By NHI Mgmt Group Editorial Team
Published 2026-05-27
Domain: Best Practices
Source: Oasis Security

TL;DR: Broken NHI provisioning creates orphaned accounts, over-permissioned identities, and secrets that never rotate, while AI workloads and agentic architectures amplify the sprawl, according to Oasis Security. The real failure is treating provisioning as a one-time task instead of a lifecycle control point that establishes ownership, policy, and accountability from day one.


At a glance

What this is: This analysis says NHI provisioning is failing because organisations treat it as a ticketing step instead of a governance control, leading to orphaned accounts, standing privileges, and unrotated secrets.

Why it matters: That matters because IAM, PAM, and lifecycle teams need provisioning to establish ownership and policy early, or NHI sprawl will outpace review, rotation, and offboarding across human and autonomous programmes.

By the numbers:

👉 Read Oasis Security's analysis of why NHI provisioning is broken


Context

Non-human identity provisioning is the process of creating system and application accounts, assigning access, and generating credentials where needed. The article argues that this step is usually handled as a one-off request rather than a governed lifecycle event, which is why ownership, least privilege, and rotation often fail before the identity is even used.

For IAM and PAM teams, that framing matters because provisioning is where policy should be embedded, not where exceptions begin. The same logic now extends into AI workloads and agentic architectures, where identities are created faster than teams can classify, review, or offboard them.

When provisioning is improvised through tickets, scripts, or copy-paste patterns, the result is predictable: undocumented identities, static secrets, and weak accountability. That is not a tooling issue alone; it is a lifecycle design flaw that scales across cloud, automation, and autonomous systems.


Key questions

Q: What breaks when NHI provisioning is treated as a one-time task?

A: When provisioning is treated as a one-time task, organisations lose the metadata needed to govern the identity after creation. Ownership, purpose, access scope, rotation, and retirement never become part of the lifecycle, so orphaned accounts and persistent secrets accumulate. That creates lasting exposure because the account can still authenticate even when no one can justify why it exists.

Q: Why do poorly governed NHIs increase lateral movement risk?

A: Poorly governed NHIs often retain more access than they need and keep credentials active long after the original task changes. That combination gives attackers a durable foothold for moving between systems, especially when the identity is undocumented or shared across workflows. The risk rises when no one can quickly prove whether the access is still legitimate.

Q: How do security teams know if NHI provisioning is actually working?

A: Provisioning is working when every identity is traceable from creation through retirement, with clear ownership, documented purpose, and enforced rotation. A useful signal is whether the team can answer who owns the account, why it exists, what it can access, and when it will be removed without chasing Slack messages or tribal knowledge.

Q: Who is accountable when an unowned NHI is left active?

A: Accountability should sit with the business service owner and the identity governance process that approved creation. If no owner can be identified, the organisation has a governance failure, not just a technical one. Frameworks such as the NHI lifecycle approach and zero trust both depend on proving who is responsible for an identity throughout its life.


Technical breakdown

Why one-time NHI provisioning creates governance debt

Provisioning should establish the identity's purpose, owner, access boundary, and credential model from the start. When teams treat it as a one-time setup task, they create governance debt: the account exists, but the conditions for reviewing, rotating, and retiring it are never formalised. That is why orphaned accounts and persistent secrets appear later as symptoms of an earlier design choice. In practice, the failure is not just speed. It is the absence of lifecycle metadata that would let IAM, security, and application owners govern the identity after creation.

Practical implication: require ownership, purpose, and expiry metadata at provisioning time before any credential is issued.

How ungoverned automation sprawl turns into NHI exposure

Automation can create identities at scale, but scale without central policy creates shadow NHI sprawl. Developer scripts, Terraform modules, and ad hoc integrations can all mint credentials faster than review processes can track them. The technical problem is that creation and governance become detached, so access persists after the original use case changes. That is why untracked identities, over-privileged defaults, and abandoned accounts cluster together. The article's examples show a common pattern: access is granted for convenience, then never revisited because no control point was designed into the workflow.

Practical implication: tie automated identity creation to policy enforcement, inventory registration, and explicit retirement rules.

Why AI workloads make provisioning failures harder to contain

AI workloads and agentic architectures increase the rate at which non-human identities appear, disappear, and interconnect. Each service, orchestration layer, or agent interaction can require separate credentials or federated identities, which means provisioning errors multiply across the chain. The control problem is not only volume. It is that identity creation now happens in dynamic runtime environments where manual handoffs cannot keep pace. In that setting, unmanaged provisioning becomes a multiplier for secrets exposure, excessive permissions, and unknown access paths across cloud and hybrid estates.

Practical implication: design provisioning for dynamic workloads with short-lived credentials, central visibility, and automated lifecycle triggers.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Provisioning is the first governance decision, not an administrative step. The article is right to frame NHI provisioning as a foundational control point because the access model is effectively set before the identity ever enters production. If ownership, scope, and retirement conditions are absent at creation, every later control becomes compensating rather than preventive. For practitioners, the implication is that provisioning design determines downstream governance quality across IAM, PAM, and lifecycle.

Shortcuts at creation become permanent attack surface. Copy-pasted access patterns, Slack-shared keys, and temporary secrets that survive into production are not isolated mistakes. They are the visible output of a provisioning process that allows convenience to outrank policy. That pattern aligns with the OWASP NHI Top 10 concerns around excessive privileges and poor secret handling, and it is why abandoned identities become durable exposure points for attackers.

Untracked automation is a governance failure, not just an operational one. Once developers or scripts can create NHIs outside the formal process, inventory, accountability, and review all degrade together. The problem is broader than missed documentation. It means the organisation can no longer prove what exists, who owns it, or whether it still needs access. Practitioners should treat this as a control-plane gap in NHI governance, not a cleanup exercise.

AI workloads expose a provisioning model that was designed for stable systems. Provisioning workflows built for slow-moving application estates assume identities are created, reviewed, and retired in human-paced cycles. That assumption fails when orchestration frameworks and autonomous services spin up NHIs dynamically and at scale. The implication is that identity lifecycle governance must be rethought for runtime creation patterns, because the old ticket-and-approval model cannot see fast-moving access.

Ephemeral credential trust debt: The article points to a structural problem where organisations issue credentials faster than they can prove ownership, rotation, or retirement. That debt accumulates silently until the environment is full of identities that still authenticate but no longer have a justified business purpose. For practitioners, the lesson is that provisioning debt is itself a security metric.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • The rotation gap is visible in 71% of NHIs not being rotated within recommended time frames, a pattern that keeps stale access alive longer than most risk teams expect.

What this signals

NHI provisioning is becoming a control-plane problem. As AI workloads and agentic architectures create identities faster than review cycles can absorb, the old assumption that provisioning is a bounded request no longer holds. Teams should expect lifecycle governance to move upstream into creation workflows, inventory controls, and automated retirement triggers, with the NHI Lifecycle Management Guide becoming more relevant to operational design.

The programme signal is clear: if identity creation is still detached from ownership, policy, and rotation, the organisation is already paying provisioning debt. A practical measure of maturity is whether the team can explain every active NHI without relying on tribal knowledge, spreadsheets, or manual search across ticketing and chat tools.

In hybrid estates, provisioning gaps tend to show up first as secret sprawl and then as offboarding failures. The 52 NHI Breaches Analysis is useful here because it shows how small lifecycle lapses become durable exposure, which is why teams need to treat creation controls as part of breach prevention rather than admin hygiene.


For practitioners

  • Require lifecycle metadata at creation: Make owner, purpose, system of record, and retirement condition mandatory before an NHI can receive credentials. Reject requests that cannot name the business service and the person accountable for decommissioning.
  • Block credential issuance outside governed workflows: Prevent developers and automation from minting production identities through ad hoc scripts, chat requests, or manual handoffs. Route all creation through a controlled workflow that records the identity in inventory at the moment it is born.
  • Bind automation to policy, not tribal knowledge: Translate common provisioning patterns into enforceable policy so least privilege, vaulting, and rotation are applied consistently across teams and environments. Do not rely on copy-pasted templates that drift from the approved baseline.
  • Create retirement triggers for abandoned identities: Tie offboarding to pipeline ownership changes, service decommissioning, and unused credential detection so identities are removed when their use case disappears. Review dormant accounts before they become persistence points.
  • Separate fast creation from slow trust expansion: Allow rapid identity creation only when the initial access boundary is narrow and time bound. Expand privileges later only after the identity has an owner, telemetry, and a verified need.
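
An added example of the retirement triggers in the list above (and of the "automated lifecycle triggers" the AI-workloads section asks for): it joins an NHI inventory against authentication log lines and flags identities that are past expiry, dormant beyond a threshold, never used since creation, owned by someone who has left, or tied to a decommissioned service, and reports principals that authenticate without any inventory record as shadow sprawl. This is illustrative code, not Oasis Security's or NHI Mgmt Group's; the inventory, the log lines, the log format and the 30-day dormancy window are all constructed assumptions.

```python
"""Retirement triggers for non-human identities.
Added example, not Oasis Security's or NHI Mgmt Group's code. The inventory,
log lines, log format and 30-day dormancy window are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

DORMANCY = timedelta(days=30)    # assumption: unused this long means "abandoned"

# Assumed log format: "<ISO-8601 UTC timestamp> auth=<ok|fail> principal=<name> ..."
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
                    r"auth=(?P<result>ok|fail) principal=(?P<principal>\S+)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_successful_auth(lines) -> dict:
    """Map principal -> most recent successful authentication.
    Failed attempts are ignored: they show someone tried, not that the identity is in use."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "ok":
            continue
        ts, p = _ts(m["ts"]), m["principal"]
        if p not in seen or ts > seen[p]:
            seen[p] = ts
    return seen


def retirement_candidates(inventory: dict, last_seen: dict, departed_owners: set,
                          decommissioned: set, now: datetime) -> dict:
    """Return {identity: [reasons]} for everything that should be reviewed or removed."""
    findings = {}
    for name, rec in inventory.items():
        reasons = []
        if rec["expires_at"] <= now:
            reasons.append("expired")
        seen = last_seen.get(name)
        if seen is None:
            if now - rec["created_at"] > DORMANCY:     # fresh identities get a grace period
                reasons.append("never used since creation")
        elif now - seen > DORMANCY:
            reasons.append("dormant %dd" % (now - seen).days)
        if rec["owner"] in departed_owners:
            reasons.append("owner departed")
        if rec["service"] in decommissioned:
            reasons.append("service decommissioned")
        if reasons:
            findings[name] = reasons
    # Anything that authenticates without an inventory record is shadow sprawl.
    for p in last_seen:
        if p not in inventory:
            findings[p] = ["not in inventory"]
    return findings


def run_demo() -> dict:
    """Run the triggers over a constructed inventory and constructed log lines."""
    now = datetime(2026, 5, 27, tzinfo=timezone.utc)
    d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
    inventory = {   # constructed
        "ci-deployer": {"owner": "alice@example.com", "service": "billing-ci",
                        "created_at": d(2026, 1, 10), "expires_at": d(2026, 7, 1)},
        "report-bot": {"owner": "bob@example.com", "service": "reports",
                       "created_at": d(2026, 1, 10), "expires_at": d(2026, 4, 1)},
        "legacy-sync": {"owner": "carol@example.com", "service": "inventory-v1",
                        "created_at": d(2026, 2, 1), "expires_at": d(2026, 8, 1)},
        "agent-runner": {"owner": "dave@example.com", "service": "agents",
                         "created_at": d(2026, 5, 20), "expires_at": d(2026, 6, 20)},
    }
    log = [   # constructed
        "2026-05-25T08:12:01Z auth=ok principal=ci-deployer src=10.0.0.5",
        "2026-03-15T00:00:00Z auth=ok principal=report-bot src=10.0.0.9",
        "2026-05-26T09:00:00Z auth=fail principal=legacy-sync src=10.0.0.7",
        "2026-05-26T10:00:00Z auth=ok principal=scratch-svc src=10.0.0.8",
    ]
    return retirement_candidates(inventory, last_successful_auth(log),
                                 departed_owners={"carol@example.com"},
                                 decommissioned={"inventory-v1"}, now=now)
```

`run_demo()` leaves `ci-deployer` (recently used) and `agent-runner` (created a week ago, still inside the grace period) alone, flags `report-bot` as expired and dormant, stacks three reasons on `legacy-sync`, and surfaces `scratch-svc`, which authenticates successfully but was never provisioned through inventory. The failed login for `legacy-sync` deliberately does not count as use.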

Key takeaways

  • NHI provisioning fails when organisations treat creation as a setup task instead of the first lifecycle control point.
  • The scale of the problem is visible in orphaned accounts, persistent secrets, and access that outlives its business purpose.
  • The control that changes the outcome is not faster ticketing, but governed creation with ownership, policy, and retirement built in.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | Broken provisioning leaves identities with no retirement path and secrets that never rotate, so stale access persists.
NIST CSF 2.0 | PR.AA-05 | Access permissions and authorizations must be defined in policy, enforced, and reviewed, and must apply least privilege from creation.
NIST Zero Trust (SP 800-207) | SP 800-207 | Dynamic NHI creation needs continuous verification and narrow trust boundaries.

Map NHI provisioning to least-privilege access reviews and remove excess permissions early.


Key terms

  • Non-Human Identity Provisioning: The process of creating, assigning, and preparing machine identities for use in systems and applications. In practice, it should establish ownership, purpose, access scope, and retirement conditions at the moment the identity is created, not after the account is already active.
  • Governance Debt: The accumulation of unresolved identity control weaknesses created when teams prioritise speed over lifecycle design. In NHI environments, it shows up as accounts with unclear ownership, undocumented purpose, stale credentials, and no reliable retirement path, all of which make later security work harder.
  • Ungoverned Automation Sprawl: The growth of identities created by scripts, pipelines, or developers outside approved provisioning workflows. It is a governance issue because those identities often lack inventory records, ownership, rotation rules, and decommissioning triggers, leaving the organisation unable to account for them cleanly.

Deepen your knowledge

NHI provisioning, ownership, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to turn ad hoc account creation into a governed process, it is worth exploring.

This post draws on content published by Oasis Security: What is Non Human Identity provisioning and why is it broken? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org