Oasis NHI provisioning and the governance gap teams still miss

TL;DR: Ungoverned credentials, fragmented workflows, and late-stage remediation leave NHI risk baked in before teams can react, according to Oasis Security, whose NHI provisioning capability creates and governs non-human identities from the start, with policy enforcement, ownership assignment, vaulting, rotation, and deprovisioning set during request approval and applied through the lifecycle.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps - 38% have no or low visibility, and a further 47% have only partial visibility.

Questions worth separating out

Q: What breaks when NHI provisioning happens without ownership and policy at creation time?

A: The identity enters production already outside governance.

Q: Why do NHI provisioning mistakes create long-term security risk?

A: Because provisioning decisions define the identity's trust boundary before anyone has a chance to review behaviour.

Q: How do security teams know whether NHI provisioning is actually governed?

A: Look for three signals: every identity has an owner, every secret lands in an approved storage path, and every new object appears immediately in inventory and lifecycle workflows.

Practitioner guidance

• Move ownership assignment into the provisioning request Require every new NHI to have an owner or owner group before issuance, and block creation if that metadata is missing.
• Make vault destination a provisioning control Force the requester to select the approved vault or federated pattern during creation, and reject identities that would place secrets in unmanaged locations.
• Separate credential-based and federated identity decisions Choose federated identity where the use case allows it, and reserve credential-based identities for cases that truly need secrets.

What's in the full announcement

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

• The request-to-approval workflow across Terraform, ServiceNow, API triggers, and the Oasis UI for provisioning NHIs.
• The step-by-step identity generation flow for Azure service principals and how the platform tags created identities.
• The secret generation and vaulting path, including how the Oasis Outpost keeps sensitive operations inside the customer perimeter.
• The notification and lifecycle events that follow provisioning, including ownership assignment, success alerts, and error handling.

👉 Read Oasis Security's blog on NHI provisioning from day one →

Oasis NHI provisioning and the governance gap teams still miss?

Explore further

View Full Forum →  |  NHI Foundation Course →