Non-human identity attestation closes the ownership gap in IAM

At a glance

What this is: This is an analysis of NHI ownership attestation and how it is used to keep service accounts, tokens, and other non-human identities accountable throughout their lifecycle.

Why it matters: It matters because IAM teams cannot govern NHI access cleanly without an owner, and the same ownership model also shapes recertification, offboarding, and privileged access decisions across human and machine identities.

By the numbers:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps - 38% have no or low visibility, and a further 47% have only partial visibility.

👉 Read Oasis Security's post on NHI ownership discovery and attestation

Context

Non-human identity attestation is the review process used to confirm whether an NHI still has a valid owner and whether its access is still justified. In practice, the governance gap is not just access sprawl. It is the inability to keep ownership data accurate enough for certification, remediation, and audit.

Oasis Security frames ownership discovery as the prerequisite for attestation, which is directionally correct for NHI governance. Without an accountable owner, recertification becomes a queue of unresolved exceptions rather than a control that closes risk. That is why NHI lifecycle governance matters as much as discovery.

Key questions

Q: How should security teams handle NHI ownership when no clear owner exists?

A: Treat the identity as an exception, not as an acceptable default. Freeze non-essential privilege changes, assign a temporary accountable owner, and require a documented reassignment path before the identity remains in production. If ownership cannot be proven, the control should fail closed rather than continue certifying an unmanaged account.

Q: Why do campaign-based reviews often miss NHI risk?

A: Because they measure a point in time, while NHI risk changes across the lifecycle. Service accounts can be repurposed, abandoned, or over-privileged between campaigns, so the review may be accurate when performed but obsolete soon after. Event-driven governance is more effective than calendar-only certification.

Q: What breaks when NHI attestation is not tied to deprovisioning?

A: The process becomes a reporting exercise instead of a control. Reviewers may identify unnecessary identities, but if those responses do not trigger revocation or reassignment, stale access stays live. That leaves audit evidence intact while the exposure window remains unchanged.

Q: How do organisations know whether NHI attestation is actually working?

A: Look for reduction in orphaned identities, faster closure of review exceptions, and fewer identities left in unresolved owner reassignment status after each campaign. If the programme produces reports but does not change the number of live stale accounts, it is not controlling risk.

Technical breakdown

Why ownership discovery is the control foundation for NHI attestation

Ownership attestation depends on a trustworthy mapping between identity and accountable human reviewer. In NHI environments, that mapping is often missing because identities are created by apps, pipelines, or administrators without a durable business owner. When the owner field is absent or stale, the attestation control cannot determine who should approve, reject, or reassign the identity. The result is governance drift: access exists, but accountability does not. This is why discovery and attestation are coupled controls rather than separate tasks. Discovery finds the identity and candidate owner. Attestation confirms whether that ownership is still valid and whether the access remains necessary.

Practical implication: build ownership assignment rules before campaign design, or attestation will simply expose the same unresolved ownership gaps in a new workflow.

Why campaign-based attestation struggles with NHI lifecycle pressure

Campaign attestation is usually periodic, which means it works on a human governance cadence rather than an identity-change cadence. That creates a mismatch for NHIs, which can be created, delegated, repurposed, or abandoned long before the next review cycle. If review windows are too wide, stale access persists between campaigns. If they are too frequent, reviewers burn time on repeated confirmations that do not change the underlying entitlement model. The technical problem is not review effort alone. It is the mismatch between static campaign timing and dynamic NHI lifecycle events such as provisioning, reuse, and deactivation.

Practical implication: tie attestation to lifecycle events and risk tiers, not just calendar cycles, so reviews happen when ownership or usage actually changes.

How attestation workflows turn review into a governance signal

A useful attestation workflow does more than ask for approval. It creates structured outcomes such as approved, not needed, and not the owner, which convert review into governance data. Those outcomes can trigger deactivation, reassignment, or exception handling, provided they are integrated with downstream identity systems. Without that linkage, attestation becomes a reporting exercise with no enforcement value. For NHI governance, the key architectural issue is whether review results are actionable within the same control plane that issued the access. If not, the programme records intent but does not change state.

Practical implication: connect attestation outcomes directly to deprovisioning and reassignment workflows so review decisions change access state, not just audit records.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Ownership attestation is really an accountability control, not a review ritual. The central problem is that NHI governance breaks down when no human is clearly responsible for a service account, token, or certificate. Once ownership is ambiguous, every downstream control becomes slower and less reliable. The implication is that NHI programmes should treat ownership as a first-class governance attribute, not an administrative note.

Campaign-based attestation reveals where lifecycle governance is still calendar-driven instead of event-driven. A twice-yearly review can confirm that an identity had an owner at the moment of certification, but it cannot guarantee that the owner remained valid after business change, team turnover, or application refactoring. That is why periodic review alone does not prove control maturity. Practitioners should read campaign outcomes as a lagging indicator of lifecycle discipline, not a complete control.

Unchecked NHI ownership creates an identity blast radius that is bigger than most IAM teams model. When a service account outlives the person or team that originally owned it, permissions can persist with no operational sponsor to question them. That is not just an access issue, it is an accountability failure that can slow remediation and extend exposure windows. The practical conclusion is that ownership state must be governable across creation, reuse, review, and offboarding.

NHI Lifecycle Management Guide discipline matters more than review volume. The article reinforces a familiar governance truth: attestation is only effective when it sits inside a lifecycle model that can provision, reassign, revoke, and audit identities consistently. Without that, attestation becomes a paper trail for unmanaged privilege. The implication for practitioners is to align attestation with lifecycle controls rather than treating it as a standalone compliance task.

From our research:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
• 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
• For a wider governance view, read NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should connect.

What this signals

NHI ownership is becoming a lifecycle control, not just a directory field. Teams that treat owner data as metadata usually discover that recertification fails the moment teams reorganise or applications are refactored. The programme signal is clear: ownership quality now determines whether attestation can close risk or only document it, especially when you map outcomes against the NHI Lifecycle Management Guide.

With 97% of NHIs carrying excessive privileges, the practical issue is not whether attestation should exist, but whether it can meaningfully shrink standing exposure before the next review cycle. That is why attestation should be paired with privilege reduction and deprovisioning paths, not used as a standalone compliance ritual.

Ownership attestation debt: the gap between who is supposed to review an NHI and who can actually do so. As that gap widens, audit readiness looks better than operational control, which is exactly where programme reporting can become misleading.

For practitioners

• Map every NHI to a named accountable owner Require a business or technical owner before an identity is allowed to enter production, and flag any orphaned NHI as an exception that must be resolved before the next certification cycle.
• Tie attestation to lifecycle change events Trigger reviews when applications change teams, when service accounts are repurposed, or when integration ownership shifts, instead of waiting only for quarterly or annual campaign windows.
• Make attestation outcomes enforceable Connect approved, not needed, and not the owner responses to deprovisioning, reassignment, or escalation workflows so the review produces a state change.
• Separate stale ownership from valid access Track whether an identity is still technically required even when the named owner has changed, then require explicit re-approval before preserving access.

Key takeaways

• Non-human identity attestation is only effective when every identity has a provable owner and a downstream enforcement path.
• Periodic review alone does not solve NHI governance because ownership and usage change faster than calendar-based campaigns.
• Practitioners should connect attestation outcomes to deprovisioning, reassignment, and lifecycle controls so review actually reduces exposure.

Key terms

• Ownership Attestation: Ownership attestation is the process of confirming that a named human owner is still responsible for a non-human identity and that its access remains justified. In practice, it turns review into a governance decision that should drive reassignment, revocation, or explicit renewal of access.
• Non-Human Identity Lifecycle: The non-human identity lifecycle covers creation, assignment, review, rotation, reassignment, and offboarding of machine identities such as service accounts, tokens, and certificates. For governance teams, lifecycle control is what makes ownership attestation enforceable rather than merely informational.
• Orphaned Identity: An orphaned identity is a non-human identity that continues to exist without a clear accountable owner. These identities are especially risky because they can retain privilege, evade routine review, and persist through team changes unless governance processes detect and remove them.
• Attestation Campaign: An attestation campaign is a structured review cycle that asks owners to confirm, reject, or reassign identities or permissions in scope. For NHI governance, the campaign is only useful when it is linked to lifecycle events and downstream enforcement, otherwise it becomes a reporting task.

Deepen your knowledge

NHI ownership discovery and attestation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a lifecycle governance model for service accounts and tokens, it is worth exploring.

This post draws on content published by Oasis Security: Solving Non Human Identity Ownership with Oasis, Part 2: Ownership attestation. Read the original.