
NHI lifecycle management: why discovery comes before deprovisioning


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Many security teams rush to provisioning, rotation, and deprovisioning, but Clutch Security argues the real sequence is visibility, risk prioritization, ownership, then lifecycle management, because skipping earlier phases leaves large portions of the NHI estate unmanaged. That is why traditional JML assumptions break down when identities are created outside HR and persist without a natural leaver event.

NHIMG editorial — based on content published by Clutch Security: No One's Coming to Deprovision That Service Account

By the numbers:

Questions worth separating out

Q: What breaks when teams try to deprovision NHIs before discovery is complete?

A: Deprovisioning becomes partial and misleading when the inventory is incomplete.

Q: Why do service accounts and API keys complicate joiner-mover-leaver processes?

A: They are not created, changed, or retired by HR events, so the normal employee lifecycle does not signal when access should begin or end.

Q: How do organisations know whether NHI lifecycle management is actually working?

A: The strongest signal is not ticket volume but coverage: how much of the discovered NHI estate has a named owner, a risk rank, and a defined retirement path.

Practitioner guidance

  • Build discovery across every identity creation path: Inventory service accounts, API keys, certificates, and workload identities across cloud consoles, CI/CD pipelines, SaaS admin tools, and secret managers before attempting lifecycle automation.
  • Rank NHIs by privilege, exposure, and staleness: Separate low-risk credentials from production-critical identities so review, rotation, and deprovisioning effort lands where compromise would create the largest blast radius.
  • Assign accountable owners to every identity: Trace each NHI from credential to workload to application to team, then require a named human owner who can approve removal or attest continued need.

What's in the full article

Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the four-phase maturity sequence is applied across Fortune 500 NHI estates in practice.
  • The specific discovery sources that tend to expose hidden service accounts and orphaned credentials.
  • Why ownership assignment is the point where lifecycle programmes commonly stall.
  • The article's detailed argument for why traditional JML logic breaks when identities are machine-created.

👉 Read Clutch Security's analysis of NHI lifecycle management and ownership →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Lifecycle automation without discovery is control theatre. Organisations that automate provisioning and deprovisioning before they have a complete inventory are governing a documented slice of the estate, not the estate itself. The real failure is not poor orchestration, it is the assumption that known identities are representative. Practitioners should treat inventory completeness as the prerequisite control, not an administrative task.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly NHI governance breaks down when discovery is incomplete.

A question worth separating out:

Q: What should IAM teams do when NHIs have no clear owner?

A: Treat ownership gaps as a blocking issue, not a cleanup task. Start by tracing each identity to the workload it serves, then to the application and team responsible for it. If no accountable human can be assigned, the identity should be treated as unmanaged risk until the business proves why it still exists.

👉 Read our full editorial: NHI lifecycle management fails without visibility and ownership first
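Added editorial example, not code from either post or from Clutch Security: a toy inventory pass that follows the sequence both posts describe. It merges discovery output from several creation paths (one credential seen twice collapses to one record), ranks each identity by privilege, exposure and staleness, resolves an owner through the workload -> application -> team chain from the practitioner guidance and the reply above, flags anything without a named team as unmanaged, and reports owner coverage rather than ticket counts. Every identity, source name, workload, application, team and the scoring weights are constructed for illustration.

```python
"""Toy NHI inventory pass: discover -> rank -> resolve owner -> report coverage.
All data below is constructed; real discovery would pull from cloud IAM,
CI/CD secret stores, SaaS admin APIs and secret managers."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed discovery output from three creation paths:
# (source, identity id, kind, privilege, exposure, last used ISO date, workload)
DISCOVERED = [
    ("cloud-iam",  "sa-billing-export", "service_account", "admin", "internet", "2025-01-03", "billing-job"),
    ("ci-secrets", "key-deploy-prod",   "api_key",         "write", "internal", "2025-06-20", "deploy-pipeline"),
    ("secret-mgr", "key-deploy-prod",   "api_key",         "write", "internal", "2025-06-20", "deploy-pipeline"),
    ("secret-mgr", "cert-legacy-sync",  "certificate",     "read",  "internal", "2023-02-11", "legacy-sync"),
    ("cloud-iam",  "sa-unknown-7",      "service_account", "admin", "internet", "2024-11-30", None),
]

# Constructed ownership chain: workload -> application -> team. "crm-legacy"
# deliberately has no team, mirroring the ownership-gap case in the reply.
WORKLOAD_APP = {"billing-job": "billing", "deploy-pipeline": "platform-deploy", "legacy-sync": "crm-legacy"}
APP_TEAM = {"billing": "finance-eng", "platform-deploy": "platform"}

# Constructed scoring weights; a real programme would tune these per environment.
PRIV = {"read": 1, "write": 2, "admin": 3}
EXPO = {"internal": 1, "internet": 3}
TODAY = date(2025, 7, 1)  # fixed reference date so staleness is reproducible


@dataclass
class NHI:
    ident: str
    kind: str
    privilege: str
    exposure: str
    last_used: date
    workload: Optional[str]
    sources: set = field(default_factory=set)
    owner: Optional[str] = None
    risk: Optional[int] = None


def merge_discovery(records):
    """Union discovery output keyed on identity id: a credential seen on two
    creation paths is one identity with two sources, not two identities."""
    inventory = {}
    for source, ident, kind, priv, expo, last_used, workload in records:
        nhi = inventory.setdefault(
            ident, NHI(ident, kind, priv, expo, date.fromisoformat(last_used), workload))
        nhi.sources.add(source)
    return inventory


def risk_score(nhi, today=TODAY):
    """Privilege x exposure, plus a staleness penalty for idle credentials."""
    days_idle = (today - nhi.last_used).days
    stale = 4 if days_idle > 365 else 2 if days_idle > 90 else 0
    return PRIV[nhi.privilege] * EXPO[nhi.exposure] + stale


def resolve_owner(nhi):
    """Walk workload -> application -> team; None at any hop means no owner."""
    app = WORKLOAD_APP.get(nhi.workload)
    return APP_TEAM.get(app)


def assess(records, today=TODAY):
    """Run the full pass and return the coverage signal plus the ranked list."""
    inventory = merge_discovery(records)
    for nhi in inventory.values():
        nhi.risk = risk_score(nhi, today)
        nhi.owner = resolve_owner(nhi)
    ranked = sorted(inventory.values(), key=lambda n: n.risk, reverse=True)
    owned = [n.ident for n in ranked if n.owner is not None]
    return {
        "total": len(inventory),
        "ranked": [n.ident for n in ranked],
        "owned": owned,
        "unmanaged": [n.ident for n in ranked if n.owner is None],
        "owner_coverage": len(owned) / len(inventory),
    }


if __name__ == "__main__":
    report = assess(DISCOVERED)
    print(f"{report['total']} identities, owner coverage {report['owner_coverage']:.0%}")
    print("ranked by risk:", ", ".join(report["ranked"]))
    print("unmanaged (no accountable team):", ", ".join(report["unmanaged"]))
```

Two things the output shows that the prose alone does not: the stale, read-only certificate outranks the actively used deploy key because staleness is scored, and the internet-exposed admin account with no workload mapping lands at the top of the list and in the unmanaged set at the same time, which is exactly the identity a deprovisioning run started before discovery would never see.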
