TL;DR: Non-human identities now outnumber humans by 50 times, and rotation, revocation, and lifecycle control require full contextual visibility, according to Oasis Security. The core issue is not just secret sprawl, but the governance gap created when identity lifecycles outgrow human-centric access models.
At a glance
What this is: Oasis Security’s stealth-exit blog post. Its key finding is that NHI growth has outpaced human-centric identity controls, making lifecycle governance and contextual visibility central.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern service accounts, secrets, and tokens with the same discipline once reserved for human access, but at much larger scale and with weaker visibility.
By the numbers:
- NHIs outnumber human identities by 50 times in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Oasis Security’s post on emerging from stealth and NHI lifecycle governance
Context
Non-human identity sprawl is no longer a narrow secrets-management issue. When service accounts, API keys, tokens, and certificates multiply faster than human identities, the security model shifts from user authentication to lifecycle governance, visibility, and revocation across machine-held access.
Oasis Security’s argument is that the real gap sits in context. Rotation and revocation are operational controls, but they only work when teams can see where identities exist, how they are used, and what they can reach. That lack of visibility is the typical starting point for many enterprises, not an outlier.
Key questions
Q: How should security teams govern service account lifecycles at scale?
A: Start with inventory, ownership, and dependency mapping for every service account, API key, token, and certificate. Then define rotation, revocation, and retirement rules that match how each identity is actually used in production. Governance fails when teams manage credentials as isolated objects instead of as long-lived access paths tied to applications and business services.
Q: Why do NHIs create more governance risk than human accounts?
A: NHIs are created in large numbers, often carry broad permissions, and frequently persist without the same lifecycle discipline applied to people. They do not prompt MFA, ask for renewal, or self-report when they are no longer needed. That combination makes stale access, hidden ownership, and orphaned credentials much more likely.
Q: What breaks when organisations rotate secrets without visibility?
A: Rotation without visibility can break production workloads because teams do not know which systems depend on a credential or how widely it is reused. It also creates false confidence, because a secret may be changed in one place while still active elsewhere. Effective rotation depends on dependency awareness, not just a timer.
Q: Who is accountable for revoking unused machine identities?
A: Accountability should sit with the application owner, platform owner, or service owner who can confirm the identity is still needed. If no one can answer that question, the identity is already unmanaged. Mature programmes treat revocation as part of lifecycle ownership, not as an afterthought for security operations.
How it works in practice
Why NHI lifecycle management breaks at enterprise scale
Non-human identity lifecycle management covers issuance, rotation, revocation, and offboarding for machine identities such as service accounts, API keys, secrets, and tokens. The technical problem is not that these controls do not exist, but that they are often applied without complete inventory or usage context. Without that context, teams cannot tell which credentials are still active, which are orphaned, or which are tied to high-risk systems. The result is a governance blind spot where access persists longer than intended and remediation is slow to complete.
Practical implication: build an authoritative NHI inventory before treating rotation or revocation as complete controls.
How contextual visibility changes secret rotation and revocation
Contextual visibility means knowing where a credential lives, what workload uses it, which systems trust it, and whether it is still needed. Rotation without that context can create outages, while revocation without dependency mapping can break production services. In practice, the control failure is not simply stale secrets, but unmanaged coupling between identities and applications. That is why NHI governance has to track relationships, not just credential objects, and why lifecycle decisions need operational telemetry as well as policy.
Practical implication: map credential dependencies before shortening rotation intervals or accelerating revocation workflows.
Why service accounts create a larger attack surface than humans
Service accounts and other machine identities often carry broader permissions than individual users because they are built for system-to-system access, automation, and integration. When those identities are not tightly governed, they become durable access paths that bypass human authentication controls and remain active across environments. The key technical issue is not just privilege, but persistence: many machine identities are created once and then left to operate indefinitely. That is why lifecycle management must be tied to usage, ownership, and decommissioning.
Practical implication: treat every persistent machine identity as a living access path that requires ownership and retirement criteria.
NHI Mgmt Group analysis
Non-human identity growth has turned lifecycle governance into the control plane for modern IAM. Once machine identities outnumber humans at large multiples, the traditional access-review model stops being the primary line of defence. The discipline shifts to whether organisations can continuously inventory, rotate, and revoke access across service accounts, secrets, and tokens. The practitioner conclusion is simple: NHI lifecycle governance is now a core identity security function, not an adjacent hygiene task.
Visibility, not policy language, is the decisive failure point in NHI programmes. Oasis Security’s emphasis on holistic visibility reflects a broader market reality: organisations cannot govern what they cannot find or contextualise. That is why NHI management maps directly to OWASP NHI and NIST CSF ideas around identify, protect, detect, and recover. The practitioner implication is that control design must start with discovery and dependency mapping, not after-the-fact reviews.
Lifecycle management is the named concept that separates mature NHI programmes from secret sprawl. Rotation, revocation, and offboarding only matter when they are part of a lifecycle process that knows when an identity should exist at all. In practice, this means ownership, expiry, and decommissioning are not administrative extras but security controls. The practitioner conclusion is that machine identity governance should be measured by retirement outcomes, not credential count.
The security perimeter has shifted from endpoints to identities that never log out. Service accounts, API keys, and tokens operate continuously and often across systems that human-centric IAM never directly touches. That changes the governance question from who signed in to what can keep acting, where, and for how long. The practitioner conclusion is that the new perimeter is an identity lifecycle boundary, not a device boundary.
NHI programmes need controls that survive enterprise scale, not just point-in-time remediation. The article’s core message is that category growth exposes the limits of ad hoc secret cleanup and isolated revocation projects. Mature teams will align NHI visibility with ownership and retirement workflows so that remediation becomes repeatable. The practitioner conclusion is to treat lifecycle control as a programme capability, not a one-off incident response task.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the same research.
- For a broader lifecycle lens, the Ultimate Guide to NHIs, Key Challenges and Risks explains why visibility, rotation, and offboarding fail together.
What this signals
Lifecycle governance is becoming the practical test of NHI maturity. Teams that can inventory identities, assign ownership, and prove retirement will be able to absorb machine identity growth without turning every secret into a permanent access path. Teams that cannot will keep mistaking cleanup activity for governance.
NHI sprawl is also a Zero Trust problem. If identities remain active outside the boundaries of clear ownership and context, then continuous verification never really starts. The NIST Cybersecurity Framework 2.0 is useful here because it forces programmes to connect govern, identify, protect, detect, respond, and recover rather than treating rotation as a standalone fix.
For practitioners
- Inventory all machine identities and their dependencies: Build a complete map of service accounts, API keys, tokens, and certificates, including where each credential is used, which applications trust it, and who owns its lifecycle. Without that dependency map, rotation and revocation decisions will remain partial and risky.
- Tie every non-human identity to an owner and retirement rule: Require a named business or technical owner for each machine identity, plus an explicit condition for revocation or decommissioning. Treat orphaned identities as governance failures, not just administrative cleanup.
- Separate rotation policy from operational readiness: Do not shorten secret lifetimes until you can prove the affected workloads can tolerate change. Pair rotation with dependency testing, rollback planning, and service validation so the control reduces exposure without breaking production.
- Measure offboarding as a security outcome: Track the percentage of service accounts and secrets that are retired on schedule, revoked when unused, and removed when the underlying application is decommissioned. Those metrics tell you whether NHI lifecycle governance is real or symbolic.
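One way to turn the four practitioner steps above (and the "How it works in practice" implications) into a repeatable check, as an added example that is not Oasis Security's or NHIMG's code: a triage over a constructed NHI inventory that flags orphaned, stale and sprawled identities, blocks rotation wherever several workloads or secret copies depend on one credential, and measures retirement as an outcome rather than counting credentials. The record schema, the 90-day stale threshold and every sample entry are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NHI:                          # one inventory record (assumed schema)
    name: str
    owner: Optional[str]            # None: nobody can confirm it is still needed
    last_used_days: int             # days since the credential last authenticated
    locations: Tuple[str, ...]      # where the secret material lives
    dependents: Tuple[str, ...]     # workloads that present this credential
    expires_in_days: Optional[int]  # retirement rule; None means none exists
    revoked: bool = False


def classify(n: NHI, stale_days: int = 90) -> List[str]:
    """Lifecycle findings for one identity; an empty list means governed."""
    flags = []
    if n.owner is None:
        flags.append("orphaned")
    if n.revoked:
        return flags                # retired: nothing left to rotate or expire
    if n.last_used_days > stale_days:
        flags.append("stale")
    if any(loc != "vault" for loc in n.locations):
        flags.append("sprawl")      # secret copies outside the secrets manager
    if n.expires_in_days is None:
        flags.append("no-retirement-rule")
    elif n.expires_in_days <= 0:
        flags.append("overdue-revocation")
    # Several consumers or copies: rotating breaks whichever still holds the old value.
    if len(n.dependents) > 1 or len(n.locations) > 1:
        flags.append("rotation-blocked")
    return flags


def retirement_rate(inv: List[NHI]) -> float:
    """Share of identities past their retirement criterion that were actually revoked."""
    due = [n for n in inv if n.expires_in_days is not None and n.expires_in_days <= 0]
    return sum(n.revoked for n in due) / len(due) if due else 1.0


# Constructed sample inventory; names and values are illustrative, not real identities.
INVENTORY = [
    NHI("billing-svc-db", "payments-team", 2, ("vault",), ("billing-api",), 30),
    NHI("legacy-etl-key", None, 200, ("vault", "ci-cd"), ("etl-nightly", "reporting"), -10),
    NHI("ci-deploy-token", "platform", 1, ("repo-config",), ("deploy-pipeline",), None),
    NHI("old-partner-cert", "integrations", 400, ("vault",), (), -3, revoked=True),
    NHI("monitoring-key", "sre", 5, ("vault",), ("prometheus", "grafana"), 60),
]
```

Run `classify` over each record to get the findings and `retirement_rate` over the whole list to get the offboarding metric; in this sample only one of the two overdue identities has actually been revoked, so the rate is 50%.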
Key takeaways
- The article’s core message is that NHI growth has outpaced human-centric identity controls, making lifecycle governance the central security problem.
- Oasis Security’s claim that NHIs outnumber humans by 50 times underscores why visibility and ownership matter more than isolated rotation tasks.
- Practitioners should treat discovery, revocation, and retirement as one lifecycle programme, because secret management alone does not close the governance gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation are central to the article’s lifecycle governance theme. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management support the article’s NHI governance focus. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust requires continuous verification of identities, including non-human ones. |
Map machine identities to access owners and enforce least privilege across their full lifecycle.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, services, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, and similar credentials that authenticate machines and workloads. In governance terms, these identities need ownership, rotation, and retirement just as much as human accounts do.
- Lifecycle Governance: Lifecycle governance is the discipline of controlling when an identity is created, how it is used, when it is reviewed, and when it is removed. For non-human identities, the lifecycle is often shorter and more fragmented than for people, which makes discovery, dependency mapping, and offboarding essential security controls.
- Contextual Visibility: Contextual visibility means knowing not just that a credential exists, but where it is used, what it can access, and who depends on it. For machine identities, that context is what makes safe rotation and revocation possible. Without it, teams can neither measure risk accurately nor retire access without disruption.
- Secret Sprawl: Secret sprawl is the uncontrolled spread of credentials across code, configuration files, pipelines, vaults, and endpoints. It increases the chance that secrets remain valid after they should have been revoked and makes inventory and remediation much harder. In mature programmes, secret sprawl is treated as a governance failure, not a tooling inconvenience.
Deepen your knowledge
NHI lifecycle management and remediation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance around service accounts, secrets, and tokens, it is worth exploring.
This post draws on content published by Oasis Security: Oasis Security Emerges from Stealth. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org