By NHI Mgmt Group Editorial Team
Published 2025-11-03
Domain: Governance & Risk
Source: Beyond Identity

TL;DR: NYDFS Part 500 now requires universal MFA, complete asset management, and stronger executive certification, with November 1, 2025 as the key deadline and personal accountability reinforced by the 2023 Second Amendment, according to Beyond Identity. The compliance problem is no longer just control coverage; it is proving durable, auditable governance across human and non-human access paths.


At a glance

What this is: This is an analysis of NYDFS Part 500 in 2025, with the central finding that universal MFA and complete asset management have become hard compliance deadlines, not advisory goals.

Why it matters: It matters to IAM and NHI practitioners because service accounts, vendor access, and other non-human access paths now sit inside a stricter evidence and governance regime.

👉 Read Beyond Identity's analysis of NYDFS Part 500 deadlines and MFA requirements


Context

NYDFS Part 500 is a cybersecurity regulation for covered financial services organisations operating under New York oversight, but its practical impact extends well beyond legal teams. The 2025 deadline matters because universal MFA and complete asset management force organisations to prove who and what can access systems, including non-human identities such as service accounts, API keys, and vendor integrations.

For IAM and NHI governance teams, the gap is not authentication in isolation. It is the combination of access coverage, asset inventory, evidence retention, and executive certification, which means identity controls must now support audit-ready documentation rather than only day-to-day authentication. That starting point is typical for regulated environments, but the enforcement posture makes it materially more demanding.


Key questions

Q: How should organisations prepare for NYDFS Part 500 when non-human identities are in scope?

A: They should inventory every service account, API key, certificate, and automation workflow that can reach regulated systems, then assign ownership and review cadence. NHI controls need the same evidence trail as human identity controls because auditors will care about access coverage, offboarding, and exception handling, not just whether MFA exists somewhere in the stack.

Q: What is the difference between compliance-ready MFA and phishing-resistant MFA?

A: Compliance-ready MFA can mean almost any second factor is present, including methods that are still vulnerable to phishing or interception. Phishing-resistant MFA binds authentication to a trusted device or cryptographic key, making replay and social engineering much harder. For regulated environments, the second model provides materially stronger assurance and better audit defensibility.

Q: Why does complete asset management matter for identity governance?

A: Because identity controls depend on knowing which systems exist, who owns them, and whether they are still active. Without that inventory, service accounts and other non-human identities can remain live after systems change or retire, creating hidden access paths and audit gaps. Asset management is therefore an identity control dependency, not a separate operations task.

Q: Should teams prioritise MFA rollout or lifecycle management first?

A: They should do both, but incomplete lifecycle management can erase the value of MFA over time. If orphaned accounts, stale keys, and undocumented exceptions remain in place, strong authentication only protects a subset of the real risk. The best sequence is to secure the highest-risk access paths first while building the ownership and review process that keeps them governed.


Technical breakdown

Why universal MFA changes the control model

NYDFS Part 500 moves MFA from a targeted control for remote or privileged access to a universal requirement for any individual accessing any information system. That shift matters because the policy target is no longer just interactive users. It covers cloud apps, third-party access, and operational workflows where identities are reused or delegated. In practice, the regulation closes the gap between partial MFA coverage and real-world access paths, where exceptions and compensating controls often hide the largest risk. The technical issue is not whether MFA exists. It is whether every access path can be verified, logged, and defended under audit.

Practical implication: Map every identity path to MFA enforcement and document every exception as a reviewed, time-bound risk decision.

Why complete asset management is now an identity control

Part 500 treats asset management as a security control because you cannot govern access to systems you cannot enumerate. A complete inventory must include owner, location, classification, support dates, and recovery objectives, which turns asset management into the foundation for access governance. For NHI programs, this matters because service accounts and machine credentials often outlive the systems that created them. When assets are missed, orphaned identities and stale credentials persist unnoticed. The regulation therefore links inventory accuracy to access assurance, making visibility a prerequisite for compliant identity control.

Practical implication: Tie each non-human identity to a named asset owner and remove credentials when the underlying system leaves service.
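As an added example (not code from the article or from Beyond Identity), the following script cross-checks a non-human identity register against an asset inventory and an MFA exception log, producing the findings an auditor would ask about: orphaned credentials whose parent asset is gone or out of support, credentials with no named owner, credentials past a rotation interval, and time-bound MFA exceptions that have expired without re-review. All field names, record values and the 90-day rotation interval are constructed for illustration; only the inventory fields and the 2025-11-01 date come from the article.

```python
from datetime import date, timedelta

# Constructed sample records. Inventory fields follow the article's list:
# owner, location, classification, support dates, recovery objective (RTO).
ASSETS = [
    {"id": "pay-api", "owner": "payments-team", "location": "aws-us-east-1",
     "classification": "regulated", "support_end": date(2027, 1, 1), "rto_hours": 4},
    {"id": "legacy-batch", "owner": "", "location": "dc-nyc", "classification": "regulated",
     "support_end": date(2024, 6, 30), "rto_hours": 24},  # support lapsed, no owner
]
# Non-human identity register: each credential is tied to a parent asset.
NHIS = [
    {"id": "svc-pay-reconcile", "asset": "pay-api", "owner": "payments-team",
     "last_rotated": date(2025, 9, 15)},
    {"id": "svc-batch-loader", "asset": "legacy-batch", "owner": "",
     "last_rotated": date(2023, 2, 1)},
    {"id": "key-old-vendor", "asset": "crm-retired", "owner": "vendor-mgmt",
     "last_rotated": date(2025, 10, 1)},  # parent asset no longer in inventory
]
# Time-bound MFA exceptions: each needs an approver and an expiry date.
MFA_EXCEPTIONS = [
    {"identity": "svc-batch-loader", "approved_by": "ciso", "expires": date(2025, 6, 1)},
]
AS_OF = date(2025, 11, 1)  # the Part 500 deadline discussed in the article

def audit(assets, nhis, exceptions, today, max_age_days=90):
    """Return (identity, issue) findings; an empty list means the register is clean."""
    by_id = {a["id"]: a for a in assets}
    findings = []
    for n in nhis:
        asset = by_id.get(n["asset"])
        if asset is None:
            findings.append((n["id"], "orphaned: parent asset not in inventory"))
        elif asset["support_end"] < today:
            findings.append((n["id"], "parent asset out of support; retire credential"))
        if not n["owner"] or (asset is not None and not asset["owner"]):
            findings.append((n["id"], "no named owner"))
        if today - n["last_rotated"] > timedelta(days=max_age_days):
            findings.append((n["id"], "credential past rotation interval"))
    for e in exceptions:
        if e["expires"] < today:
            findings.append((e["identity"], "MFA exception expired; re-review or revoke"))
    return findings

if __name__ == "__main__":
    for ident, issue in audit(ASSETS, NHIS, MFA_EXCEPTIONS, AS_OF):
        print(f"{ident}: {issue}")
```

Each finding line is the kind of record worth retaining as certification evidence, since it documents that the gap was detected and by which rule.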

How phishing-resistant MFA reduces audit exposure

NYDFS explicitly warns against push and SMS MFA because both are vulnerable to social engineering and interception. Phishing-resistant MFA uses device-bound cryptography, hardware-backed factors, or other methods that resist replay and token theft. The technical difference is not convenience but trust model. Weak MFA proves only that a second factor was used. Phishing-resistant MFA proves that the factor is bound to a trusted device or cryptographic key, which materially improves assurance for regulated access. That distinction is central when auditors assess whether the control can withstand modern attack paths.

Practical implication: Prefer device-bound, phishing-resistant factors for both human and operational access that touches regulated systems.
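The trust-model distinction above, as an added example that is not from the article or from Beyond Identity: a relying party that only accepts an assertion bound to a fresh, single-use challenge and to its own origin, so the same assertion cannot be presented twice and one produced against a look-alike origin is rejected. An HMAC over a per-device secret stands in for the device's asymmetric key (WebAuthn/FIDO2 use public-key signatures); the origins and class names are constructed for the example.

```python
import hmac, hashlib, secrets

RP_ORIGIN = "https://portal.example-bank.test"  # constructed legitimate origin

class Authenticator:
    """Device-bound factor. The secret never leaves the device, and every
    assertion covers the origin the browser actually connected to."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def enroll(self):
        return self._key  # stand-in for registering the device's public key
    def assert_login(self, challenge, seen_origin):
        msg = seen_origin.encode() + b"|" + challenge
        return {"origin": seen_origin, "challenge": challenge,
                "sig": hmac.new(self._key, msg, hashlib.sha256).digest()}

class Verifier:
    """Relying party: issues single-use challenges and checks assertions."""
    def __init__(self, device_key):
        self._key = device_key
        self._outstanding = set()
    def new_challenge(self):
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c
    def verify(self, a):
        # 1. The challenge must be one we issued and not yet consumed (no replay).
        if a["challenge"] not in self._outstanding:
            return False
        self._outstanding.discard(a["challenge"])
        # 2. The origin baked into the assertion must be ours (no look-alike sites).
        if a["origin"] != RP_ORIGIN:
            return False
        # 3. The signature must come from the enrolled device over origin|challenge.
        msg = a["origin"].encode() + b"|" + a["challenge"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, a["sig"])

def demo():
    """Returns (fresh login ok, replayed assertion ok, look-alike origin ok)."""
    dev = Authenticator()
    v = Verifier(dev.enroll())
    good = dev.assert_login(v.new_challenge(), RP_ORIGIN)
    fresh = v.verify(good)
    replayed = v.verify(good)  # same assertion presented a second time
    lookalike = v.verify(dev.assert_login(v.new_challenge(),
                                          "https://portal.example-bank-login.test"))
    return fresh, replayed, lookalike  # → (True, False, False)
```

A shared one-time code has none of these properties: whoever holds the code can present it from any origin, which is why the article treats push and SMS factors as proof only that a second factor was used.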


Threat narrative

Attacker objective: The attacker aims to use weak identity controls to reach regulated systems without triggering reliable verification or audit detection.

  1. Entry occurs through weak or incomplete MFA coverage on remote, SaaS, or third-party access paths.
  2. Escalation follows when overbroad access or missing asset inventory leaves privileged or orphaned identities in place.
  3. Impact is regulatory and operational, including failed certification, enforcement exposure, and expanded blast radius across regulated systems.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

NYDFS Part 500 has become an identity governance test, not just a compliance checklist. The regulation now forces organisations to prove access coverage across users, systems, and exceptions, which is a much harder standard than simply enabling MFA. For NHI practitioners, the message is that machine access must be managed with the same evidence discipline as human access. The practical conclusion is that identity governance and audit readiness are now the same programme.

Universal MFA is only useful when the underlying trust model is sound. If an organisation relies on push approvals, SMS codes, or loosely managed third-party access, it may satisfy a checkbox while preserving the attack path. NYDFS is pushing teams toward phishing-resistant methods because the control must survive real adversary behaviour, not just policy language. Practitioners should treat authentication strength as a governance decision, not a convenience setting.

Asset inventory is the hidden dependency behind NHI control. Service accounts, API keys, certificates, and vendor integrations become ungovernable when the parent systems are not fully inventoried. That makes complete asset management the control that enables lifecycle management, offboarding, and access review. The field should stop treating inventory as a separate operations task and start treating it as a prerequisite for identity assurance.

Personal accountability changes remediation priority. Dual-signature certification means unresolved gaps now carry executive risk, which pushes organisations to evidence controls continuously rather than at year-end. That pressure will accelerate investment in reporting, exception tracking, and policy enforcement across both IAM and NHI workflows. The practical takeaway is simple: if the control cannot be demonstrated, it does not exist for certification purposes.

Phishing-resistant MFA is becoming the default expectation for regulated access. As attackers exploit push fatigue, SMS interception, and token replay, the tolerance for weak second factors keeps shrinking. That does not eliminate the need for lifecycle governance, but it raises the baseline for what counts as acceptable authentication. Teams should plan for stronger factors to become the norm across both human and non-human access paths.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Our research also finds that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Forward look: The NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding controls close the gap that compliance deadlines expose.

What this signals

Secret hygiene will become the practical weak point in Part 500 programmes. Organisations may be able to prove MFA coverage on paper while still failing to revoke stale credentials quickly enough to matter. With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the control problem is already broader than most compliance plans assume.

The programme implication is straightforward: treat lifecycle automation, exception tracking, and asset ownership as one control plane. If your regulated systems include automation, vendor integrations, or agentic workflows, the next audit question will be whether those identities can be discovered, governed, and retired on demand.


For practitioners

  • Inventory every access path: Document all human and non-human access paths to regulated systems, including SaaS, vendor connections, privileged accounts, and automation workflows. Tie each path to an owner and a control status so exceptions can be reviewed before the deadline.
  • Replace weak MFA methods: Phase out push, SMS, and other phishable methods for access that reaches NYDFS-scoped systems. Use phishing-resistant authentication for both employees and operational identities wherever the trust model can support it.
  • Build certification evidence continuously: Retain access reviews, exception approvals, asset inventories, MFA deployment records, and incident reports throughout the year. Organise the evidence so the CEO and CISO can certify with documentation rather than reconstruction.
  • Align NHI lifecycle controls to regulated systems: Connect provisioning, rotation, offboarding, and review steps for service accounts and API keys to the same governance workflow used for human identities. The goal is to prevent orphaned credentials from surviving system changes.

Key takeaways

  • NYDFS Part 500 now makes access coverage, evidence, and accountability inseparable for regulated organisations.
  • The main risk is not just weak MFA, but incomplete visibility into every human and non-human identity path.
  • Teams that cannot prove ownership, rotation, and offboarding for NHI credentials will struggle to defend certification claims.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-1 | Universal MFA and access inventory map to identity and access control. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and revocation are central to the regulation's evidence burden. |
| NIST AI RMF | | Dual-signature certification and accountability align with governance functions. |

Assign clear governance ownership for automation and review evidence under the AI RMF GOVERN function.


Key terms

  • Non-Human Identity: A non-human identity is any credentialed entity that acts on behalf of a system rather than a person. It includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents. Governance focuses on ownership, lifecycle, access scope, and revocation.
  • Phishing-Resistant MFA: Phishing-resistant MFA uses authentication factors that cannot be easily replayed, intercepted, or socially engineered. In regulated environments, this usually means device-bound or cryptographic methods rather than push prompts or SMS codes, because the control must hold up under realistic attack conditions.
  • Asset Inventory: An asset inventory is the authoritative list of systems, services, and dependencies an organisation operates. In identity governance, it is the baseline that tells teams where access exists, who owns it, and which credentials should be revoked when systems change or retire.
  • Certification Evidence: Certification evidence is the documentation used to prove that required controls are actually operating. For cybersecurity regulations, that usually includes access reviews, exception approvals, inventory records, incident logs, and configuration proof retained long enough to support executive sign-off.

Deepen your knowledge

NYDFS Part 500, phishing-resistant MFA, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a regulated identity programme under similar constraints, it is worth exploring.

This post draws on content published by Beyond Identity: NYDFS Part 500 in 2025: Key Deadlines, New Requirements, and Compliance Strategies. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org