TL;DR: A healthcare provider with more than 100,000 non-human identities, 50,000 certificates, 10,000 service accounts, and 133 unused service principals found in Azure showed how quickly hybrid environments outgrow manual NHI governance, according to Oasis Security. The lesson is that visibility, ownership, and rotation are now baseline identity controls, not optional clean-up work.
NHIMG editorial — based on content published by Oasis Security: How a Healthcare provider gained comprehensive NHI visibility with Oasis
By the numbers:
- An initial analysis of their Azure environment revealed 133 service principals hadn’t been used in over 30 days.
- 46 privileged secrets hadn’t been rotated in months.
Questions worth separating out
Q: What breaks when non-human identities are not fully visible across hybrid environments?
A: When NHIs are not fully visible, teams lose the ability to identify stale accounts, over-privileged access, and unused credentials before an attacker does; every downstream control (ownership, rotation, decommissioning) can only act on the identities the inventory knows about.
Q: Why do service accounts and secrets with standing access increase risk in cloud environments?
A: Standing access increases risk because dormant credentials remain valid, and therefore usable by anyone who obtains them, even when the business no longer needs them; nobody is watching an identity that nobody uses.
Q: What do security teams get wrong about NHI ownership in hybrid estates?
A: Teams often treat ownership as an administrative label instead of an enforceable control: without a named owner there is nobody to approve a rotation, answer an access review, or sign off on disabling the identity.
Practitioner guidance
- Inventory every NHI across hybrid estates: build a unified register for service principals, certificates, service accounts, and API keys across cloud and on-premises systems.
- Enforce usage-based decommissioning: trigger deactivation when privileged identities cross defined inactivity thresholds, and require tickets plus alerts for every automatic disablement.
- Rotate privileged secrets on policy, not memory: automate secret rotation for identities with elevated access and block exceptions from becoming permanent.
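The three guidance points above are one triage loop: check ownership, check usage against an inactivity threshold, check rotation age, and make sure an approved exception cannot quietly become permanent. The following Python is an added example written for this post, not code from Oasis Security or from the healthcare provider. It runs over a constructed inventory (the identity names, owners and dates are invented for illustration); the 30-day inactivity window mirrors the case study, while the 90-day rotation window and the exception-expiry field are assumed policy choices, not values the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds. 30 days mirrors the case study's inactivity finding;
# 90 days is an assumed rotation policy, not a value from the article.
INACTIVITY_DAYS = 30
ROTATION_DAYS = 90


@dataclass
class Identity:
    name: str
    kind: str                          # service_principal, service_account, certificate, api_key
    privileged: bool
    owner: Optional[str]               # None = no accountable owner recorded
    last_used: Optional[datetime]      # None = never observed in sign-in/usage logs
    secret_rotated: Optional[datetime] # None = rotation date unknown
    exception_until: Optional[datetime] = None  # approved policy exception, if any


def triage(inventory: List[Identity], now: datetime,
           inactivity_days: int = INACTIVITY_DAYS,
           rotation_days: int = ROTATION_DAYS) -> Dict[str, List[str]]:
    """Classify each identity against the three controls: ownership, usage, rotation."""
    inactive_cutoff = now - timedelta(days=inactivity_days)
    rotation_cutoff = now - timedelta(days=rotation_days)
    findings: Dict[str, List[str]] = {
        "no_owner": [], "never_used": [], "inactive": [],
        "stale_secret": [], "expired_exception": [], "excepted": [],
    }
    for ident in inventory:
        if ident.owner is None:
            findings["no_owner"].append(ident.name)

        # A live exception suppresses usage/rotation findings; a lapsed one must not.
        if ident.exception_until is not None:
            if ident.exception_until > now:
                findings["excepted"].append(ident.name)
                continue
            findings["expired_exception"].append(ident.name)

        # "Never used" is kept separate from "inactive": with no usage baseline
        # the right action is a human decision, not an automatic disable.
        if ident.last_used is None:
            findings["never_used"].append(ident.name)
        elif ident.last_used < inactive_cutoff:
            findings["inactive"].append(ident.name)

        # Rotation is enforced on privileged identities; an unknown rotation
        # date is treated as stale rather than assumed fresh.
        if ident.privileged and (ident.secret_rotated is None
                                 or ident.secret_rotated < rotation_cutoff):
            findings["stale_secret"].append(ident.name)
    return findings


def disable_candidates(inventory: List[Identity],
                       findings: Dict[str, List[str]]) -> List[str]:
    """Privileged identities past the inactivity threshold with no live exception:
    the set that should enter the ticket + alert + disable flow."""
    by_name = {i.name: i for i in inventory}
    return sorted(n for n in findings["inactive"] if by_name[n].privileged)


# Constructed sample inventory (hypothetical names and dates, for illustration only).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_INVENTORY = [
    Identity("sp-billing-export", "service_principal", True, "finance-platform", days_ago(45), days_ago(20)),
    Identity("sp-legacy-hl7", "service_principal", True, None, None, days_ago(200)),
    Identity("sa-backup-agent", "service_account", False, "infra-ops", days_ago(2), days_ago(400)),
    Identity("cert-api-gateway", "certificate", True, "api-team", days_ago(60), days_ago(10),
             exception_until=NOW + timedelta(days=10)),
    Identity("key-etl-loader", "api_key", True, "data-eng", days_ago(5), days_ago(120),
             exception_until=days_ago(5)),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, NOW)
    for category, names in result.items():
        print(f"{category:18s} {names}")
    print("disable candidates:", disable_candidates(SAMPLE_INVENTORY, result))
```

Two design points matter in practice. First, the loop never disables anything itself; it produces the candidate list that the ticket-and-alert step consumes, which is what keeps an automated decommissioning process auditable. Second, "never used" and "rotation date unknown" are surfaced as their own findings rather than silently passed, because in a hybrid estate those gaps in telemetry are usually where the stale identities hide.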
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- The specific three-step visibility, security, and governance workflow the healthcare provider used to reduce risk.
- The Azure-focused findings across 30+ subscriptions and 3 vaults that informed prioritisation.
- The automation pattern for credential rotation and automatic decommissioning of inactive privileged identities.
- The reporting and triage process that turned identity findings into measurable risk reduction.
👉 Read Oasis Security's case study on achieving comprehensive NHI visibility in healthcare →
NHI visibility at scale: what this healthcare case means for IAM teams
Explore further
Manual NHI governance collapses first at the visibility layer. When an organisation cannot see its full inventory of certificates, service accounts, and secrets, every downstream control (ownership, rotation, decommissioning) becomes partial, because it can only act on the identities it knows about. That is why hybrid environments with tens of thousands of identities drift into unmanaged risk even before a breach occurs. Security teams should treat unified discovery as the first governance control, not an operational nicety.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Another finding from the same report shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when a non-human identity control gap is allowed to persist?
A: Accountability should sit with the identity owner and the operating team responsible for lifecycle enforcement, but the broader organisation is accountable for allowing the control gap to persist. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that identity governance is an ongoing responsibility, not a one-time setup.
👉 Read our full editorial: Healthcare NHI visibility shows why manual governance breaks at scale