TL;DR: Unmanaged endpoints widen the attack surface for remote work because credentials, tokens, cookies, and session data can be exposed outside IT control, while unmanaged or poorly managed devices are implicated in 80% of ransomware attacks and 71% more malware exposure, according to CyberArk and Microsoft Digital Defense Report 2023. The security issue is not remote access itself, but the lack of device trust, session control, and credential governance around it.
At a glance
What this is: This analysis argues that unmanaged endpoints are a governance gap, not just a device hygiene problem, because they expose credentials, sessions, and machine identities outside IT control.
Why it matters: For IAM and NHI teams, unmanaged endpoints change the trust model for contractors, remote staff, and shared-device workflows, making session controls and credential scoping operationally necessary.
By the numbers:
- 80% of ransomware attacks originate from unmanaged devices, with 60% of those leveraging remote encryption, according to the Microsoft Digital Defense Report 2023.
- Users on unmanaged devices are 71% more likely to face malware, according to Microsoft Digital Defense Report 2023.
- Nearly 70% of organizations have been victimized by cyberattacks exploiting unmanaged or poorly managed devices, according to Microsoft Digital Defense Report 2023.
👉 Read CyberArk's analysis of unmanaged endpoint risks for remote access
Context
Unmanaged endpoints are personal or shared devices that sit outside standard enterprise control, which means security teams cannot assume the device, browser, or local storage is trustworthy. In hybrid work, that matters for NHI governance because contractors, partners, and employees often reach corporate systems from devices the organisation does not manage end to end.
The issue is not merely remote access. It is the combination of unmanaged devices, persistent credentials, and session exposure that breaks familiar IAM assumptions. That is why the problem maps directly to NHI controls for secrets, sessions, and machine identities, not just endpoint policy.
CyberArk frames the risk through remote work and browser-based access, which is a typical starting position for this problem class. The underlying governance lesson is broader: once access moves onto a device outside your control, privilege becomes harder to constrain and much easier to abuse.
Key questions
Q: How should security teams govern access from unmanaged endpoints?
A: Security teams should treat unmanaged endpoints as conditional trust zones, not normal access paths. Grant only the minimum access needed, enforce session controls, and require stronger verification for sensitive actions. Where possible, move users toward browser-mediated or isolated access that keeps credentials, cookies, and downloads away from local device storage.
Q: What is the difference between device trust and identity trust in IAM?
A: Identity trust answers who or what is authenticated. Device trust answers whether the endpoint used for that access is trustworthy enough to handle the session. In unmanaged environments, those are not the same thing. A valid identity on an untrusted device can still create credential theft, token leakage, or data exfiltration risk.
Q: Why do unmanaged endpoints increase NHI risk?
A: Unmanaged endpoints increase NHI risk because they expose the artefacts that non-human identities rely on, including tokens, secrets, and session state. If an attacker gains control of the device, they can replay those artefacts against corporate systems from a host the organisation never sees. That makes endpoint governance part of NHI security, not just user-device management.
Q: Should organisations allow contractors to access sensitive systems from personal devices?
A: Only if the organisation can impose compensating controls that match the risk. That usually means strong session isolation, limited entitlements, time-bounded access, and clear offboarding. If those controls are not available, the safer choice is to block the access path rather than rely on trust in an unmanaged device.
Technical breakdown
Why unmanaged endpoints change the trust model for NHI access
An unmanaged endpoint is any device the enterprise does not fully control for configuration, patching, storage, or monitoring. That matters because access from such a device breaks the usual trust chain between identity proofing, device posture, and session assurance. For NHI use cases, the same problem applies to service access, contractor workflows, and delegated access paths: credentials may be valid even when the endpoint is not trustworthy. Browser isolation, token substitution, and session controls reduce exposure, but they do not create trust in the device itself.
Practical implication: Treat device trust as a prerequisite for high-risk access, and apply compensating controls when unmanaged endpoints cannot be eliminated.
How session security limits credential and data exposure
Session security focuses on what happens after authentication. Instead of assuming that login alone is enough, it tracks the live session with continuous authentication, auditing, and exfiltration controls. That is useful on unmanaged devices because the browser cache, clipboard, downloads, and local files can leak sensitive material even when passwords are protected. Session recording adds accountability, but the stronger control is prevention of data movement into places the organisation cannot inspect. For NHI governance, session security is a control layer around access, not a replacement for least privilege.
Practical implication: Use session controls for remote contractors and privileged workflows where the endpoint cannot be enrolled or hardened.
Why password vaulting and rotation only solve part of the problem
Centralised vaulting and automatic rotation reduce the shelf life of exposed credentials, which is important when unmanaged endpoints may be compromised. But these controls address only one part of the chain. If the endpoint can capture a session token, browser cookie, or remote support API key, rotation may come too late. In other words, the credential is safer, but the access path may still be vulnerable. The architectural lesson is that NHI security must cover the secret, the session, and the device that uses them.
Practical implication: Pair rotation with session isolation and device-aware access rules so exposure does not simply move from passwords to tokens.
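The three points above (device trust evaluated separately from identity trust, session isolation as a compensating control, and rotation that retires the password but not the session) are easier to reason about as executable rules. The block below is an added example written for this post, not CyberArk's or NHIMG's code. It encodes a small device-aware access policy and then models which artefacts harvested from an unmanaged endpoint remain usable after a password rotation. The class names, the four-level sensitivity scale, the timings and the sample artefacts are assumptions for illustration.

```python
# Added example (not CyberArk's or NHIMG's code). Encodes the device-aware access
# rules discussed above as a policy evaluator, and models why credential rotation
# alone leaves harvested session artefacts usable. All names, the sensitivity
# scale and the timings are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    MANAGED = "managed"            # enrolled and compliant with the endpoint baseline
    NONCOMPLIANT = "noncompliant"  # enrolled but failing posture checks
    UNMANAGED = "unmanaged"        # personal, shared or contractor device: no trustworthy signal


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_ISOLATED = "allow_isolated"  # browser-mediated session: no local downloads, clipboard or cookies
    STEP_UP = "step_up"                # require phishing-resistant MFA before the action proceeds
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    authenticated: bool           # identity trust: the user or NHI proved who they are
    phishing_resistant_mfa: bool  # e.g. FIDO2/WebAuthn rather than an OTP
    posture: Posture              # device trust: assessed separately from identity trust
    sensitivity: int              # 0 public, 1 internal, 2 confidential, 3 privileged/secrets
    isolation_available: bool     # can the session be routed through an isolated browser?


def evaluate(req: AccessRequest) -> Decision:
    """Identity trust and device trust are checked separately; neither implies the other."""
    if not req.authenticated:
        return Decision.DENY
    if req.posture is Posture.MANAGED:
        if req.sensitivity >= 3 and not req.phishing_resistant_mfa:
            return Decision.STEP_UP
        return Decision.ALLOW
    # Non-compliant and unmanaged devices are treated the same: conditional trust only.
    if req.sensitivity == 0:
        return Decision.ALLOW
    if req.sensitivity >= 3:
        return Decision.DENY        # block the path rather than trust the device
    if not req.isolation_available:
        return Decision.DENY        # no compensating control available, so no access
    if not req.phishing_resistant_mfa:
        return Decision.STEP_UP
    return Decision.ALLOW_ISOLATED


@dataclass(frozen=True)
class Artefact:
    kind: str                   # "password", "session_cookie" or "api_key"
    issued_at: int              # seconds since an arbitrary epoch
    ttl: int                    # seconds of validity; 0 means valid until explicitly revoked
    device_bound: bool = False  # bound to the issuing device, so replay elsewhere fails


def still_usable(a: Artefact, rotated_at: int, now: int, revoke_on_rotation: bool) -> bool:
    """Would an artefact harvested from the endpoint still work at `now`, given rotation at `rotated_at`?

    revoke_on_rotation: rotation is wired to revoke live sessions and dependent keys,
    not just to change the password.
    """
    if a.kind == "password":
        return now < rotated_at                  # rotation retires the old password
    if a.device_bound:
        return False                             # replay from the attacker's host fails
    if a.ttl and now >= a.issued_at + a.ttl:
        return False                             # expired on its own
    if revoke_on_rotation and now >= rotated_at:
        return False                             # rotation also revoked the session/key
    return True                                  # credential changed, access path did not


def exposure_report(revoke_on_rotation: bool) -> dict:
    """Constructed scenario: artefacts harvested at t=0, password rotated at t=3600, checked at t=7200."""
    harvested = [
        Artefact("password", 0, 0),
        Artefact("session_cookie", 0, 8 * 3600),                     # 8-hour browser session
        Artefact("api_key", 0, 0),                                   # remote-support API key, never expires
        Artefact("session_cookie", 0, 8 * 3600, device_bound=True),  # token-bound session
    ]
    return {
        f"{a.kind}{'(bound)' if a.device_bound else ''}": still_usable(a, 3600, 7200, revoke_on_rotation)
        for a in harvested
    }


if __name__ == "__main__":
    print(evaluate(AccessRequest(True, True, Posture.UNMANAGED, 2, True)))
    print(exposure_report(revoke_on_rotation=False))
    print(exposure_report(revoke_on_rotation=True))
```

Running `exposure_report(False)` shows the point of the section: one hour after rotation the password is dead, but the browser cookie and the remote-support API key still work, so the exposure has moved from the password to the tokens. Only when rotation is tied to session and key revocation (`True`), or the token is device-bound, does the harvested material stop being useful.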
Threat narrative
Attacker objective: The attacker wants to turn a single unmanaged device compromise into reusable access that reaches corporate data and privileged workflows.
- Entry occurs when a user or contractor authenticates from an unmanaged endpoint that the attacker can compromise through malware, remote support abuse, or local exposure of browser artefacts.
- Escalation follows when stored credentials, cookies, or a remote support API key are harvested from the device or session context and reused against corporate systems.
- Impact occurs when the attacker pivots into sensitive applications, or into documents that were never classified and so carry no protective controls, and extends access well beyond the original endpoint compromise.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Unmanaged endpoints are an NHI governance problem, not an endpoint-side issue. The article correctly frames the device as the place where credentials, sessions, and contractor access can all fail at once. That means identity teams have to think beyond login policy and into device trust, session scope, and the allowable use of corporate access on personal hardware. The governance conclusion is straightforward: if the endpoint is outside control, access must be treated as conditional, not assumed safe.
Ephemeral credential handling is only effective when the access path is also constrained. Rotation, vaulting, and token substitution reduce exposure windows, but they do not neutralise browser theft, session hijack, or remote support abuse. In NHI terms, the trust boundary is wider than the secret itself. The practical conclusion is that teams need layered controls around every access path that touches unmanaged devices.
Contractor and third-party access is where unmanaged endpoint risk becomes hardest to absorb. External users often need narrow, time-bound access but operate under weaker device standards and weaker monitoring expectations. That combination widens the identity blast radius if sessions are not isolated and entitlements are not tightly scoped. The field should treat third-party endpoint governance as part of the same policy domain as NHI lifecycle control.
Browser-based controls reduce exposure, but they do not replace Zero Trust Architecture. Secure browsers, session recording, and token substitution are useful because they narrow what can be stolen from the endpoint. Yet Zero Trust only works when the organisation continuously verifies identity, device posture, and session risk. The practitioner takeaway is that unmanaged access should trigger stricter verification, not wider convenience.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, which shows how quickly identity assumptions are being outpaced by autonomous access patterns.
- For a deeper control baseline, compare this with 52 NHI Breaches Analysis for recurring failure modes in credential and session governance.
What this signals
Ephemeral access does not remove trust debt: unmanaged endpoints show how quickly an apparently temporary session can become a durable exposure path if device posture is invisible. With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, access governance has to account for both session life and secret life, not just login events.
The programme implication is that contractor access, shared-device use, and browser-mediated workflows now need the same scrutiny as privileged admin access. Teams should map every path where a secret, cookie, or token can leave the control boundary, then align those paths with Zero Trust Architecture and NHI lifecycle controls. That is the practical shift from endpoint hygiene to identity containment.
For practitioners
- Classify unmanaged endpoints as high-risk access paths: require explicit policy for personal laptops, shared devices, and contractor workstations. Tie access approval to the sensitivity of the application, the data class involved, and whether the endpoint can be inspected or enrolled.
- Enforce session controls for remote and contractor workflows: use continuous authentication, session recording, and exfiltration controls for access that cannot be limited to managed devices. Prioritise high-value applications where a stolen browser session would create immediate impact.
- Reduce credential longevity across unmanaged access paths: store secrets in a central vault, rotate them automatically, and limit direct password use wherever possible. Cover the full access path, including cookies, tokens, and remote support API keys.
- Separate device trust from identity trust in access policy: do not treat successful authentication as proof that the endpoint is safe. Combine identity checks with posture checks, conditional access, and step-up verification when users connect from untrusted hardware.
- Review third-party access as part of NHI lifecycle governance: apply onboarding, approval, time limits, and offboarding to contractors and other external users with unmanaged devices. Use the Ultimate Guide to NHIs for lifecycle thinking and the OWASP Non-Human Identity Top 10 for control mapping.
Key takeaways
- Unmanaged endpoints turn remote work into an identity-governance problem because access can be legitimate while the device remains untrusted.
- Credential rotation helps, but it does not close the gap if cookies, tokens, or remote-support artefacts can still be harvested from the endpoint.
- The right response is layered control: conditional access, session isolation, tighter contractor scope, and explicit lifecycle rules for every unmanaged access path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage; NHI7:2025 Long-Lived Secrets | Secrets, cookies, and API keys exposed on unmanaged devices, and the limits of rotation against long-lived artefacts, map to these two entries. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI3:2025 Vulnerable Third-Party NHI | Contractor and third-party access with time-bound entitlements and explicit offboarding. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 identifier was PR.AC-4) | Conditional access and session gating align with least-privilege access permissions, entitlements, and authorisations. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | The topic hinges on continuous verification of identity, device posture, and session trust. |
Apply Zero Trust principles so unmanaged endpoints never inherit implicit trust from successful authentication.
Key terms
- Unmanaged Endpoint: A device that the organisation does not fully administer, monitor, or harden under its standard endpoint controls. In practice, this includes personal laptops and shared computers used for corporate access, where local storage, browser state, and device posture may not meet enterprise trust requirements.
- Session Security: A control layer that protects what happens after authentication, not just the login event itself. It can include continuous verification, session recording, and data loss controls so that credentials, browser artefacts, and sensitive actions remain protected during live access.
- Remote Support API Key: A machine credential used by support or access tools to authenticate remote operations. If exposed on an unmanaged device, it can become a high-value reusable secret because it may bypass normal user-password protections and give attackers a direct path into corporate systems.
Deepen your knowledge
Unmanaged endpoint governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation supports contractors or remote users from personal devices, it is worth exploring.
This post draws on content published by CyberArk: Unmanaged Endpoints: Your Security Blind Spot. Read the original.
Published by the NHIMG editorial team on 2025-03-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org