Organisations should separate directory convenience from governance control. Use the directory for authentication or identity lookup where appropriate, but keep lifecycle review, privileged access oversight, and offboarding processes explicit. The goal is to avoid treating a directory as a complete access governance system when it is only one part of the identity stack.
Why This Matters for Security Teams
Directory-based access is convenient, but convenience is not governance. When teams let the directory become the source of truth for every access decision, they often miss the separate controls needed for privileged access, lifecycle review, and revocation. That gap is especially dangerous for service accounts, API keys, and other NHI assets that do not follow human joiner-mover-leaver patterns. The OWASP Non-Human Identity Top 10 treats these failures as a recurring security issue, not an edge case.
NHI Management Group research shows the scale of the problem: NHIs outnumber human identities by 25x to 50x in modern enterprises, while only 20% have formal processes for offboarding and revoking API keys. That is why directory-only thinking breaks down so quickly. The directory may authenticate a principal, but it does not automatically prove that the principal still needs access, that the privilege is appropriate, or that the credential will be removed on time. In practice, many security teams discover this only after a stale account, leaked token, or over-permissioned service has already been used in an incident.
How It Works in Practice
Keeping directory-based access under control means separating identity lookup from access governance. The directory can remain the system of record for attributes such as group membership, application binding, or account status, but the control plane for access should include explicit review, approval, and revocation workflows. Current guidance from the NIST Cybersecurity Framework and Zero Trust thinking is that access should be continuously validated, not assumed because an identity exists in a directory.
In operational terms, teams usually need four layers:
- Authentication: verify the user, workload, or service account.
- Authorisation: decide what that identity can do at the moment of request.
- Lifecycle control: review, approve, or remove access on a defined schedule.
- Privileged oversight: monitor elevated access separately from routine directory membership.
For NHIs, the directory should not be the place where long-lived secrets quietly accumulate. Better practice is to pair directory records with short-lived credentials, explicit ownership, and automated offboarding. NHI Management Group’s Ultimate Guide to NHIs highlights why this matters: 79% of organisations have experienced secrets leaks, and 91.6% of secrets remain valid five days after notification. That means identity hygiene and revocation speed matter as much as initial provisioning.
Teams should also treat privileged directory groups as control points, not as proof of need. If a group grants broad application or infrastructure access, it needs separate recertification and logging, ideally aligned with policy-as-code and strong offboarding rules. These controls tend to break down in hybrid environments where the directory is shared across SaaS, on-premises systems, and CI/CD pipelines because ownership and revocation paths become inconsistent.
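The four layers above, and the point that a privileged group is a control point rather than proof of need, can be made concrete as an access decision that consults the directory for status and membership but refuses to return "allow" until ownership, expiry, recertification age, credential TTL and a separate time-bound privileged approval have each been checked. The following Python is an added illustration written for this article, not code from NHI Mgmt Group or any product; the group names, record fields, 90-day recertification window and sample principals are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference time; all records below are made up for the example.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)

# Groups that confer broad access and therefore need a separate, time-bound
# approval rather than plain membership (assumed names).
PRIVILEGED_GROUPS = {"prod-db-admins", "k8s-cluster-admin"}


@dataclass
class DirectoryEntry:
    """What the directory can answer: does the principal exist, is it enabled, which groups."""
    name: str
    enabled: bool
    groups: Set[str]


@dataclass
class GovernanceRecord:
    """What the directory cannot answer: owner, expiry, last review, credential age,
    and whether elevated use was separately approved."""
    owner: Optional[str]
    expires_at: Optional[datetime]
    last_recertified: Optional[datetime]
    credential_issued: datetime
    credential_ttl: timedelta
    privileged_approval_until: Optional[datetime] = None


def decide(entry: DirectoryEntry, gov: GovernanceRecord, requested_group: str,
           now: datetime = NOW,
           recert_window: timedelta = timedelta(days=90)) -> Tuple[bool, List[str]]:
    """Evaluate the four layers explicitly. Directory membership alone never yields 'allow'."""
    reasons: List[str] = []

    # Layer 1: authentication / directory status
    if not entry.enabled:
        reasons.append("directory: account disabled")

    # Layer 2: authorisation at the moment of request
    if requested_group not in entry.groups:
        reasons.append(f"authz: not a member of {requested_group}")

    # Layer 3: lifecycle control
    if gov.owner is None:
        reasons.append("lifecycle: no accountable owner")
    if gov.expires_at is not None and gov.expires_at <= now:
        reasons.append("lifecycle: access expired")
    if gov.last_recertified is None or now - gov.last_recertified > recert_window:
        reasons.append("lifecycle: recertification overdue")
    if now - gov.credential_issued > gov.credential_ttl:
        reasons.append("lifecycle: credential past its TTL")

    # Layer 4: privileged oversight, separate from routine membership
    if requested_group in PRIVILEGED_GROUPS and (
            gov.privileged_approval_until is None or gov.privileged_approval_until <= now):
        reasons.append("privileged: no current approval for elevated access")

    return (not reasons, reasons)


def sample_decisions(now: datetime = NOW) -> Dict[str, Tuple[bool, List[str]]]:
    """Three constructed cases that share one directory record that 'looks fine'."""
    entry = DirectoryEntry("svc-billing", enabled=True,
                           groups={"prod-db-admins", "report-readers"})

    healthy = GovernanceRecord(owner="billing-team", expires_at=now + timedelta(days=180),
                               last_recertified=now - timedelta(days=10),
                               credential_issued=now - timedelta(hours=2),
                               credential_ttl=timedelta(hours=8),
                               privileged_approval_until=now + timedelta(hours=4))
    # Same directory record, but the privileged approval has lapsed,
    # the review is overdue and the credential is long-lived and stale.
    stale = GovernanceRecord(owner="billing-team", expires_at=now + timedelta(days=180),
                             last_recertified=now - timedelta(days=120),
                             credential_issued=now - timedelta(days=400),
                             credential_ttl=timedelta(days=30),
                             privileged_approval_until=now - timedelta(days=1))
    # Same record again, but nobody owns it and the entitlement itself has expired.
    orphaned = GovernanceRecord(owner=None, expires_at=now - timedelta(days=5),
                                last_recertified=now - timedelta(days=10),
                                credential_issued=now - timedelta(hours=1),
                                credential_ttl=timedelta(hours=8),
                                privileged_approval_until=now + timedelta(hours=1))

    return {
        "healthy-privileged": decide(entry, healthy, "prod-db-admins", now),
        "stale-privileged": decide(entry, stale, "prod-db-admins", now),
        "orphaned-routine": decide(entry, orphaned, "report-readers", now),
    }


if __name__ == "__main__":
    for label, (allowed, reasons) in sample_decisions().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The directory record is identical in all three cases; only the governance metadata differs, which is exactly the information a directory-only decision would never see. Returning every failing reason rather than the first one is deliberate: the list is what a recertification report or a denial log needs.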
Common Variations and Edge Cases
Tighter directory control often increases operational overhead, requiring organisations to balance speed of provisioning against auditability and revocation certainty. That tradeoff becomes obvious when a directory supports both humans and NHIs, or when the same group membership is used for authentication, privilege elevation, and application routing. Best practice is evolving, but current guidance suggests avoiding a single directory group as the sole access decision for anything sensitive.
One common edge case is service accounts that need stable names but should not have stable credentials. Another is delegated administration, where a local team can create directory entries but cannot approve privileged use. A third is third-party access, where the directory may show the account as active even after the vendor relationship has ended. NHIMG research shows 92% of organisations expose NHIs to third parties, which makes directory drift a supply chain issue as well as an internal control issue. For that reason, organisations should pair directory records with explicit ownership, expiry dates, and review triggers, then verify that offboarding actually removes access rather than just disabling a visible account. The Key Challenges and Risks section in the Ultimate Guide to NHIs is a useful reference point for those failure modes. Where the directory is also the synchronisation source for downstream systems, revocation delays can persist long after the local change is made, so control design must include propagation checks, not just directory updates.
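The edge cases above (third-party accounts that stay active after the relationship ends, offboarding that disables a visible account without removing downstream access or killing credentials, and revocation that has not propagated) are best caught by a periodic reconciliation that compares the directory with ownership metadata, each downstream system's own entitlement state, and the secrets service. The following Python is an added example written for this article, not code from NHI Mgmt Group; the systems, principals, dates and record shapes are constructed stand-ins for whatever inventories an organisation actually exports.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference time; every record below is made up for the example.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


@dataclass
class DirectoryRecord:
    enabled: bool
    groups: Set[str]


@dataclass
class OwnerRecord:
    owner: Optional[str]
    third_party: bool = False
    relationship_ends: Optional[datetime] = None


@dataclass
class Credential:
    credential_id: str
    valid_until: datetime


# The directory's view after an offboarding run (constructed).
DIRECTORY: Dict[str, DirectoryRecord] = {
    "svc-billing": DirectoryRecord(enabled=False, groups=set()),
    "ci-deployer": DirectoryRecord(enabled=False, groups=set()),
    "vendor-acme-sync": DirectoryRecord(enabled=True, groups={"sftp-partners"}),
    "svc-reporting": DirectoryRecord(enabled=True, groups={"report-readers"}),
}

# Ownership and third-party metadata the directory itself does not hold (constructed).
OWNERSHIP: Dict[str, OwnerRecord] = {
    "svc-billing": OwnerRecord(owner="billing-team"),
    "ci-deployer": OwnerRecord(owner="platform-team"),
    "vendor-acme-sync": OwnerRecord(owner="ops-team", third_party=True,
                                    relationship_ends=datetime(2026, 5, 1, tzinfo=timezone.utc)),
    "svc-reporting": OwnerRecord(owner=None),
}

# Entitlements as each downstream system actually holds them (constructed).
DOWNSTREAM: Dict[str, Dict[str, Set[str]]] = {
    "k8s-rbac": {"ci-deployer": {"cluster-admin"}, "svc-reporting": {"view"},
                 "old-batch-runner": {"edit"}},
    "sftp-gateway": {"vendor-acme-sync": {"partner-upload"}},
}

# Tokens the secrets service still honours (constructed).
CREDENTIALS: Dict[str, List[Credential]] = {
    "svc-billing": [Credential("tok-0001", datetime(2026, 7, 1, tzinfo=timezone.utc))],
    "svc-reporting": [Credential("tok-0002", datetime(2026, 6, 30, tzinfo=timezone.utc))],
}


def find_drift(directory=DIRECTORY, ownership=OWNERSHIP, downstream=DOWNSTREAM,
               credentials=CREDENTIALS, now=NOW) -> List[Tuple[str, str]]:
    """Compare the directory against governance metadata and downstream state.
    Returns (principal, finding) pairs, sorted for stable output."""
    findings: List[Tuple[str, str]] = []

    for principal, rec in directory.items():
        own = ownership.get(principal)
        if own is None or own.owner is None:
            findings.append((principal, "no accountable owner recorded"))
        if (own is not None and own.third_party and own.relationship_ends is not None
                and own.relationship_ends <= now and rec.enabled):
            findings.append((principal, "third-party relationship ended but account still active"))
        if not rec.enabled:
            # Disabling the visible account is not the same as removing access:
            # check that revocation propagated and that credentials died with it.
            for system, grants in downstream.items():
                if grants.get(principal):
                    findings.append((principal,
                                     f"disabled in directory but still holds "
                                     f"{sorted(grants[principal])} in {system}"))
            for cred in credentials.get(principal, []):
                if cred.valid_until > now:
                    findings.append((principal,
                                     f"disabled in directory but credential {cred.credential_id} "
                                     f"valid until {cred.valid_until.date()}"))

    # Entitlements with no directory record at all: drift the directory cannot see.
    for system, grants in downstream.items():
        for principal in grants:
            if principal not in directory:
                findings.append((principal,
                                 f"entitlement in {system} for principal absent from directory"))

    return sorted(findings)


if __name__ == "__main__":
    for principal, finding in find_drift():
        print(f"{principal}: {finding}")
```

On the constructed data this reports five conditions: a disabled deployer account that still holds cluster-admin in the Kubernetes RBAC export, a disabled billing account whose token is still valid, an enabled reporting account with no owner, a vendor account active a month after the relationship ended, and an entitlement for a principal the directory no longer knows at all. Each is a propagation or ownership failure that a directory-only view would report as "clean".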
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directory control fails when NHI credentials are not rotated or revoked. |
| NIST CSF 2.0 | PR.AC-4 | Access control needs continuous review beyond directory membership alone. |
| NIST AI RMF | GOVERN | Governance is needed so identity records do not substitute for access accountability. |
Use PR.AC-4 to separate authentication from access approval and recertify entitlements regularly.
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org