TL;DR: NIST CSF 2.0 adds a Govern function and a broader governance lens that pushes cybersecurity programmes, including identity security, toward clearer accountability, risk ownership, and policy discipline, according to Netwrix’s overview of the framework. For IAM teams, the shift matters because NHI, autonomous, and human identity controls now need to be mapped to governance outcomes, not just technical safeguards.
At a glance
What this is: This is an overview of NIST CSF 2.0, with a focus on the new Govern function and what it changes for security programmes.
Why it matters: It matters to IAM practitioners because identity governance now has to align across human, NHI, and autonomous identities, not only within access control tooling.
👉 Read Netwrix's overview of what's new in NIST CSF 2.0
Context
NIST Cybersecurity Framework 2.0 expands the framework beyond the traditional protect-detect-respond posture by making governance a first-class concern. For identity teams, that matters because access decisions, ownership, and lifecycle controls are no longer background tasks. They are part of the operating model that determines whether human, non-human, and autonomous access can be trusted.
The practical problem is not that organisations lack controls. It is that many programmes still treat identity governance as a set of disconnected activities, while CSF 2.0 pushes for an integrated view of risk, policy, and accountability. That is especially relevant where NHIs and AI-driven systems create access patterns that move faster than periodic review cycles.
Key questions
Q: How should security teams apply NIST CSF 2.0 to identity governance?
A: Security teams should use NIST CSF 2.0 to make identity ownership, policy enforcement, and lifecycle accountability measurable. That means mapping human, NHI, and autonomous access into the Govern function, then checking whether provisioning, review, and revocation are actually operating as intended across each identity class.
Q: Why does NIST CSF 2.0 matter for non-human identities?
A: NIST CSF 2.0 matters for non-human identities because it shifts the focus from isolated technical controls to accountable governance. Service accounts, API keys, and workload identities often fail when nobody owns their lifecycle, and the framework helps teams identify that governance gap before it becomes an audit or breach issue.
Q: How do Profiles and Tiers help IAM programmes mature?
A: Profiles and Tiers help IAM programmes compare current practice with target outcomes and maturity expectations. For identity teams, that makes it easier to see whether governance is actually reducing access sprawl, improving offboarding, and closing review gaps across human and non-human identities.
Q: What is the difference between control implementation and governance under CSF 2.0?
A: Control implementation is the technical act of enforcing access rules. Governance under CSF 2.0 is the broader discipline of deciding who owns those rules, how exceptions are approved, and how the organisation proves they still work across changing identity types and access patterns.
Technical breakdown
What the Govern function changes in identity governance
NIST CSF 2.0 makes governance explicit by requiring organisations to define, direct, and monitor cybersecurity policy at the programme level. In identity terms, that shifts the conversation from isolated access controls to ownership, decision rights, and oversight of who or what can act inside the environment. This matters for NHIs because service accounts, tokens, and workload identities often exist outside the same governance structure used for human users. The framework does not replace identity controls, but it does force them into a clearer accountability model.
Practical implication: map identity ownership, review cadence, and lifecycle responsibility into the Govern function rather than treating them as separate IAM tasks.
Profiles and Tiers as identity governance planning tools
Profiles describe where a programme is now and where it needs to be, while Tiers indicate the maturity of governance and risk management practices. For identity security, that means organisations can use CSF 2.0 to compare how well human IAM, NHI governance, and emerging autonomous access models are actually controlled. The value is not in the labels themselves. It is in using them to expose where policy exists but enforcement is weak, or where access exists without a defined lifecycle owner.
Practical implication: use Profiles and Tiers to identify which identity populations have policy, ownership, and enforcement gaps.
Why CSF 2.0 matters for non-human and autonomous identities
CSF 2.0 is especially useful where identity behaviour is machine-driven, because those identities can scale faster than manual governance processes. Service accounts, API keys, and AI agents create control pressure around provisioning, review, and offboarding. The framework helps teams frame those problems as governance failures, not just technical hygiene issues. That is important because the same entitlement can be low risk for one actor and dangerous for another, depending on how access is created, monitored, and retired.
Practical implication: align NHI and autonomous identity controls to CSF 2.0 governance outcomes, then test whether lifecycle controls actually match runtime behaviour.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Governance is the missing control plane for identity security. NIST CSF 2.0 validates what identity teams have already learned in practice: access control without governance produces fragmented ownership, weak review discipline, and inconsistent remediation. That is true for human identity, but it becomes more visible in NHI programmes where entitlement sprawl and lifecycle drift accumulate quickly. Practitioners should treat governance as the layer that makes every other identity control measurable and enforceable.
CSF 2.0 gives NHI programmes a language for accountability, not just configuration. The framework is useful because it forces teams to ask who owns a service account, who approves its lifecycle, and who is accountable when access outlives the business need. That is a better question than whether a tool can discover the account. Identity governance programmes should use CSF 2.0 to make ownership and review responsibilities auditable.
Named concept: identity governance drift. CSF 2.0 surfaces the gap between written policy and operational reality, which is where identity programmes most often fail. The policy says access is reviewed, the environment says access persists, and the organisation only notices when an incident or audit exposes the mismatch. Practitioners should measure whether governance changes are actually reducing that drift across humans, NHIs, and autonomous systems.
For autonomous identity, the framework pressure shifts from entitlement management to decision accountability. If an AI system can select tools and act at runtime, then the governance question is no longer only what access exists. It becomes who is accountable for the decisions that led to the access pattern in the first place. Teams should use CSF 2.0 to separate static permissions from runtime decision authority, then govern both as distinct risks.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why governance failures persist even when teams believe controls are in place.
- NIST CSF 2.0 becomes more useful when paired with the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for lifecycle governance and ownership mapping.
What this signals
Identity governance drift: the most common CSF 2.0 failure mode is not missing policy, but policy that never reaches operational identity behaviour. That means IAM teams should test whether ownership, review, and revocation are visible in practice, not just documented in standards.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, Key Challenges and Risks, governance programmes need to track whether access decisions are being made at the right level and whether exceptions are accumulating faster than they can be removed.
CSF 2.0 should push practitioners toward tighter identity lifecycle controls, clearer decision rights, and better evidence collection. For teams managing mixed human, NHI, and autonomous estates, that means the framework is most valuable when it is translated into ownership models and review triggers that match runtime reality.
For practitioners
- Map identity ownership into the Govern function: Assign named owners for every major identity population, including service accounts, tokens, certificates, and AI agents. Make ownership visible in risk registers, policy exceptions, and access review workflows so governance is not informal knowledge held by platform teams.
- Separate lifecycle responsibility from technical administration: Document who provisions, who reviews, and who revokes access for each identity class. The same engineer should not be the only person able to create, approve, and retire privileged non-human identities.
- Use CSF 2.0 Profiles to expose entitlement drift: Build current and target profiles for human IAM, NHI, and autonomous access paths. Compare them to identify where policy exists but enforcement, logging, or offboarding is incomplete.
- Tie review cadence to actual identity behaviour: If access is ephemeral or machine-driven, quarterly reviews are often too slow to matter. Set review and monitoring cycles based on how quickly the identity can gain, use, and abandon privilege.
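The four practitioner steps above, together with the "identity governance drift" concept from the analysis section, can be turned into a repeatable check over an identity inventory. The following Python script is an added example written for this page; it is not code from NHIMG, Netwrix, or the NIST CSF itself. It assumes a small constructed inventory of human, service-account, API-key, and AI-agent identities, plus hypothetical policy thresholds (90-day rotation, 60-day dormancy) that you would replace with your own standard. `check_identity` flags the drift conditions the steps describe (missing owner, one person provisioning, approving and revoking a privileged NHI, overdue rotation or review, a review cadence slower than the credential's lifetime, and active-but-dormant access), and `profile_gap` summarises the result per identity class as a current-versus-target Profile.

```python
"""Identity governance drift check over a constructed identity inventory.

Added illustration for this page, not NHIMG, Netwrix or NIST code.
Thresholds and inventory records are assumptions made up for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (hypothetical; align to your own standard).
MAX_SECRET_AGE_DAYS = 90   # rotation expectation for non-human credentials
DORMANT_AFTER_DAYS = 60    # unused-but-active access counts as lifecycle drift


@dataclass
class Identity:
    name: str
    kind: str                      # "human", "service_account", "api_key", "ai_agent"
    privileged: bool
    owner: Optional[str]           # named lifecycle owner (Govern function mapping)
    provisioner: str               # who creates the identity
    approver: str                  # who approves its access
    revoker: str                   # who retires it
    review_cadence_days: int       # what the written policy promises
    credential_lifetime_days: int  # how long one credential can live
    last_rotated: date
    last_reviewed: Optional[date]
    last_used: Optional[date]


def check_identity(ident: Identity, today: date) -> List[str]:
    """Return governance-drift findings for one identity (empty list = no drift)."""
    findings: List[str] = []
    if not ident.owner:
        findings.append("no named owner")
    # Separation of lifecycle responsibility from technical administration.
    if ident.privileged and ident.provisioner == ident.approver == ident.revoker:
        findings.append("single person provisions, approves and revokes")
    if ident.kind != "human" and (today - ident.last_rotated).days > MAX_SECRET_AGE_DAYS:
        findings.append("credential rotation overdue")
    # Policy says access is reviewed; check whether the environment agrees.
    if ident.last_reviewed is None or (today - ident.last_reviewed).days > ident.review_cadence_days:
        findings.append("access review overdue against documented cadence")
    # A credential that can be issued, used and retired between two reviews
    # is never actually seen by the review process.
    if ident.credential_lifetime_days < ident.review_cadence_days:
        findings.append("review cadence slower than credential lifetime")
    if ident.last_used is None or (today - ident.last_used).days > DORMANT_AFTER_DAYS:
        findings.append("active but dormant")
    return findings


def drift_report(inventory: List[Identity], today: date) -> Dict[str, List[str]]:
    """Map each identity name to its list of drift findings."""
    return {i.name: check_identity(i, today) for i in inventory}


def profile_gap(inventory: List[Identity], today: date, target_pct: float = 100.0) -> Dict[str, dict]:
    """Profile-style view: per identity class, share with no drift versus the target."""
    counts: Dict[str, List[int]] = {}
    for ident in inventory:
        total_ok = counts.setdefault(ident.kind, [0, 0])
        total_ok[0] += 1
        total_ok[1] += 0 if check_identity(ident, today) else 1
    return {
        kind: {
            "current_pct": round(100.0 * ok / total, 1),
            "target_pct": target_pct,
            "gap_pct": round(target_pct - 100.0 * ok / total, 1),
        }
        for kind, (total, ok) in counts.items()
    }


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2026, 4, 17)
INVENTORY = [
    Identity("alice", "human", False, "alice", "iam-team", "manager-a", "iam-team",
             90, 365, date(2026, 2, 1), date(2026, 3, 1), date(2026, 4, 16)),
    Identity("contractor-dave", "human", False, "vendor-mgmt", "iam-team", "manager-b", "iam-team",
             90, 365, date(2026, 2, 1), None, None),
    Identity("svc-billing-etl", "service_account", True, None, "bob", "bob", "bob",
             90, 365, date(2025, 10, 1), date(2025, 11, 15), date(2026, 4, 15)),
    Identity("ci-deploy-token", "api_key", True, "platform-team", "ci-system", "platform-lead", "ci-system",
             90, 7, date(2026, 4, 14), date(2026, 3, 20), date(2026, 4, 17)),
    Identity("agent-support-triage", "ai_agent", False, "cx-ops", "ml-platform", "cx-ops", "ml-platform",
             30, 1, date(2026, 4, 16), date(2026, 4, 1), date(2026, 1, 20)),
]

if __name__ == "__main__":
    for name, findings in drift_report(INVENTORY, TODAY).items():
        print(f"{name}: {findings or 'no drift'}")
    for kind, gap in profile_gap(INVENTORY, TODAY).items():
        print(f"{kind}: current {gap['current_pct']}% of target {gap['target_pct']}%")
```

Running it shows the pattern the article describes: the human account with an owner, a recent review and recent use has no findings, the unowned service account accumulates four, and the short-lived CI token and AI agent are clean on rotation yet still drift because a 90-day or 30-day review can never observe a credential that lives for 7 days or 1 day. The per-class gap figures are the input to a Profile comparison; the value is in the populations they single out, not the numbers themselves.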
Key takeaways
- NIST CSF 2.0 matters for identity teams because it turns governance into a first-class security requirement rather than an administrative afterthought.
- The framework is most useful when applied to ownership, review cadence, and lifecycle accountability across human, NHI, and autonomous identities.
- Practitioners should use CSF 2.0 to expose where policy exists but operational identity behaviour still drifts outside control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | CSF 2.0 governance is the article's core lens for identity accountability. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Identity governance must support least privilege and continuous access validation. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI lifecycle and rotation gaps are directly relevant to the governance discussion. |
Align identity access decisions to zero-trust principles and validate them against actual runtime behaviour.
Key terms
- Govern Function: The Govern function is the part of NIST CSF 2.0 that makes cybersecurity accountability explicit at the programme level. It covers policy, oversight, and risk direction, which means identity teams must show who owns access decisions, who reviews them, and how exceptions are tracked across all identity types.
- Profiles: Profiles describe an organisation's current cybersecurity posture and its target state under NIST CSF 2.0. In identity programmes, they are useful for showing where access governance exists on paper but breaks down in practice, especially across service accounts, secrets, and other non-human identities.
- Tiers: Tiers indicate how mature and repeatable an organisation's cybersecurity risk management practices are. For identity governance, they help teams judge whether access controls, lifecycle ownership, and remediation processes are ad hoc, repeatable, or embedded in the operating model.
- Identity Governance Drift: Identity governance drift is the gap between documented access policy and the way identity behaviour actually unfolds in the environment. It appears when access reviews, ownership, and revocation exist as process claims but fail to keep pace with real provisioning and usage patterns.
Deepen your knowledge
NIST CSF 2.0 and identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning identity controls to a governance framework like this, it is worth exploring.
This post draws on content published by Netwrix: NIST CSF 2.0, what's new in the Cybersecurity Framework. Read the original.
Published by the NHIMG editorial team on 2026-04-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org