Corporate IT machine identities: what mature IAM still misses


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Corporate IT has the strongest security foundation in the enterprise, but service accounts, SSH keys, legacy application credentials, and certificates still accumulate risk through reuse, hardcoding, and weak lifecycle control, according to Clutch Security. The operating model is mature, but the NHI governance gap remains in the places where old infrastructure meets modern identity expectations.

NHIMG editorial — based on content published by Clutch Security: The Corporate IT Domain, Its Mature Security Foundation and Hidden Risks

Questions worth separating out

Q: What breaks when corporate IT machine identities are not lifecycle-managed?

A: What breaks is the assumption that mature infrastructure controls automatically govern non-human access.

Q: Why do service accounts in corporate IT still create lateral movement risk?

A: Service accounts create lateral movement risk when one credential is reused across systems, retains stale permissions, or remains embedded in legacy tooling.

Q: How do security teams know whether machine identity governance is working?

A: They know it is working when every non-human credential has a named owner, a visible system scope, and a documented retirement path.

Practitioner guidance

  • Inventory machine identities across corporate IT: Build a register of service accounts, SSH keys, certificates, and device credentials with owners, system scope, and business justification.
  • Link lifecycle events to credential cleanup: Connect application decommissioning, ownership change, and migration workflows to secret rotation and account retirement.
  • Extend access reviews to machine accounts: Add service accounts and infrastructure credentials to periodic certification, with reviewers checking actual system use, privilege scope, and last activity rather than only formal ownership.

What's in the full article

Clutch Security's full paper covers the operational detail this post intentionally leaves for the source:

  • The domain-by-domain framework for extending existing PAM, IAM, and SIEM tooling into machine identity coverage.
  • The strategic recommendations for lifecycle management across service accounts, certificates, and legacy application identities.
  • The business impact discussion on reduced manual access work, improved compliance posture, and incident-response visibility.
  • The next part of the eight-part series and how corporate IT fits into the wider enterprise NHI attack surface.

👉 Read Clutch Security's analysis of corporate IT machine identity risk →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Corporate IT maturity is not the same as machine identity maturity. Decades of investment in AD, PAM, logging, and RBAC give corporate IT a stronger baseline than most domains, but those controls were built first for human access and later adapted to machine identities. The result is a domain that looks governed while still allowing service accounts, device credentials, and embedded secrets to drift outside formal oversight. Practitioners should read maturity as a starting point, not a finished state.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which shows that confidence and control maturity are still far apart.

A question worth separating out:

Q: Should organisations treat legacy systems differently from modern workloads?

A: Yes. Legacy systems often cannot enforce the same lifecycle, logging, and revocation workflows as modern workloads, so they need separate attention and tighter compensating controls. If they are left inside the general IAM process without adjustment, they become a shadow zone where credentials persist long after their business purpose has changed.

👉 Read our full editorial: Corporate IT NHI governance: mature controls with hidden identity risk
