TL;DR: Evidence-based assurance depends on repeatable control performance over time, as PassBolt completed a SOC 2 Type II audit after about 120 tests across policies, infrastructure, logical access, backup, disaster recovery, and incident response controls. Annual attestation is only meaningful when identity, access, and operational controls are consistently governed, not just documented.
NHIMG editorial — based on content published by Passbolt: Security and compliance roundup
Questions worth separating out
Q: How should security teams prepare for SOC 2 Type II when NHI controls are in scope?
A: They should treat non-human identities as part of the same control environment as human access, not as a separate exception bucket.
Q: Why do service accounts and tokens create audit risk in compliance programmes?
A: Because they often outlive the business justification that created them.
Q: What do security teams get wrong about annual audits and identity governance?
A: They assume a successful annual review proves the programme is healthy.
Practitioner guidance
- Map audit evidence to identity control owners Link each logical access, change management, and incident response control to a named owner and a reusable evidence source so auditors can trace it without manual reconstruction.
- Track non-human identities in the same evidence model Include service accounts, API keys, tokens, and certificates in access reviews, approval logs, and change records so machine identities do not sit outside the audit trail.
- Test control consistency across the credential lifecycle Verify that provisioning, rotation, recertification, and offboarding all produce durable evidence in the systems of record rather than in ad hoc spreadsheets or email.
What's in the full article
Passbolt's full roundup covers the operational detail this post intentionally leaves for the source:
- The specific audit areas reviewed across policies, procedures, and infrastructure controls.
- The breakdown of six separate security audits and what each one covered in the passbolt ecosystem.
- The practical context behind the SOC 2 Type II report request process for customers.
- The additional certifications and labels Passbolt says it is pursuing next.
👉 Read Passbolt’s security and compliance roundup on SOC 2 Type II and audits →
SOC 2 Type II audits and NHI controls: what IAM teams should note?
Explore further
SOC 2 Type II is really a lifecycle test for identity control, not a paperwork exercise. The article shows that Passbolt is measuring repeatable performance across access, change, and recovery controls, which is exactly where identity programmes often drift from policy into exception handling. For IAM and NHI teams, the meaningful question is whether the same control can survive repeated testing over time. Practitioners should treat Type II as a discipline check on governance consistency.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a direct governance blind spot for delegated access.
A question worth separating out:
Q: Which frameworks help align identity controls with compliance evidence?
A: NIST Cybersecurity Framework 2.0 is a useful starting point because it links governance, protection, detection, response, and recovery into one operational model. For identity teams, the key is to map access control, logging, and recovery evidence to the same framework so audit preparation and security operations reinforce each other.
👉 Read our full editorial: Passbolt’s SOC 2 Type II audit shows why NHI controls matter