TL;DR: Evidence-based assurance depends on repeatable control performance over time, as PassBolt completed a SOC 2 Type II audit after about 120 tests across policies, infrastructure, logical access, backup, disaster recovery, and incident response controls. Annual attestation is only meaningful when identity, access, and operational controls are consistently governed, not just documented.
At a glance
What this is: Passbolt reports completion of a SOC 2 Type II audit and describes the control areas and testing depth behind it.
Why it matters: It matters because IAM, NHI, and security teams need repeatable evidence that access, change, and recovery controls operate consistently, not just at a point in time.
By the numbers:
- To obtain our audited SOC 2 Report, a third-party auditor, Johanson Group LLP, reviewed our internal controls through a series of around 120 tests.
👉 Read Passbolt’s security and compliance roundup on SOC 2 Type II and audits
Context
SOC 2 Type II is an attestation about whether security controls are operating consistently over time, not whether a company can document them on a single day. For identity and access teams, that distinction matters because logical access, change management, and incident response controls are only as strong as their evidence trail.
Passbolt’s roundup is a useful reminder that compliance evidence and identity governance overlap more than many teams assume. When service accounts, secrets, and privileged access are in scope, audit readiness depends on lifecycle discipline, review cadence, and control testing that survives repeated scrutiny.
For organisations building NHI and IAM programmes, the practical question is not whether a control exists on paper. It is whether the control can be demonstrated under audit pressure, across operational change, and through the full credential lifecycle.
Key questions
Q: How should security teams prepare for SOC 2 Type II when NHI controls are in scope?
A: They should treat non-human identities as part of the same control environment as human access, not as a separate exception bucket. The audit evidence needs to show who owns each credential, how it is approved, how often it is reviewed, and how revocation is proved when access is no longer needed. Durable evidence matters more than policy language.
Q: Why do service accounts and tokens create audit risk in compliance programmes?
A: Because they often outlive the business justification that created them. If rotation, offboarding, and review are weak, auditors may still see documented controls while the operational reality is persistent access, stale secrets, and unclear ownership. That gap turns identity governance into a paper exercise instead of a demonstrable control.
Q: What do security teams get wrong about annual audits and identity governance?
A: They assume a successful annual review proves the programme is healthy. In reality, an audit only shows that controls were evidenced during a limited period. If the lifecycle process is weak between audits, service accounts, tokens, and privileged access can drift well outside intended policy before the next review cycle starts.
Q: Which frameworks help align identity controls with compliance evidence?
A: NIST Cybersecurity Framework 2.0 is a useful starting point because it links governance, protection, detection, response, and recovery into one operational model. For identity teams, the key is to map access control, logging, and recovery evidence to the same framework so audit preparation and security operations reinforce each other.
Technical breakdown
SOC 2 Type II evidence and control design
SOC 2 Type II is about operating effectiveness, not just control design. Auditors test whether the organisation can show that policies, procedures, and technical safeguards are consistently applied across a defined period. In identity programmes, that means access approvals, privileged activity, logging, and change records must all line up. A one-off review may satisfy intent, but recurring evidence is what proves the control really exists. That distinction is central for teams managing service accounts, admin access, and other non-human identities that accumulate risk through repetition rather than drama.
Practical implication: build audit evidence from the same systems that govern access, logging, and change so controls can be proven repeatedly.
Logical access and change management in identity programmes
Logical access controls answer who can reach what, while change management answers who can alter the environment that grants that access. In practice, these two controls fail together when secrets are stored loosely, access is inherited without review, or infrastructure changes are not tied to approval records. For NHI governance, this creates blind spots around API keys, service accounts, and administrative tokens because the object being controlled is often invisible to the business owner. SOC-style testing exposes whether those identities are actually governed or merely deployed.
Practical implication: tie every privileged identity and secrets change to a documented owner, approval path, and review artefact.
Why annual audits are not a substitute for lifecycle governance
An annual audit can confirm that controls worked during the review window, but it cannot compensate for weak lifecycle processes between audits. Joiner-mover-leaver handling, secret rotation, offboarding, and recertification determine whether access stays aligned with business need. That matters for machine identities as much as for people, because stale credentials and unrevoked tokens create persistent exposure long after the original justification is gone. Compliance evidence becomes much stronger when governance is embedded into the operational lifecycle instead of attached after the fact.
Practical implication: treat audit preparation as a by-product of lifecycle governance, not as a separate compliance project.
NHI Mgmt Group analysis
SOC 2 Type II is really a lifecycle test for identity control, not a paperwork exercise. The article shows that Passbolt is measuring repeatable performance across access, change, and recovery controls, which is exactly where identity programmes often drift from policy into exception handling. For IAM and NHI teams, the meaningful question is whether the same control can survive repeated testing over time. Practitioners should treat Type II as a discipline check on governance consistency.
Non-human identities are part of the audit surface, even when the report does not name them explicitly. Logical access, secrets handling, and infrastructure change all depend on machine credentials somewhere in the stack. When those credentials are not lifecycle-managed, the audit may pass on process evidence while exposure persists operationally. The practitioner conclusion is clear: NHI governance must be traceable enough to satisfy the same evidentiary standard as human privileged access.
Audit maturity and identity maturity are converging metrics. Organisations that cannot demonstrate access control consistency usually also struggle with rotation, offboarding, and privilege review across service accounts and tokens. Passbolt’s emphasis on repeated testing reflects a wider market shift toward evidence-backed governance rather than declarative security claims. Teams should align their identity programme metrics with audit artefacts, not with policy documents alone.
Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs remains the better lens for the control problems this kind of audit exposes. The core issue is not whether an audit exists, but whether provisioning, rotation, recertification, and offboarding are measurable and enforceable. SOC 2 Type II raises the bar by forcing those processes to leave durable evidence. Practitioners should use that pressure to close the gap between identity policy and operational proof.
Security transparency only works when the organisation can show control behaviour, not just control intent. The combination of external audit, internal testing, and repeatable evidence is what turns security claims into governance assurance. For teams running human IAM, NHI, and PAM together, that means a single control failure can undermine multiple assurance narratives at once. The practical takeaway is to design identity controls as auditable systems from the start.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a direct governance blind spot for delegated access.
- That visibility gap makes the case for Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs stronger, because lifecycle discipline is what turns control claims into auditable evidence.
What this signals
Audit pressure is pushing identity teams toward evidence-first governance. The organisations that can show repeatable access, change, and recovery evidence will be better placed to defend their control posture when regulators, customers, or auditors ask how access is actually governed. For NHI programmes, that means the record of rotation, review, and offboarding needs to be as strong as the control itself.
Lifecycle discipline is becoming the dividing line between compliance theatre and real assurance. If a service account, token, or certificate cannot be traced through approval, usage, and revocation, the control environment is already weaker than the policy says. Teams should expect more scrutiny on whether identity evidence is durable enough to survive audit sampling.
The broader signal is that human IAM and NHI governance are converging operationally even if the tooling stacks remain separate. Programmes that standardise evidence collection across both will reduce audit friction and expose privilege drift earlier than teams that still treat machine identities as a side channel.
For practitioners
- Map audit evidence to identity control owners Link each logical access, change management, and incident response control to a named owner and a reusable evidence source so auditors can trace it without manual reconstruction.
- Track non-human identities in the same evidence model Include service accounts, API keys, tokens, and certificates in access reviews, approval logs, and change records so machine identities do not sit outside the audit trail.
- Test control consistency across the credential lifecycle Verify that provisioning, rotation, recertification, and offboarding all produce durable evidence in the systems of record rather than in ad hoc spreadsheets or email.
- Use audit findings to harden privileged access governance Feed recurring audit observations into PAM and IAM remediation work, especially where logical access exceptions or missing change records expose persistent privilege.
Key takeaways
- Passbolt’s SOC 2 Type II update is a reminder that compliance is only credible when controls can be demonstrated repeatedly over time.
- Identity governance, logical access, and lifecycle evidence are the controls most likely to determine whether audit claims hold up under scrutiny.
- Teams that want stronger assurance should build repeatable evidence for human and non-human identities into the same operational workflow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Audit evidence hinges on access permissions being managed consistently. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle control are central to credential governance. |
| NIST Zero Trust (SP 800-207) | AC-2 | Continuous verification aligns with repeatable control testing. |
Track NHI rotation and offboarding evidence against NHI-03 so credentials can be audited end to end.
Key terms
- Soc 2 Type II: A SOC 2 Type II report evaluates whether security controls are not only designed well but also operated consistently over time. For identity programmes, it is evidence that access, logging, and change processes can be demonstrated repeatedly rather than described once.
- Logical Access Control: Logical access control governs who or what can reach systems, data, or administrative functions. In NHI and IAM programmes, it includes approvals, entitlement scope, and evidence that access remains appropriate throughout the credential lifecycle.
- Credential Lifecycle: Credential lifecycle is the full path from creation and approval through use, rotation, review, and revocation. For non-human identities, it is the difference between a controlled secret and a persistent exposure that no longer matches business need.
- Audit Evidence: Audit evidence is the record that proves a control actually operated during the period under review. In identity security, it includes approvals, logs, review outcomes, and revocation records that show access governance was real, repeatable, and traceable.
What's in the full article
Passbolt's full roundup covers the operational detail this post intentionally leaves for the source:
- The specific audit areas reviewed across policies, procedures, and infrastructure controls.
- The breakdown of six separate security audits and what each one covered in the passbolt ecosystem.
- The practical context behind the SOC 2 Type II report request process for customers.
- The additional certifications and labels Passbolt says it is pursuing next.
👉 The full Passbolt roundup includes the audit scope, control areas, and certification roadmap.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org