By NHI Mgmt Group Editorial TeamPublished 2026-06-24Domain: AnnouncementsSource: Linx Security

TL;DR: The underlying governance issue is not reporting speed but whether identity teams can keep lifecycle, access review, and NHI oversight current as the environment changes, according to Linx Security. AI-scheduled reports turn recurring identity questions into automated outputs across users, non-human identities, entitlements, resources, and AI agents, including dormant admin accounts, partially offboarded users, orphaned accounts, and agent permissions.


At a glance

What this is: This is a product announcement about scheduled identity reporting for access, lifecycle, and AI agent visibility, with the key finding that recurring questions can be operationalised into repeatable governance checks.

Why it matters: It matters because identity teams need recurring, auditable views of NHI, autonomous, and human access conditions before weak lifecycle controls turn into standing risk.

👉 Read Linx Security's post on scheduled identity reports for access and lifecycle checks


Context

Identity teams often lose control when access questions are answered once and then forgotten. Scheduled reporting turns those questions into repeatable checks, which matters because identity governance breaks down when review cadences are too slow for the pace of access change across users, non-human identities, and AI agents.

The central governance gap is not whether teams can ask better questions, but whether they can operationalise those questions into recurring evidence. That becomes critical for lifecycle review, orphaned account detection, and visibility into AI agents that can touch systems and data in ways traditional access review processes were not built to follow.


Key questions

Q: What breaks when identity teams rely on one-off access reviews instead of scheduled reporting?

A: One-off reviews miss the state changes that happen between review cycles, especially in environments with frequent joiner, mover, leaver, and entitlement changes. Scheduled reporting helps teams see dormant admin accounts, partially offboarded users, and orphaned accounts on a repeatable basis so the work does not depend on memory, tickets, or manual follow-up.

Q: Why do partially offboarded users create more risk than teams expect?

A: They show that deactivation has happened in one system but not everywhere else, which means access can persist after the business believes it has ended. That creates a hidden control gap across applications, especially in large organisations where identity data is distributed and offboarding often spans several owners.

Q: How can security teams use AI agent reports without creating more governance noise?

A: Start by using the reports to build a complete inventory of AI agents, their permissions, and the resources they can reach. Then tie every recurring report to an owner and a response path. If the report cannot lead to a documented decision or remediation step, it is only adding noise.

Q: Who should own recurring identity reports for access and lifecycle issues?

A: Ownership should sit with the team that can act on the finding, not the team that generated it. Access review exceptions belong with IAM or IGA owners, offboarding gaps belong with lifecycle owners, and AI agent permissions need clear accountability before they are allowed to operate at scale.


Technical breakdown

Scheduled identity reporting and identity graph queries

Scheduled identity reporting sits on top of an identity graph that connects identities, entitlements, resources, and relationships. The value is not in natural-language input alone, but in converting that query into a repeatable data pull that can be rerun on a cadence. In practice, this works best when the graph is authoritative enough to answer lifecycle and access questions without manual reconciliation across spreadsheets and ticket queues. Practical implication: treat scheduled reports as evidence generation, not just convenience reporting.

Practical implication: treat scheduled reports as evidence generation, not just convenience reporting.

Partially offboarded users and orphaned accounts

A partially offboarded user is someone whose official status says they should be deactivated, yet they still retain active accounts in one or more applications. An orphaned account is different: it exists in a system without a corresponding authoritative identity source. Both conditions indicate lifecycle drift, but they fail in different places. One is an incomplete deprovisioning process, the other is a gap between source-of-truth identity and downstream application state. Practical implication: monitor these as separate control failures, not one blended hygiene issue.

Practical implication: monitor these as separate control failures, not one blended hygiene issue.

AI agent visibility and permission inventory

AI agents create a new governance problem because they can hold permissions, call tools, and reach data stores without fitting neatly into human access review patterns. A complete inventory needs to show the agent, the applications it can reach, the tools it can invoke, and the permissions attached to each. That is a governance baseline, not an advanced feature, because you cannot review or constrain what you cannot enumerate. Practical implication: require agent-level inventory before allowing recurring access reviews or automated remediation to touch them.

Practical implication: require agent-level inventory before allowing recurring access reviews or automated remediation to touch them.


NHI Mgmt Group analysis

Scheduled identity reporting is a governance mechanism, not a reporting feature. The article shows that recurring questions become more valuable when they are tied to identity lifecycle, access review, and entitlement drift. That shifts the problem from ad hoc investigation to repeatable control evidence. The practitioner takeaway is that reporting should be measured by its ability to expose actionable governance states, not by how quickly it answers a question.

Partially offboarded users are a lifecycle failure, not a cleanup inconvenience. The failure mode is incomplete deprovisioning across applications after the authoritative identity has moved on. That matters because access review cadences often miss the gap between source-of-truth status and application reality. The practitioner takeaway is that offboarding must be evaluated as an end-to-end control outcome, not a ticket closure metric.

AI agent inventories should be treated as a prerequisite for governance, not a downstream optimisation. The article correctly places agent permissions, tools, and resource access inside the identity graph because autonomous software entities can accumulate operational reach quickly. That creates a named concept worth tracking: agent visibility debt: the backlog created when AI agents are deployed faster than their permissions and tool access can be enumerated. The practitioner takeaway is to block recurring review automation until the agent estate is visible enough to govern.

Identity graphs are becoming the control plane for cross-domain lifecycle oversight. The article connects users, NHIs, entitlements, resources, and AI agents in one view, which reflects where identity governance is heading. Separate tools can still exist, but the operational question is increasingly whether teams can assess risk across identity types without reconstructing context by hand. The practitioner takeaway is to align reporting, reviews, and remediation around one governed identity model.

Recurring reports expose the difference between visibility and control. Seeing dormant admin accounts or orphaned accounts does not by itself reduce risk. The value appears when the report is tied to a response path that is consistent, repeatable, and owned by the right team. The practitioner takeaway is to define the action trigger before automating the report cycle.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that notification alone does not close the exposure window.
  • That persistence makes 52 NHI Breaches Analysis a useful next reference point for teams studying how identity exposure turns into compromise.

What this signals

agent visibility debt: the backlog created when AI agents and service identities are deployed faster than their permissions can be reviewed. For identity teams, that means scheduled reporting should be evaluated as a control signal, not a productivity feature, and the review model should be able to separate human accounts from non-human access paths.

Recurring identity reporting will become a stronger indicator of programme maturity than isolated access review activity. When reports can be tied to lifecycle outcomes, entitlement cleanup, and agent inventory coverage, teams gain evidence that the programme is seeing the right objects rather than just producing more output.

The practical signal is whether recurring reports lead to durable change in the identity graph. If dormant admin accounts, orphaned accounts, and AI agent permissions keep reappearing unchanged, the programme has reporting coverage but not governance closure.


For practitioners

  • Automate recurring lifecycle checks for offboarding and orphaned access Turn the highest-friction identity review questions into scheduled reports for partially offboarded users, dormant admin accounts, and orphaned accounts. Route each report to the team that owns remediation, and require a clear action path for every exception.
  • Separate NHI, user, and AI agent review logic Do not let one access review template cover all identity types. Use distinct reporting criteria for human users, service accounts, and AI agents so that permissions, tool access, and lifecycle state are assessed against the correct governance model.
  • Inventory AI agents before allowing automated remediation Require a complete list of AI agents, their permissions, and their resource access before you let any automated report trigger cleanup actions. Without that inventory, you can create governance activity without knowing which non-human identities are actually in scope.
  • Tie scheduled reports to evidence, not convenience Use recurring reports to produce auditable proof of review coverage, not just inbox summaries. Track who received the report, what changed as a result, and whether the exception was closed inside the identity lifecycle process.

Key takeaways

  • Scheduled identity reporting turns repeat questions into repeatable governance evidence, which is more useful than ad hoc visibility.
  • Partially offboarded users and orphaned accounts remain distinct lifecycle failures, and both can hide in environments with fragmented identity ownership.
  • AI agent reporting only helps when the estate is enumerated first, because you cannot govern permissions that are not already visible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Recurring reports support detection of stale and orphaned NHI access.
NIST CSF 2.0PR.AC-4Access permissions should reflect least privilege across identity types.
NIST Zero Trust (SP 800-207)Zero trust depends on continuous verification of identity state and access.

Use scheduled reporting to detect stale access and trigger remediation when lifecycle state drifts.


Key terms

  • Identity graph: An identity graph is a connected data model that links identities, entitlements, applications, resources, and relationships. In practice, it helps teams see who or what has access, how that access was granted, and where lifecycle or privilege drift is accumulating across the environment.
  • Partially offboarded user: A partially offboarded user is an identity whose official lifecycle status says access should be removed, but one or more active accounts still exist downstream. The term matters because it exposes incomplete deprovisioning across systems, which is a common source of residual access and audit findings.
  • Orphaned account: An orphaned account is an account that remains active in an application without a matching authoritative identity in HR, the identity provider, or another source of truth. These accounts often appear after manual creation, integration gaps, or failed offboarding, and they sit outside normal governance processes.
  • AI agent inventory: An AI agent inventory is a complete record of autonomous or semi-autonomous software entities, including their permissions, tools, and reachable resources. It is a governance baseline because teams cannot review, restrict, or remediate agent access until they know exactly what the agent estate contains.

What's in the full article

Linx Security's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step setup flow for turning an identity question into a scheduled report
  • Examples of the exact report formats used for access review, offboarding, and AI agent visibility
  • Configuration options for recipients, frequency, and manual rerun behavior
  • Practical walkthrough of how the Linx AI Agent answers the underlying identity questions

👉 The full Linx Security post shows how scheduled reports are configured for recurring identity questions and review workflows.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org