TL;DR: A private credit firm secured its Azure AD non-human identities by combining auto-discovery, risk posture analysis, stale account disablement, and credential rotation, according to Oasis Security. The lesson is that NHI governance fails when inventory, entitlement review, and rotation are treated as separate projects instead of one control loop.
NHIMG editorial — based on content published by Oasis Security: How a Financial Service Institution Secures Azure NHIs with Oasis Security
Questions worth separating out
Q: How should security teams govern Azure non-human identities at scale?
A: Start with discovery, then add ownership, privilege review, and lifecycle state.
Q: Why do stale service identities increase risk in cloud environments?
A: Stale identities extend the life of access beyond the business purpose that created it.
Q: What breaks when NHI rotation is not tied to usage evidence?
A: Rotation without usage evidence can either miss risky identities or break legitimate integrations.
Practitioner guidance
- Inventory Azure NHIs before enforcing policy: map service principals, application registrations, tokens, and other non-human identities to a current owner and usage state.
- Prioritise stale account removal by operational dependency: disable inactive identities only after confirming whether they still support scheduled jobs, integrations, or exception-driven workflows.
- Tie credential rotation to lifecycle state: rotate credentials only when the identity is tracked, owned, and still required.
What's in the full article
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A four-stage implementation sequence from deployment to ongoing management for Azure AD NHIs
- The specific discovery outputs used to map identity volume, usage patterns, access points, and associated risks
- Examples of the stale account cleanup and rotation changes applied during remediation
- How the firm aligned its NHI controls with operational and regulatory requirements
Read Oasis Security's case study on securing Azure NHIs in financial services.
Azure NHIs in financial services: what visibility and rotation change?
Explore further
Azure NHI governance fails first as a visibility problem, not a rotation problem. The private credit firm did not start with a broken control so much as with an incomplete picture of what existed in Azure AD. That matters because lifecycle controls cannot be applied to identities that are not discovered. In NHI terms, inventory precedes entitlement hygiene, and entitlement hygiene precedes safe automation. Practitioners should treat undiscovered NHIs as ungoverned by definition.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: What should compliance teams ask about Azure NHI governance during review?
A: They should ask who owns each identity, how stale accounts are detected, how rotation is triggered, and what evidence proves the lifecycle is controlled. For financial services, the key question is whether the organisation can explain identity state clearly enough to support audit, incident response, and change control.
Read our full editorial: Azure NHI governance in financial services: visibility, rotation, control.