They should govern them as a shared lifecycle problem, not just an authentication choice. That means defining who issues the credential, who can recover it, who can revoke it, and which organisation owns the audit trail. In multi-party environments, the trust boundary must be explicit before access is granted, especially when smart cards, PKI, and FIDO2 keys are administered across organisations.
Why This Matters for Security Teams
Phishing-resistant credentials only reduce one attack path. They do not solve the governance problem that appears when multiple organisations issue, store, recover, and revoke the same access factor. In defence environments, a smart card, PKI certificate, or FIDO2 key can cross sovereign, contractor, and coalition boundaries, so the real risk is ambiguity about ownership rather than weak authentication alone. The OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 both reinforce that identity controls only work when lifecycle responsibilities are explicit and auditable.
That matters because shared credentials can become shared failure domains. If one supplier can recover a lost device, another can revoke it, and a third owns logging, no single party can prove who changed access and when. NHIMG research on the Guide to the Secret Sprawl Challenge shows that fragmented control often creates operational blind spots long before an incident is visible. In practice, many defence teams discover this only after a contractor departure, compromised token, or coalition exercise has already exposed the governance gap.
How It Works in Practice
Defence teams should treat phishing-resistant credentials as a joint lifecycle service with named owners, not as a one-time enrollment event. That starts with a written trust boundary that defines who issues the credential, which organisation approves enrollment, who can recover a lost factor, and who can revoke it immediately if the user, device, or mission context changes. The NIST SP 800-63 Digital Identity Guidelines provide useful identity assurance principles, while NIST SP 800-53 Rev 5 Security and Privacy Controls helps map those responsibilities to access control, audit, and incident response.
A practical operating model usually includes:
- Single source of truth for identity proofing and issuance, even if the credential is used across partners.
- Separate recovery authority from issuance authority so one supplier cannot silently reset another supplier’s access.
- Immediate revocation workflow that reaches all relying parties, not just the home organisation.
- Shared audit requirements that preserve who approved, who used, and who revoked the credential.
- Minimum necessary cross-domain trust, with periodic recertification instead of indefinite federation.
Where coalitions rely on PKI, certificate policy and revocation propagation become operational controls, not just cryptographic details. Where FIDO2 is used, the key still needs lifecycle governance across devices, accounts, and relying parties. NHIMG’s Top 10 NHI Issues is a useful reminder that weak ownership, not weak cryptography, is often the root cause. These controls tend to break down when allied organisations use different identity proofing standards and no common revocation process exists because access changes cannot propagate fast enough.
Common Variations and Edge Cases
Tighter credential governance often increases onboarding friction, so defence organisations have to balance assurance against mission speed. That tradeoff becomes sharper in exercises, surge operations, and rotating contractor support, where a fully centralised approval model can delay access while a fully local model can fragment accountability.
Current guidance suggests three common exceptions need special handling. First, coalition operations may require temporary cross-domain trust with short-lived access rather than permanent federation. Second, break-glass access should be reserved for emergencies and fully logged, because emergency convenience can become standing privilege if not reviewed. Third, device-bound phishing-resistant factors are still vulnerable to administrative bypass if recovery desks, help desks, or identity proofing teams have overly broad authority.
There is no universal standard for this yet, especially across defence alliances with different sovereign policies. Best practice is evolving toward explicit federation agreements, strong audit sharing, and routine lifecycle reviews that test issuance, recovery, and revocation together. NHIMG’s Ultimate Guide to NHIs is helpful on the broader static versus dynamic access model, but the key lesson here is governance: if no party owns the entire credential journey, phishing resistance can still fail operationally.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared credential lifecycle and ownership are core NHI governance concerns. |
| NIST CSF 2.0 | PR.AC-1 | Federated access needs explicit identity and access governance across organisations. |
| NIST SP 800-63 | IAL2 | Credential issuance depends on identity proofing strength and assurance alignment. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires explicit authorization decisions at each access boundary. |
| CSA MAESTRO | IAM-4 | Agentic and federated identity lifecycles need clear ownership and policy enforcement. |
Assign one accountable owner for issuance, recovery, revocation, and audit across all relying parties.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org