Subscribe to the Non-Human & AI Identity Journal
Home FAQ NHI Lifecycle Management How should organisations govern SIM and eSIM lifecycles…
NHI Lifecycle Management

How should organisations govern SIM and eSIM lifecycles in large IoT fleets?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 14, 2026 Domain: NHI Lifecycle Management

Organisations should treat SIM and eSIM handling as a lifecycle control problem, not just an inventory task. Define who approves issuance, who can modify profiles, how replacements are recorded, and when retired devices are fully revoked. Without that, device identity drift creates hidden access and support risk across the fleet.

Why This Matters for Security Teams

SIM and eSIM governance is an identity problem because the mobile subscription is what keeps a device reachable, trusted, and billable across its operational life. In large IoT fleets, the risk is not just lost hardware, but profile drift, duplicated activations, stale replacements, and retired devices that still retain network access. That makes SIM lifecycle control part of access management, not just asset tracking.

This is where teams often underestimate the blast radius. A device may be decommissioned locally while the subscription, profile, or carrier relationship remains active elsewhere. The result is silent residual access that can survive ownership changes and field replacements. NHI Management Group’s NHI Lifecycle Management Guide and Ultimate Guide to NHIs both reinforce that lifecycle state, not simply inventory presence, determines whether identity remains usable.

Current guidance suggests treating SIMs and eSIMs as governed credentials with approvals, change records, and retirement controls aligned to NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10. In practice, many security teams encounter abuse only after a field swap, carrier dispute, or device recall has already left an old profile active in production.

How It Works in Practice

Effective SIM and eSIM governance starts by separating three control points: issuance, modification, and revocation. Issuance should require a defined owner, asset binding, and an approval trail. Profile changes, especially for eSIM, should be restricted to a small set of operators and logged with the device ID, subscription ID, and reason for change. Revocation must occur when the device is retired, reassigned, or replaced, and it should be confirmed at the carrier or orchestration layer, not just in a spreadsheet.

For large fleets, the operational model usually needs a source of truth that links device identity to subscription identity and lifecycle state. That means the inventory record should show whether a SIM is active, suspended, transferred, or destroyed, and whether the device has been reimaged, redeployed, or scrapped. The most reliable programmes also use periodic reconciliation between the device management platform, carrier portal, and procurement records. NHI Mgmt Group’s Top 10 NHI Issues and Guide to the Secret Sprawl Challenge are useful references for understanding why unmanaged lifecycle state creates hidden access paths.

Operationally, teams should also define who can order spare SIMs, who can trigger eSIM re-provisioning, and how exceptions are handled when devices are offline. Short-lived, task-specific access is preferable to permanent admin rights, and change approvals should be tied to maintenance windows or incident response events. Where supported, policy checks at request time should block profile changes unless the device is in an approved state and the request matches a documented workflow. These controls tend to break down when fleets span multiple carriers and regional integrators because revocation and reassignment records become fragmented across systems.

Common Variations and Edge Cases

Tighter SIM and eSIM control often increases operational overhead, requiring organisations to balance speed of replacement against auditability and revocation certainty. That tradeoff is especially visible in high-uptime IoT environments, where devices cannot be taken offline for long and field technicians may need emergency swaps.

There is no universal standard for this yet, but current guidance suggests different handling for different fleet classes. Fixed industrial devices can usually tolerate stricter approval gates and slower reassignment, while mobile or consumer-facing devices may need automated profile issuance with compensating controls. eSIM adds flexibility, but it also raises the risk of remote abuse if profile lifecycle events are not tightly governed.

One common edge case is third-party managed fleet infrastructure. When a logistics provider, installer, or telecom partner performs provisioning, organisations still need ownership of the policy, the audit record, and the retirement workflow. Another is device resale or return processing, where subscriptions must be fully severed before the asset leaves control. For broader lifecycle and audit expectations, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is a practical baseline, alongside NIST SP 800-53 Rev 5 Security and Privacy Controls for formal control mapping.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03SIM lifecycle drift behaves like unmanaged NHI credential rotation and revocation gaps.
NIST CSF 2.0PR.AC-4Subscription access must be restricted and continuously reviewed like any other identity.
NIST AI RMFFleet automation and provisioning need governance, traceability, and accountability.
CSA MAESTROAC-1Agentic orchestration patterns map to controlled provisioning and revocation workflows.
NIST Zero Trust (SP 800-207)PL, PDP/PEPZero Trust requires runtime checks before devices or profiles retain network reachability.

Track SIM and eSIM issuance, rotation, and retirement as governed NHI lifecycle events.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org