NHI provisioning is broken: where does governance fail first?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Broken NHI provisioning creates orphaned accounts, over-permissioned identities, and secrets that never rotate, while AI workloads and agentic architectures amplify the sprawl, according to Oasis Security. The real failure is treating provisioning as a one-time task instead of a lifecycle control point that establishes ownership, policy, and accountability from day one.

NHIMG editorial — based on content published by Oasis Security: What is Non Human Identity provisioning and why is it broken?

By the numbers:

Questions worth separating out

Q: What breaks when NHI provisioning is treated as a one-time task?

A: When provisioning is treated as a one-time task, organisations lose the metadata needed to govern the identity after creation.

Q: Why do poorly governed NHIs increase lateral movement risk?

A: Poorly governed NHIs often retain more access than they need and keep credentials active long after the original task changes.

Q: How do security teams know if NHI provisioning is actually working?

A: Provisioning is working when every identity is traceable from creation through retirement, with clear ownership, documented purpose, and enforced rotation.

Practitioner guidance

  • Require lifecycle metadata at creation: make owner, purpose, system of record, and retirement condition mandatory before an NHI can receive credentials.
  • Block credential issuance outside governed workflows: prevent developers and automation from minting production identities through ad hoc scripts, chat requests, or manual handoffs.
  • Bind automation to policy, not tribal knowledge: translate common provisioning patterns into enforceable policy so least privilege, vaulting, and rotation are applied consistently across teams and environments.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A manual provisioning flow for Azure service principals with the specific handoffs and approval steps involved
  • Concrete examples of broken provisioning patterns such as Slack-shared API keys, unrevoked secrets, and over-permissioned service accounts
  • The article's proposed governance pattern for automating provisioning with policy enforcement, ownership assignment, and least privilege
  • The vendor's perspective on how to scale NHI provisioning across hybrid and multi-cloud environments

👉 Read Oasis Security's analysis of why NHI provisioning is broken →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Provisioning is the first governance decision, not an administrative step. The article is right to frame NHI provisioning as a foundational control point because the access model is effectively set before the identity ever enters production. If ownership, scope, and retirement conditions are absent at creation, every later control becomes compensating rather than preventive. For practitioners, the implication is that provisioning design determines downstream governance quality across IAM, PAM, and lifecycle.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who is accountable when an unowned NHI is left active?

A: Accountability should sit with the business service owner and the identity governance process that approved creation. If no owner can be identified, the organisation has a governance failure, not just a technical one. Frameworks such as the NHI lifecycle approach and zero trust both depend on proving who is responsible for an identity throughout its life.

👉 Read our full editorial: NHI provisioning is broken because governance starts too late



   
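The practitioner guidance in the editorial (mandatory lifecycle metadata, no issuance outside governed workflows, policy-bound least privilege and rotation) and the accountability question in the reply (an unowned NHI left active) describe one control surface: a gate at creation plus a recurring audit. The Python below is an added example written for this thread, not code from Oasis Security or NHIMG. The policy table, the `iam-pipeline` workflow name, the `vault://` reference scheme, the 90-day rotation interval and the sample requests are all constructed assumptions; the point is that the identity record carries owner, purpose, system of record, retirement condition and rotation due date from the moment it exists, so the audit can answer "who owns this, is it still needed, and has its secret rotated" without tribal knowledge.

```python
"""Policy gate for NHI provisioning plus a lifecycle audit.

Added example, not Oasis Security's or NHIMG's code. All field names,
policy values and the sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: which scopes a purpose may carry, and how often secrets rotate.
SCOPES_BY_PURPOSE = {
    "ci-deploy": {"artifact:read", "deploy:write"},
    "metrics-export": {"metrics:read"},
}
ROTATION_DAYS = 90
GOVERNED_WORKFLOWS = {"iam-pipeline"}   # anything else (chat request, ad hoc script) is blocked
REQUIRED_FIELDS = ("owner", "purpose", "system_of_record", "retirement_condition")
SAMPLE_DAY = date(2025, 3, 1)           # constructed "today" for the walkthrough


@dataclass
class ProvisioningRequest:
    name: str
    owner: str
    purpose: str
    system_of_record: str
    retirement_condition: str       # e.g. "expires:2025-06-30" or "service-decommissioned"
    scopes: set
    workflow: str                   # where the request came from


@dataclass
class Identity:
    name: str
    owner: str
    purpose: str
    system_of_record: str
    retirement_condition: str
    scopes: set
    created: date
    rotation_due: date
    secret_ref: str                 # reference into the vault, never the secret itself


def validate(req: ProvisioningRequest) -> list:
    """Return the policy violations that must block credential issuance."""
    problems = []
    for f in REQUIRED_FIELDS:
        if not getattr(req, f):
            problems.append(f"missing lifecycle metadata: {f}")
    if req.workflow not in GOVERNED_WORKFLOWS:
        problems.append(f"ungoverned workflow: {req.workflow}")
    allowed = SCOPES_BY_PURPOSE.get(req.purpose)
    if allowed is None:
        problems.append(f"unknown purpose: {req.purpose}")
    else:
        extra = req.scopes - allowed            # least privilege: scopes are bounded by purpose
        if extra:
            problems.append("scopes exceed purpose: " + ", ".join(sorted(extra)))
    return problems


def provision(req: ProvisioningRequest, today: date) -> Identity:
    """Create the identity only when the gate passes; record rotation and vault ref."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    return Identity(
        name=req.name, owner=req.owner, purpose=req.purpose,
        system_of_record=req.system_of_record,
        retirement_condition=req.retirement_condition,
        scopes=set(req.scopes), created=today,
        rotation_due=today + timedelta(days=ROTATION_DAYS),
        secret_ref=f"vault://nhi/{req.name}",
    )


def audit(inventory: list, active_owners: set, today: date) -> dict:
    """Map identity name -> findings; an empty list means the identity is traceable."""
    report = {}
    for ident in inventory:
        findings = []
        if ident.owner not in active_owners:
            findings.append("orphaned: owner no longer active")
        if today > ident.rotation_due:
            findings.append("rotation overdue")
        if ident.retirement_condition.startswith("expires:"):
            if today > date.fromisoformat(ident.retirement_condition.split(":", 1)[1]):
                findings.append("retirement condition met, identity still active")
        report[ident.name] = findings
    return report


def demo() -> dict:
    """Constructed walkthrough: one blocked request, one provisioned, then audited later."""
    bad = ProvisioningRequest("ci-bot", "alice", "ci-deploy", "", "service-decommissioned",
                              {"artifact:read", "deploy:write", "secret:read"}, "slack")
    good = ProvisioningRequest("exporter", "bob", "metrics-export", "cmdb:svc-42",
                               "expires:2025-06-30", {"metrics:read"}, "iam-pipeline")
    ident = provision(good, SAMPLE_DAY)
    later = SAMPLE_DAY + timedelta(days=200)   # bob has left; rotation and expiry have passed
    return {
        "blocked": validate(bad),
        "rotation_due": ident.rotation_due,
        "secret_ref": ident.secret_ref,
        "audit": audit([ident], active_owners={"alice"}, today=later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `bad` request fails on three separate policy grounds at once (missing system of record, ungoverned workflow, a scope the purpose does not justify), which is the "compensating rather than preventive" situation the reply describes if any of them is checked only after creation. The later audit on the `good` identity shows why the retirement condition and rotation date must be captured at provisioning time: with them, an orphaned, stale and expired identity is found mechanically; without them, someone has to remember it exists.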