Assign ownership for discovery, entitlement review, and offboarding across sanctioned and unsanctioned applications, then measure coverage continuously. The goal is to manage the full identity footprint, including shadow SaaS, shadow AI, and orphaned access, rather than treating each discovery as an isolated cleanup exercise.
Why This Matters for Security Teams
identity attack surface becomes a programme issue when the organisation recognises that access sprawl is not limited to user accounts. Shadow SaaS, unmanaged service accounts, API keys, and AI agent identities all expand the blast radius unless they are discovered, reviewed, and retired continuously. NIST Cybersecurity Framework 2.0 frames this as an ongoing governance problem, not a one-time cleanup, and the same logic applies to non-human identity inventory management.
NHI programmes fail when discovery is treated as a project with a finish line. The more useful pattern is to tie ownership to lifecycle controls, evidence, and accountability across business units, because orphaned access often reappears after the initial remediation wave. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here, as is the NIST Cybersecurity Framework 2.0 for building repeatable governance rather than ad hoc cleanup.
In practice, many security teams encounter the real failure mode only after an audit, a breach review, or an access dispute has already exposed how much of the identity footprint was never under continuous control.
How It Works in Practice
Governance at programme scale starts with a single operating model for identity discovery, entitlement review, and offboarding across both sanctioned and unsanctioned applications. That means defining who owns inventory quality, who approves exceptions, who validates business justification, and who closes the loop when access is no longer needed. For non-human identity and AI agent coverage, the scope should include secrets, service principals, workload identities, API tokens, and delegated access paths that do not appear in ordinary employee IAM reports.
The practical mechanism is continuous measurement. Security teams should track coverage across three dimensions: what identities exist, what they can access, and whether they are still needed. That is where programme discipline matters more than tooling alone. NHIMG’s 52 NHI Breaches Analysis shows how identity gaps recur across environments, while the Top 10 NHI Issues highlights common lifecycle failures that keep resurfacing.
A mature programme usually includes:
- Authoritative inventory sources for SaaS, cloud, code, and AI platforms
- Risk-tiered entitlement reviews based on privilege and business criticality
- Automated offboarding triggers tied to app ownership and lifecycle events
- Exception management with expiry dates and documented risk acceptance
- Metrics for coverage, stale access, orphaned identities, and review completion
For agents and other autonomous workloads, the control objective is broader than access review. Their identity must be traceable to a workload, a purpose, and a bounded runtime posture, especially when those agents can chain tools or act outside a human approval loop. Current guidance suggests pairing identity inventory with runtime policy checks and secret hygiene, because static access lists alone do not capture agent behaviour. These controls tend to break down when application ownership is unclear across merged business units because no one can reliably prove which identities should still exist.
Common Variations and Edge Cases
Tighter identity governance often increases operational overhead, requiring organisations to balance better visibility against review fatigue and business disruption. That tradeoff is why best practice is evolving toward risk-based segmentation rather than treating every identity the same.
One common edge case is shadow AI and temporary project tooling. These environments generate identities faster than standard joiner-mover-leaver workflows can absorb, so programme leaders need shorter review cycles and explicit expiry controls. Another is inherited access after mergers or platform migrations, where ownership is fragmented and cleanup can stall indefinitely. In those cases, the question is not whether a user or workload has access, but who can attest to its legitimacy today.
NHIMG’s Ultimate Guide to NHIs — What are Non-Human Identities helps distinguish workload identities from human accounts, and the Anthropic report on the first AI-orchestrated cyber espionage campaign shows why autonomous systems cannot be governed as if their access patterns were static. There is no universal standard for this yet, so mature organisations treat continuous identity coverage as an operating discipline, not a periodic project deliverable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Ongoing oversight is the core requirement for identity surface governance. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery and lifecycle control are central NHI attack-surface issues. |
| NIST AI RMF | AI RMF addresses governance for autonomous systems that expand identity risk. |
Put accountability, monitoring, and lifecycle controls around AI identities and agent access.
Related resources from NHI Mgmt Group
- What is the difference between attack surface management and NHI governance?
- How should organisations govern SaaS renewals in a mature identity programme?
- How should organisations govern human, NHI, and AI agent access in one programme?
- Why do organisations struggle when CIAM is treated as a one-off project?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org