend on.

AI can narrow the search, but it does not replace authoritative governance. Recommendation engines can correlate logs, free-text fields, and application relationships, yet the resulting ownership claim still needs attestation. That distinction matters because governance fails when inferred responsibility is mistaken for approved responsibility. The practitioner conclusion is to use automation to accelerate review, not to redefine accountability.

NHI ownership becomes a security boundary when business continuity depends on it. If the wrong owner is assigned, rotations are delayed, response is slowed, and business-impacting changes are approved by the wrong party. That makes ownership accuracy a prerequisite for both security and operational resilience. Teams should therefore measure ownership quality with the same seriousness they apply to credential hygiene.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For the broader identity control model, read Ultimate Guide to NHIs.

What this signals

Ownership drift is becoming a measurable governance problem, not a housekeeping issue. When organisations cannot keep an authoritative owner attached to an NHI, lifecycle controls lose their trigger condition. That is why ownership quality should be tracked alongside rotation, recertification, and offboarding in identity operations dashboards.

The strongest programmes will treat AI-assisted discovery as an input to attestation rather than as a replacement for governance. Ultimate Guide to NHIs remains the baseline reference for how ownership, rotation, and visibility fit together in mature NHI programmes.

With 92% of organisations exposing NHIs to third parties, according to The State of Non-Human Identity Security, ownership accuracy increasingly determines whether external access can be governed at all. That shifts the question from discovery to accountability, especially where vendors, integrators, and platform teams share responsibility.


For practitioners

  • Create one authoritative ownership record for each NHI: tie every service account, API key, token, and certificate to a governed owner field that is sourced from one approved system of record and reconciled against CMDB, identity provider, and log evidence.
  • Require attestation before ownership changes are accepted: use a review workflow that forces business validation of AI-generated ownership recommendations before they update the authoritative record, especially for inherited or legacy identities.
  • Link NHI ownership to joiner-mover-leaver events: update owner assignments whenever the accountable human changes role, leaves a team, or transfers service responsibility, so the governance record does not outlive the operating model.
  • Prioritise stale or unowned credentials for remediation: flag identities with missing owners, conflicting owners, or no recent attestation as high-risk remediation candidates before rotation or recertification cycles begin.
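The reconciliation that the technical breakdown and the practitioner list describe, as an added Python example: it merges CMDB, identity-provider and log evidence for each NHI, keeps an inferred candidate separate from the attested owner, ages attestations, and queues unowned, conflicting and stale records ahead of merely inferred ones. This is not Oasis Security's or NHIMG's code. The source shapes, NHI identifiers, team names, the 90-day attestation window and every sample record are constructed assumptions for illustration.

```python
"""Reconcile fragmented NHI ownership evidence into one governed record.

Added example for this article; not Oasis Security's or NHIMG's code. It
assumes three exported sources (a CMDB extract, an IdP application inventory
and a last-actor summary derived from logs) plus a table of human attestations.
All identifiers and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Assumption: an ownership attestation is valid for one quarterly cycle.
ATTESTATION_MAX_AGE = timedelta(days=90)

# Sources that assert a responsible team. Log data is kept as a hint only:
# the last actor to touch a credential is evidence, not an owner.
TEAM_SOURCES = ("cmdb", "idp")
STATUS_PRIORITY = {"unowned": 0, "conflict": 1, "stale": 2, "inferred": 3, "attested": 4}


@dataclass
class OwnershipRecord:
    nhi_id: str
    status: str
    owner: Optional[str] = None        # authoritative; set only through attestation
    recommended: Optional[str] = None  # inferred candidate awaiting human sign-off
    evidence: Dict[str, str] = field(default_factory=dict)
    attested_on: Optional[date] = None


def reconcile(cmdb, idp, logs, attestations, today):
    """Build one record per NHI seen in any source; never promote inference to ownership."""
    nhi_ids = set(cmdb) | set(idp) | set(logs) | set(attestations)
    records = {}
    for nhi in sorted(nhi_ids):
        evidence = {}
        if cmdb.get(nhi):                      # CMDB rows with a blank owner are not evidence
            evidence["cmdb"] = cmdb[nhi]
        if nhi in idp:
            evidence["idp"] = idp[nhi]["app_owner"]
        if nhi in logs:
            evidence["log_last_actor"] = logs[nhi]
        rec = OwnershipRecord(nhi, status="unowned", evidence=evidence)

        if nhi in attestations:
            owner, on = attestations[nhi]
            rec.owner, rec.attested_on = owner, on
            rec.status = "attested" if today - on <= ATTESTATION_MAX_AGE else "stale"
        else:
            teams = {evidence[s] for s in TEAM_SOURCES if s in evidence}
            if len(teams) == 1:
                rec.status, rec.recommended = "inferred", teams.pop()
            elif len(teams) > 1:
                rec.status = "conflict"        # CMDB and IdP disagree: a human must decide
            # no team assertion at all: stays "unowned"; any log hint is kept in evidence
        records[nhi] = rec
    return records


def remediation_queue(records):
    """NHIs that need human action, riskiest first (unowned, conflict, stale, inferred)."""
    pending = [r for r in records.values() if r.status != "attested"]
    return [r.nhi_id for r in sorted(pending, key=lambda r: (STATUS_PRIORITY[r.status], r.nhi_id))]


def attest(record, owner, approver, on):
    """Human sign-off is the only path from a recommendation to an authoritative owner."""
    if not approver:
        raise ValueError("attestation requires a named human approver")
    record.owner, record.attested_on, record.status = owner, on, "attested"
    record.recommended = None
    return record


# Constructed sample data: hypothetical systems, identities and teams.
CMDB = {"svc-billing-db": "payments-team", "svc-legacy-etl": "data-eng", "api-key-vendor-x": None}
IDP = {
    "svc-billing-db": {"app": "billing", "app_owner": "payments-team"},
    "svc-legacy-etl": {"app": "etl", "app_owner": "analytics"},
    "cert-edge-tls": {"app": "edge-proxy", "app_owner": "platform"},
    "token-ci-deploy": {"app": "ci", "app_owner": "platform"},
}
LOGS = {"svc-billing-db": "alice", "svc-legacy-etl": "bob", "api-key-vendor-x": "ci-runner"}
ATTESTATIONS = {
    "svc-billing-db": ("payments-team", date(2026, 3, 15)),
    "cert-edge-tls": ("platform", date(2025, 10, 1)),
}
TODAY = date(2026, 5, 1)

if __name__ == "__main__":
    recs = reconcile(CMDB, IDP, LOGS, ATTESTATIONS, TODAY)
    for nhi in remediation_queue(recs):
        r = recs[nhi]
        print(f"{nhi:18} {r.status:9} owner={r.owner} recommended={r.recommended} evidence={r.evidence}")
```

Two design choices carry the article's point. First, `owner` is written only by `attest`, so a candidate inferred from CMDB or IdP agreement stays in `recommended` until a named human signs it off, and a log actor never becomes an owner at all. Second, an attestation older than the review window keeps its owner but drops to `stale`, so the record still names a decision-maker for urgent rotation while being queued for re-review.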

Key takeaways

  • NHI ownership fails when accountability is split across CMDBs, identity platforms, logs, and manual tags.
  • AI-assisted discovery can narrow the search for owners, but attestation is what turns inference into governed responsibility.
  • Lifecycle processes such as recertification and offboarding only work when ownership stays current as teams and responsibilities change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference                              | Relevance
OWASP Non-Human Identity Top 10  | NHI1:2025 Improper Offboarding                   | Ownership and attestation are core to NHI lifecycle and governance.
NIST CSF 2.0                     | PR.AA-05 (the CSF 2.0 successor to PR.AC-4)      | Least-privilege and account accountability depend on accurate ownership records.
NIST Zero Trust (SP 800-207)     | Section 2.1, Tenets of Zero Trust                | Zero Trust requires trustworthy identity context before access is authorised.

Treat authoritative ownership as part of the identity context used for access decisions.


Key terms

  • NHI Ownership: NHI ownership is the assignment of accountability for a non-human identity to a person or team that can approve changes, reviews, and remediation. It is a governance control, not a technical property. Good ownership records make rotation, attestation, and offboarding actionable instead of ambiguous.
  • Ownership Attestation: Ownership attestation is the periodic confirmation that the recorded owner of an NHI is still correct. It turns discovery into a governed control by forcing validation, correction, and sign-off. Without attestation, ownership records drift as teams change and service responsibility moves.
  • Joiner-Mover-Leaver Workflow: A joiner-mover-leaver workflow is the lifecycle process used to update access and accountability when people enter, change roles, or leave an organisation. For NHI governance, it matters because the human responsible for an identity can change even when the credential itself does not.
  • Ownership Drift: Ownership drift occurs when the person or team recorded as responsible for an NHI no longer matches operational reality. It often appears after reorganisations, platform migrations, or inherited service accounts. Drift weakens response, rotation, and certification because the governance record no longer points to the right decision-maker.

Deepen your knowledge

NHI ownership discovery and attestation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building accountability controls for service accounts and API keys, it is worth exploring.

This post draws on content published by Oasis Security: Solving Non Human Identity Ownership with Oasis Part 1. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org