
NHI ownership discovery: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: NHI ownership remains hard to assign because data is fragmented across CMDBs, identity providers, logs, and manual tagging workflows, according to Oasis Security. That gap matters because accountability, remediation, and attestation all depend on knowing who owns each non-human identity before controls can be enforced.

NHIMG editorial — based on content published by Oasis Security: Solving Non Human Identity Ownership with Oasis Part 1

By the numbers:

Questions worth separating out

Q: How should security teams assign ownership to non-human identities?

A: Start with a governed ownership record for every non-human identity, then validate it against CMDB, identity provider, log, and application evidence.

Q: Why does fragmented NHI ownership create security risk?

A: Because fragmented ownership breaks accountability.

Q: What do teams get wrong about AI-assisted NHI ownership discovery?

A: They sometimes treat recommendations as final answers.

Practitioner guidance

  • Create one authoritative ownership record for each NHI. Tie every service account, API key, token, and certificate to a governed owner field that is sourced from one approved system of record and reconciled against CMDB, identity provider, and log evidence.
  • Require attestation before ownership changes are accepted. Use a review workflow that forces business validation of AI-generated ownership recommendations before they update the authoritative record, especially for inherited or legacy identities.
  • Link NHI ownership to joiner-mover-leaver events. Update owner assignments whenever the accountable human changes role, leaves a team, or transfers service responsibility, so the governance record does not outlive the operating model.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the Ownership Discovery Engine correlates IdPs, logs, CMDBs, and unstructured text fields to generate owner recommendations
  • Examples of automatic classification, free-text analysis, and similarity scoring used to enrich NHI records
  • How ownership attestation is meant to support certification campaigns and review workflows
  • The vendor's explanation of how ownership links to remediation and business continuity decisions

👉 Read Oasis Security's blog on solving NHI ownership assignment and attestation →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Ownership discovery is an accountability control, not a discovery feature. The article is really about whether an organisation can sustain a trusted owner for each non-human identity when data is scattered across operational systems. Without that accountable anchor, rotation, attestation, and revocation become coordination problems instead of governance actions. The practitioner takeaway is that ownership must be treated as a control object, not a label.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do ownership reviews fit into NHI lifecycle governance?

A: Ownership reviews should be part of the same lifecycle discipline used for joiner-mover-leaver processes, recertification, and offboarding. The owner of the NHI can change as the accountable human or team changes, so the governance record must be reviewed whenever organisational responsibility shifts, not only when the credential changes.

👉 Read our full editorial: NHI ownership discovery exposes the governance gap in identity
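Added example in Python, not code from Oasis Security or NHIMG, showing the flow both posts describe: correlating owner evidence from several sources yields only a recommendation, the governed owner field is written solely through attestation, and a joiner-mover-leaver event flags the record for review. The record layout, e-mail addresses, source names and the "two sources must agree" threshold are constructed assumptions, not anything the vendor specifies.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Constructed model: one ownership record per NHI. The governed `owner` field is
# written only by attest(), never directly by correlation output.
@dataclass
class OwnershipRecord:
    nhi_id: str
    owner: str | None = None            # governed owner (system-of-record field)
    status: str = "unowned"             # unowned | recommended | attested | review_required
    recommendation: str | None = None   # correlation/AI suggestion awaiting review
    evidence: dict = field(default_factory=dict)
    attested_by: str | None = None

def recommend_owner(rec: OwnershipRecord, sources: dict[str, str | None]) -> OwnershipRecord:
    """Correlate owner candidates from independent sources (CMDB, IdP, logs, tags).
    Assumed rule: a candidate is recommended only if at least two sources agree;
    a single hit is kept as evidence but is not enough to recommend."""
    rec.evidence = {src: who for src, who in sources.items() if who}
    votes = Counter(rec.evidence.values())
    if votes:
        candidate, hits = votes.most_common(1)[0]
        if hits >= 2 and rec.status != "attested":
            rec.recommendation, rec.status = candidate, "recommended"
    return rec

def attest(rec: OwnershipRecord, reviewer: str, approved_owner: str) -> OwnershipRecord:
    """Only a reviewer's attestation updates the governed owner field."""
    if rec.status not in ("recommended", "review_required"):
        raise ValueError(f"{rec.nhi_id}: nothing to attest in status {rec.status}")
    rec.owner, rec.attested_by = approved_owner, reviewer
    rec.status, rec.recommendation = "attested", None
    return rec

def apply_jml_event(rec: OwnershipRecord, person: str) -> OwnershipRecord:
    """Joiner-mover-leaver hook: when the accountable human moves or leaves,
    the record is flagged for review; the stale owner stays for traceability."""
    if rec.owner == person:
        rec.status = "review_required"
    return rec

def demo() -> OwnershipRecord:
    rec = OwnershipRecord("svc-payments-api-key")        # constructed identifier
    evidence = {"cmdb": "alice@example.com", "idp_creator": "alice@example.com",
                "log_last_rotated_by": "bob@example.com", "tag_owner": None}
    recommend_owner(rec, evidence)                       # two sources agree on alice
    assert rec.owner is None                             # governed field still untouched
    attest(rec, reviewer="iam-review@example.com", approved_owner="alice@example.com")
    return apply_jml_event(rec, "alice@example.com")     # alice leaves: review required
```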
