NHI guest lists and leftover credentials: what teams need to fix


(@nhi-mgmt-group)
Member Moderator

TL;DR: Thanksgiving is used as an analogy for NHI governance: organisations must know which applications, APIs, and workloads are present, assign clear roles and policies, and clean up stale permissions, unrotated secrets, and unused credentials, according to Oasis Security. The central lesson is that identity inventory and lifecycle hygiene are the real control plane, not holiday-style coordination.

NHIMG editorial — based on content published by Oasis Security: The feast of security: what Thanksgiving can teach us about protecting Non-Human Identities

Questions worth separating out

Q: How should security teams build an inventory of non-human identities?

A: Start by discovering every system that can authenticate without a person present, including workloads, APIs, service accounts, certificates, and tokens.

Q: Why do stale credentials create such persistent NHI risk?

A: Because credentials often remain valid after the business need has ended, which means access continues even when accountability has already drifted.

Q: What do security teams get wrong about NHI role assignment?

A: They often map roles to convenience instead of the actual workload function.

Practitioner guidance

  • Build a complete NHI inventory: inventory applications, APIs, workloads, service accounts, secrets, and certificates across cloud, CI/CD, and third-party integrations, then assign an owner to each identity.
  • Define task-scoped roles for machine identities: replace broad inherited permissions with narrowly scoped roles that match the actual function of each identity, and review role drift during change management.
  • Remove stale credentials on a lifecycle schedule: tie rotation, revocation, and decommissioning to business ownership so unused API keys, tokens, and certificates do not survive past their purpose.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full Thanksgiving-themed walkthrough that maps each holiday analogy to a specific NHI governance practice
  • Oasis Security's examples of how policy-driven automation is positioned around identity roles and permission boundaries
  • The article's own framing of stale permissions, unrotated secrets, and unused credentials as the security equivalent of leftovers
  • The surrounding blog links that connect this post to related NHI governance topics across discovery, OAuth, and workload identity

👉 Read Oasis Security's Thanksgiving-themed post on NHI governance and lifecycle cleanup →

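The lifecycle review that the three practitioner bullets describe (inventory with an owner per identity, task-scoped roles, stale-credential cleanup tied to rotation policy), as an added example that is not part of the original post or of Oasis Security's material: a small Python script that walks a constructed NHI inventory and flags unowned identities, credentials past their rotation policy, credentials unused for 90 days, expired certificates, and over-broad roles, then maps each identity to a single recommended action. The record fields, the 90-day unused threshold, the set of roles treated as over-broad, the inventory entries, and the action names are all assumptions chosen for illustration.

```python
"""Stale-credential review over a constructed NHI inventory.

Added example, not Oasis Security's or NHIMG's code. Every record below is
constructed; field names, thresholds and action labels are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

UNUSED_DAYS = 90                        # assumption: unused this long => stale
BROAD_ROLES = {"owner", "admin", "*"}   # assumption: roles treated as over-broad


@dataclass
class NHI:
    name: str
    kind: str                   # service_account, api_key, certificate, oauth_client
    owner: Optional[str]        # accountable team; None means nobody is on the hook
    created: date               # issue date of the current secret / key / cert
    last_used: Optional[date]   # None means the credential never authenticated
    rotation_days: int          # policy: maximum age before the secret must rotate
    expires: Optional[date] = None          # certificates only
    roles: List[str] = field(default_factory=list)


def review(identity: NHI, today: date) -> List[str]:
    """Return every hygiene finding for one identity, in a fixed order."""
    findings: List[str] = []
    if identity.owner is None:
        findings.append("no-owner")
    age = (today - identity.created).days
    if age > identity.rotation_days:
        findings.append(f"unrotated:{age}d>{identity.rotation_days}d")
    if identity.last_used is None:
        findings.append("never-used")
    elif (today - identity.last_used).days > UNUSED_DAYS:
        findings.append(f"unused>{UNUSED_DAYS}d")
    if identity.expires is not None and identity.expires < today:
        findings.append("expired")
    if BROAD_ROLES.intersection(identity.roles):
        findings.append("broad-role")
    return findings


def recommend(findings: List[str]) -> str:
    """Pick one primary action; unused credentials are removed, not rotated."""
    if any(f.startswith("unused") or f == "never-used" for f in findings):
        return "revoke"
    if any(f.startswith("unrotated") or f == "expired" for f in findings):
        return "rotate"
    if "broad-role" in findings:
        return "rescope"
    if "no-owner" in findings:
        return "assign-owner"
    return "ok"


# Constructed inventory: five identities of the kinds the post lists.
TODAY = date(2024, 11, 28)
INVENTORY = [
    NHI("ci-deploy", "service_account", "platform", date(2024, 9, 1),
        date(2024, 11, 27), 180, roles=["deployer"]),
    NHI("legacy-billing-key", "api_key", None, date(2023, 5, 10),
        date(2024, 6, 1), 90, roles=["billing.read"]),
    NHI("ingest-tls", "certificate", "data-eng", date(2024, 1, 15),
        date(2024, 11, 28), 365, expires=date(2024, 11, 1)),
    NHI("report-bot", "oauth_client", "finance", date(2024, 10, 1),
        None, 90, roles=["admin"]),
    NHI("metrics-agent", "service_account", "sre", date(2024, 4, 1),
        date(2024, 11, 28), 90, roles=["metrics.write"]),
]


def run_review(inventory: List[NHI] = INVENTORY,
               today: date = TODAY) -> Dict[str, Tuple[List[str], str]]:
    """Map each identity name to (findings, recommended action)."""
    result = {}
    for identity in inventory:
        findings = review(identity, today)
        result[identity.name] = (findings, recommend(findings))
    return result


if __name__ == "__main__":
    for name, (findings, action) in run_review().items():
        print(f"{name:20s} {action:12s} {', '.join(findings) or '-'}")
```

The ordering in recommend is deliberate: a credential nobody has used in 90 days is removed rather than rotated, because rotating it only issues a fresh secret for a purpose that has already ended, and an unowned identity is surfaced even when nothing else is wrong, since without an owner the rotation and revocation deadlines have nobody to enforce them.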

(@mr-nhi)
Member Moderator
 

Identity inventory is the real starting point for NHI governance. The article gets that basic truth right, even if it uses a holiday metaphor to make the point. Organisations cannot govern what they cannot see, and hidden applications, APIs, workloads, and service accounts create blind spots that undermine every downstream control. The implication is simple: inventory is not documentation, it is the control plane for NHI governance.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable for rotating and revoking machine credentials?

A: The identity owner and the system owner should both be accountable, with clear deadlines for rotation, revocation, and decommissioning. If ownership is ambiguous, credentials tend to survive by default. Accountability works only when the lifecycle state of each identity is tracked and enforced.

👉 Read our full editorial: Thanksgiving shows why NHI governance starts with identity inventory


