TL;DR: Ownership discovery and attestation are intended to keep non-human identities accurate, accountable, and compliant over time, while reducing manual review cycles, unresolved ownership, and audit friction, according to Oasis Security. The governance issue is not review cadence alone, but the fact that many NHI programmes still cannot prove who owns what, when access is no longer needed, or whether attestation decisions are timely.
NHIMG editorial — based on content published by Oasis Security: Solving Non Human Identity Ownership with Oasis, Part 2: Ownership attestation
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
Questions worth separating out
Q: How should security teams handle NHI ownership when no clear owner exists?
A: Treat the identity as an exception, not as an acceptable default.
Q: Why do campaign-based reviews often miss NHI risk?
A: Because they measure a point in time, while NHI risk changes across the lifecycle.
Q: What breaks when NHI attestation is not tied to deprovisioning?
A: The process becomes a reporting exercise instead of a control.
Practitioner guidance
- Map every NHI to a named accountable owner. Require a business or technical owner before an identity is allowed to enter production, and flag any orphaned NHI as an exception that must be resolved before the next certification cycle.
- Tie attestation to lifecycle change events. Trigger reviews when applications change teams, when service accounts are repurposed, or when integration ownership shifts, instead of waiting only for quarterly or annual campaign windows.
- Make attestation outcomes enforceable. Connect "approved", "not needed", and "not the owner" responses to deprovisioning, reassignment, or escalation workflows so the review produces a state change.
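The three points above describe one control loop, so here is an added example (not Oasis Security's or NHIMG's code, and not a description of the Oasis product) that wires them together in Python: admission blocks any identity without a named owner, lifecycle events open a review on their own, and every attestation response forces a state change (deprovision, reassign, escalate) so the review is a control rather than a report. The identity names, owner handles, event names and the 14-day review SLA are constructed for the example; the `metrics()` output shows the counts a programme would watch, such as orphaned identities and identities stuck in unresolved reassignment.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Response(Enum):
    APPROVED = "approved"
    NOT_NEEDED = "not needed"
    NOT_THE_OWNER = "not the owner"


class State(Enum):
    ACTIVE = "active"
    PENDING_REVIEW = "pending_review"                  # review open, waiting on the owner
    EXCEPTION_NO_OWNER = "exception_no_owner"          # orphaned: blocked until resolved
    REASSIGNMENT_UNRESOLVED = "reassignment_unresolved"
    ESCALATED = "escalated"                            # review overdue, sent up the chain
    DEPROVISIONED = "deprovisioned"


# Lifecycle changes that open a review by themselves, independent of campaign windows.
REVIEW_TRIGGERS = {"team_change", "repurposed", "integration_owner_shift"}
REVIEW_SLA_DAYS = 14  # assumed SLA for this example, not a figure from the article


@dataclass
class NHI:
    name: str
    kind: str                         # "service_account", "api_key", "certificate"
    owner: Optional[str]              # hypothetical owner handle such as "team-payments"
    state: State = State.ACTIVE
    review_due: Optional[int] = None  # day number by which an open review must close
    history: List[str] = field(default_factory=list)


class AttestationEngine:
    def __init__(self) -> None:
        self.inventory: Dict[str, NHI] = {}

    def admit(self, nhi: NHI) -> bool:
        """Production gate: no named owner means an exception, never a silent default."""
        self.inventory[nhi.name] = nhi
        if not nhi.owner:
            nhi.state = State.EXCEPTION_NO_OWNER
            nhi.history.append("blocked at admission: no accountable owner")
            return False
        nhi.history.append(f"admitted with owner {nhi.owner}")
        return True

    def _open_review(self, nhi: NHI, today: int, reason: str) -> None:
        nhi.state = State.PENDING_REVIEW
        nhi.review_due = today + REVIEW_SLA_DAYS
        nhi.history.append(f"day {today}: review opened ({reason})")

    def assign_owner(self, name: str, owner: str, today: int) -> None:
        """Resolve an orphan or a 'not the owner' answer; the new owner must still attest."""
        nhi = self.inventory[name]
        nhi.owner = owner
        self._open_review(nhi, today, f"owner set to {owner}")

    def lifecycle_event(self, name: str, event: str, today: int) -> bool:
        """Event-driven trigger instead of waiting for the next campaign."""
        nhi = self.inventory[name]
        if event not in REVIEW_TRIGGERS or nhi.state is State.DEPROVISIONED or not nhi.owner:
            nhi.history.append(f"day {today}: event {event} did not open a review")
            return False
        self._open_review(nhi, today, event)
        return True

    def attest(self, name: str, responder: str, response: Response, today: int) -> State:
        """Every response produces a state change; a review that changes nothing is a report."""
        nhi = self.inventory[name]
        if nhi.state is not State.PENDING_REVIEW:
            raise ValueError(f"{name}: no open review to attest")
        if responder != nhi.owner:
            raise PermissionError(f"{responder} is not the recorded owner of {name}")
        nhi.review_due = None
        if response is Response.APPROVED:
            nhi.state = State.ACTIVE
        elif response is Response.NOT_NEEDED:
            nhi.state = State.DEPROVISIONED        # hook point for credential revocation
        else:                                      # NOT_THE_OWNER: ownership unknown again
            nhi.owner = None
            nhi.state = State.REASSIGNMENT_UNRESOLVED
        nhi.history.append(f"day {today}: {responder} answered '{response.value}' -> {nhi.state.value}")
        return nhi.state

    def escalate_overdue(self, today: int) -> List[str]:
        """Reviews past their SLA stop waiting on the owner and go up the chain."""
        escalated = []
        for nhi in self.inventory.values():
            if nhi.state is State.PENDING_REVIEW and nhi.review_due is not None and today > nhi.review_due:
                nhi.state = State.ESCALATED
                nhi.history.append(f"day {today}: escalated, review overdue")
                escalated.append(nhi.name)
        return escalated

    def metrics(self) -> Dict[str, int]:
        """Counts a programme should watch: orphans, unresolved reassignment, stale accounts."""
        counts = {s.value: 0 for s in State}
        for nhi in self.inventory.values():
            counts[nhi.state.value] += 1
        return counts


def run_demo() -> Dict[str, int]:
    """Walk constructed sample identities through the control and return the final counts."""
    eng = AttestationEngine()
    eng.admit(NHI("svc-payments-batch", "service_account", "team-payments"))
    eng.admit(NHI("apikey-crm-sync", "api_key", None))               # orphan: blocked
    eng.admit(NHI("cert-ingress-gateway", "certificate", "platform-eng"))
    # Payments app moves teams: the old owner answers "not the owner", the identity sits in
    # unresolved reassignment until a new owner is set and that owner attests.
    eng.lifecycle_event("svc-payments-batch", "team_change", today=1)
    eng.attest("svc-payments-batch", "team-payments", Response.NOT_THE_OWNER, today=2)
    eng.assign_owner("svc-payments-batch", "team-billing", today=3)
    eng.attest("svc-payments-batch", "team-billing", Response.APPROVED, today=4)
    # Gateway certificate is repurposed and its owner says it is no longer needed.
    eng.lifecycle_event("cert-ingress-gateway", "repurposed", today=5)
    eng.attest("cert-ingress-gateway", "platform-eng", Response.NOT_NEEDED, today=6)
    # The orphaned API key gets an owner, but nobody attests within the SLA.
    eng.assign_owner("apikey-crm-sync", "team-sales", today=7)
    eng.escalate_overdue(today=30)
    return eng.metrics()
```

The design choice worth noting is that `attest()` has no "no-op" branch: every answer moves the identity somewhere, and "not the owner" deliberately clears the owner field so the identity shows up in the unresolved-reassignment count until a human claims it.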
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- The ownership discovery workflow used to suggest the most probable owner when identity data is incomplete.
- The attestation campaign flow for approvals, reassignment, and not-needed outcomes across NHI populations.
- The notification mechanics for email and Slack delivery to designated owners.
- The reporting and audit-trail details that show how attestation evidence is preserved for compliance reviews.
👉 Read Oasis Security's post on NHI ownership discovery and attestation →
NHI ownership attestation: what IAM teams need to fix now?
Explore further
Ownership attestation is really an accountability control, not a review ritual. The central problem is that NHI governance breaks down when no human is clearly responsible for a service account, token, or certificate. Once ownership is ambiguous, every downstream control becomes slower and less reliable. The implication is that NHI programmes should treat ownership as a first-class governance attribute, not an administrative note.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How do organisations know whether NHI attestation is actually working?
A: Look for reduction in orphaned identities, faster closure of review exceptions, and fewer identities left in unresolved owner reassignment status after each campaign. If the programme produces reports but does not change the number of live stale accounts, it is not controlling risk.
👉 Read our full editorial: Non-human identity attestation closes the ownership gap in IAM