NHI posture trap: what is blocking fixes in identity programs?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2250
Topic starter  

TL;DR: Identity teams can inventory non-human identities and AI agents, yet still stall on remediation because posture tools rarely supply the operational evidence needed to act safely, according to Oasis Security. The real blocker is not discovery but confidence: without dependency, ownership, and blast-radius context, findings do not become enforceable decisions.

NHIMG editorial — based on content published by Oasis Security: The Posture Trap: Why Identity Findings Don't Turn Into Fixes

Questions worth separating out

Q: How should security teams decide whether an NHI is safe to remediate?

A: Security teams should require evidence, not intuition.

Q: Why do identity posture findings so often fail to become fixes?

A: They fail because a posture finding usually says what exists, not what will break if it changes.

Q: What is the difference between identity discovery and lifecycle management?

A: Discovery tells you which identities and permissions exist.

Practitioner guidance

  • Build a policy-to-behaviour baseline: select a small set of production policies such as ownership, rotation, least privilege, and vendor access boundaries, then compare them against observed identity behaviour.
  • Map dependencies before remediation: require workload mapping, ownership evidence, and blast-radius assessment before rotating, revoking, or decommissioning any non-human identity.
  • Start with one lifecycle action: choose decommissioning as the first repeatable enforcement workflow because it exposes missing context quickly and reduces attack surface when done well.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of policy intelligence workflows for moving from detection to enforcement.
  • Examples of how blast-radius context changes whether an NHI should be rotated, right-sized, or decommissioned.
  • The article's own distinctions between stale, orphaned, and business-critical identities in production environments.
  • The specific confidence-threshold approach the vendor uses when deciding whether to enforce lifecycle actions.

👉 Read Oasis Security's analysis of the posture trap in NHI governance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 742
 

Policy intelligence is the missing layer between discovery and enforcement. Posture can identify identities, permissions, and apparent risk, but it cannot by itself answer whether a change is safe. That is why identity findings often stall at review rather than becoming action. Policy intelligence closes that gap by combining stated policy, observed behaviour, ownership, and dependency signals. Practitioners should treat that layer as operational evidence, not reporting.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why enforcement decisions so often lack reliable operational context.

A question worth separating out:

Q: How can organisations reduce NHI risk without breaking production?

A: Start by enforcing one well-defined lifecycle action against a narrow set of identities, then expand only when the evidence is strong. Decommissioning is a useful starting point because it forces teams to prove ownership, usage, and dependency before removal. The objective is not speed. It is repeatable, defensible change.

👉 Read our full editorial: The posture trap in NHI governance: why findings do not fix risk



   
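Worked example, added by the editor and not code from Oasis Security, NHIMG or either poster: the script below implements the evidence gate that the topic starter's practitioner guidance describes (a policy-to-behaviour baseline, dependency mapping before remediation, decommissioning as the first lifecycle action) and that @mr-nhi's reply restates (prove ownership, usage and dependency before removal). The policy thresholds, the identity inventory, the audit-log lines and the action names are all constructed for illustration and are not any tool's real schema. The point is the shape of the decision: a posture finding such as "stale" or "credential over age" becomes an enforceable action (decommission, rotate, right-size) only when owner, dependents and observed use are known; otherwise it is routed to review with the missing evidence named.

```python
"""Added example (not from Oasis Security or NHIMG): a minimal policy-intelligence
gate that turns NHI posture findings into lifecycle actions only when the evidence
needed to act safely is present. Identities, log lines, thresholds and action
names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2025, 6, 1)  # fixed clock so the constructed data is deterministic


@dataclass(frozen=True)
class Policy:
    """Stated policy: the 'what should be true' side of the baseline."""
    owner_required: bool = True
    max_credential_age_days: int = 90   # rotate beyond this
    stale_after_days: int = 60          # no observed use beyond this => stale
    observation_window_days: int = 180  # how far back usage evidence counts


@dataclass(frozen=True)
class NHI:
    """One non-human identity as reported by posture discovery."""
    name: str
    owner: Optional[str]
    credential_issued: datetime
    granted_actions: frozenset


# Constructed audit log: timestamp, identity, calling workload, action performed.
AUDIT_LOG = """
2025-05-30T08:00:00 svc-billing-api workload=billing-worker action=db:read
2025-05-30T08:05:00 svc-billing-api workload=billing-worker action=db:write
2025-05-30T09:00:00 svc-billing-api workload=invoice-cron action=db:read
2025-05-28T10:00:00 svc-ci-deploy workload=ci-runner action=s3:put
2025-02-01T10:00:00 svc-legacy-report workload=report-job action=db:read
""".strip().splitlines()

# Constructed inventory: what discovery says exists (no behaviour, no dependencies).
INVENTORY = [
    NHI("svc-billing-api", "payments-team", NOW - timedelta(days=120),
        frozenset({"db:read", "db:write", "iam:admin"})),
    NHI("svc-ci-deploy", None, NOW - timedelta(days=30), frozenset({"s3:put"})),
    NHI("svc-legacy-report", "data-team", NOW - timedelta(days=200), frozenset({"db:read"})),
    NHI("svc-retired-batch", "platform-team", NOW - timedelta(days=400), frozenset({"db:read"})),
    NHI("svc-orphan-test", None, NOW - timedelta(days=400), frozenset({"db:read"})),
]


def parse_log(lines, now=NOW, window_days=Policy().observation_window_days):
    """Observed behaviour per identity: last use, dependent workloads, actions used."""
    observed = {}
    cutoff = now - timedelta(days=window_days)
    for line in lines:
        ts, ident, workload, action = line.split()
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            continue  # older than the window: not admissible evidence
        rec = observed.setdefault(ident, {"last_used": when, "dependents": set(), "actions": set()})
        rec["last_used"] = max(rec["last_used"], when)
        rec["dependents"].add(workload.removeprefix("workload="))
        rec["actions"].add(action.removeprefix("action="))
    return observed


def decide(nhi, observed, policy=Policy(), now=NOW):
    """Compare stated policy with observed behaviour; gate the action on evidence."""
    rec = observed.get(nhi.name, {"last_used": None, "dependents": set(), "actions": set()})
    findings, blockers = [], []
    if policy.owner_required and nhi.owner is None:
        findings.append("no_owner")
        blockers.append("no_owner")  # nobody can confirm the change is safe
    if (now - nhi.credential_issued).days > policy.max_credential_age_days:
        findings.append("credential_over_age")
    stale = rec["last_used"] is None or (now - rec["last_used"]).days > policy.stale_after_days
    if stale:
        findings.append("stale")
        if rec["dependents"]:
            blockers.append("dependents_in_window")  # a workload used it: confirm before removal
    unused = sorted(nhi.granted_actions - rec["actions"])
    if unused and not stale:
        findings.append("excess_privilege")

    if blockers:
        actions = ["review"]        # finding exists but the evidence to act is incomplete
    elif stale:
        actions = ["decommission"]  # unused, owned, no dependents in the window
    else:
        actions = []
        if "excess_privilege" in findings:
            actions.append("right_size")  # drop granted-but-never-used actions
        if "credential_over_age" in findings:
            actions.append("rotate")      # in use, so rotate rather than remove
        actions = actions or ["none"]
    return {"identity": nhi.name, "findings": findings, "blockers": blockers,
            "blast_radius": sorted(rec["dependents"]), "unused_actions": unused,
            "actions": actions}


def run(inventory=INVENTORY, log=AUDIT_LOG, policy=Policy()):
    """Evaluate every inventoried identity; returns {name: decision}."""
    observed = parse_log(log, window_days=policy.observation_window_days)
    return {nhi.name: decide(nhi, observed, policy) for nhi in inventory}


if __name__ == "__main__":
    for name, d in run().items():
        print(f"{name:20} {d['findings']} blockers={d['blockers']} -> {d['actions']}")
```

On the constructed data, svc-legacy-report is stale by threshold yet a workload called it inside the window, so it goes to review rather than being decommissioned; svc-ci-deploy has no policy violation other than a missing owner, which is still a blocker because nobody can vouch for the change; only svc-retired-batch, owned and with no observed consumers, clears the gate for decommissioning. Real deployments would replace the constructed log and inventory with cloud audit logs and an actual inventory, and would tune the thresholds to their own policy.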