
How should security teams build an authoritative inventory of non-human identities?

By NHI Mgmt Group Editorial Team. Updated June 24, 2026. Domain: Governance, Ownership & Risk.

Start by consolidating discovery across cloud platforms, SaaS, identity providers, CI/CD systems, and AI platforms into one record. Include ownership, permissions, last-use data, and environment context so the inventory can support access review, incident response, and lifecycle governance rather than serving as a static asset list.

Why This Matters for Security Teams

An authoritative NHI inventory is the difference between knowing an environment and merely cataloguing it. Security teams cannot govern what they cannot see, and NHIs often hide in cloud roles, SaaS integrations, CI/CD runners, secrets stores, and AI platforms with no single owner or lifecycle record. In the Ultimate Guide to NHIs, NHI Management Group found that only 5.7% of organisations have full visibility into service accounts, which makes inventory quality a direct security control rather than an administrative task.

The practical risk is that incomplete records delay access reviews, slow incident response, and leave orphaned credentials active long after a system changes hands. The issue is not just quantity but context: a token, key, or service account without ownership, last-use data, and environment attribution cannot be safely evaluated for privilege or exposure. That is why current guidance aligns with identity-focused inventory discipline in the NIST Cybersecurity Framework 2.0, even though NHI-specific implementation is still maturing. In practice, many security teams encounter exposed NHIs only after a secrets leak or access incident has already forced discovery.

How It Works in Practice

Build the inventory as an operational system of record, not a spreadsheet. Start by pulling identities from every place NHIs originate or gain authority: cloud IAM, SaaS app registries, identity providers, CI/CD platforms, workload schedulers, secrets managers, and AI or agent orchestration layers. Each record should capture a minimum set of fields: unique identifier, identity type, owner, business purpose, environment, permissions, creation time, last-used time, credential or token type, rotation status, and decommission state.

Discovery should be automated and repeated. Static point-in-time scans miss ephemeral identities, temporary API keys, and hidden OAuth grants. Use connectors and log-based correlation to reconcile identity sources, then normalise them into one authority record. Where possible, tie NHIs to workload identity rather than just stored secrets. That means aligning service accounts, pods, pipelines, and agents to cryptographic identity assertions and runtime evidence, not just a name in a vault. This is especially important for service accounts and developer tooling exposures like the JetBrains GitHub plugin token exposure, where the inventory must show where the secret lived, who could use it, and whether it was still valid.

A practical inventory workflow usually includes:

  • Source discovery from cloud, SaaS, CI/CD, and workload platforms.
  • Ownership assignment with named operational and business owners.
  • Privilege mapping that links each NHI to roles, scopes, and entitlements.
  • Last-use and activity enrichment from logs, API audit trails, and secret access events.
  • Lifecycle status so teams can identify dormant, orphaned, and unrotated identities.
  • Risk tagging for internet exposure, third-party access, and production reach.
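
The workflow above, carried through in code as an added example that is not NHIMG's own tooling: two constructed source exports (a cloud IAM role and a CI/CD token, each with its own field names) are normalised into one record carrying the minimum fields listed earlier, last-use is enriched from constructed audit trail lines, and each identity is classified as active, dormant, orphaned, or unknown, with an unrotated flag. The field maps, the 90-day dormancy and 180-day rotation thresholds, and all sample data are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)                        # constructed reference time
DORMANT_AFTER, ROTATE_AFTER = timedelta(days=90), timedelta(days=180)   # assumed review policy

# Constructed exports: each source names the same facts differently; the CI token has no owner.
SOURCES = {
    "cloud_iam": [{"RoleName": "svc-billing", "Tags": {"owner": "team-fin"}, "Env": "prod",
                   "Policies": ["s3:GetObject"], "CreateDate": "2025-01-10", "KeyRotated": "2025-01-10"}],
    "ci_cd": [{"token_id": "pipe-42", "owner": None, "scopes": ["repo:write"], "env": "prod",
               "created_at": "2026-05-01", "rotated_at": "2026-05-01"}],
}
# Per-source map from native keys onto the authoritative field names (assumed mapping).
FIELD_MAPS = {
    "cloud_iam": {"uid": "RoleName", "permissions": "Policies", "environment": "Env",
                  "created": "CreateDate", "last_rotated": "KeyRotated"},
    "ci_cd": {"uid": "token_id", "permissions": "scopes", "environment": "env",
              "created": "created_at", "last_rotated": "rotated_at"},
}
# Constructed audit trail, "<date> <principal> <action>"; the CI token never appears in it.
AUDIT = ["2026-06-20 svc-billing s3:GetObject", "2026-02-01 svc-billing sts:AssumeRole"]

_ts = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)  # date string -> aware datetime

def normalise(sources=SOURCES):  # reconcile every source into one authoritative record per uid
    inv = {}
    for src, rows in sources.items():
        for r in rows:
            rec = {k: r[v] for k, v in FIELD_MAPS[src].items()}
            rec.update(kind=src, last_used=None,  # last_used comes only from logs, never the export
                       owner=r.get("Tags", {}).get("owner") or r.get("owner"),
                       created=_ts(rec["created"]), last_rotated=_ts(rec["last_rotated"]))
            inv[rec["uid"]] = rec
    return inv

def enrich_last_use(inv, audit_lines=AUDIT):  # newest audit event per principal sets last_used
    for line in audit_lines:
        ts, principal, _action = line.split(" ", 2)
        rec = inv.get(principal)
        if rec and (rec["last_used"] is None or _ts(ts) > rec["last_used"]):
            rec["last_used"] = _ts(ts)
    return inv

def classify(rec, now=NOW):
    """Lifecycle state for access review, plus an unrotated-credential flag."""
    if rec["owner"] is None:
        state = "orphaned"      # nobody can approve, revoke or answer for it
    elif rec["last_used"] is None:
        state = "unknown"       # no activity evidence is itself a risk category
    else:
        state = "dormant" if now - rec["last_used"] > DORMANT_AFTER else "active"
    return state, now - rec["last_rotated"] > ROTATE_AFTER
```

Running `classify` over `enrich_last_use(normalise())` flags the billing role as active but unrotated and the ownerless CI token as orphaned; an owned identity with no audit evidence lands in the unknown state the text treats as its own risk category.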

This approach also supports response. If a token is compromised, the inventory should tell analysts where else it authenticates, what it can touch, and which dependencies may break if it is revoked. That is why inventory data must be designed for access review and containment, not just reporting. These controls tend to break down when organisations cannot correlate identities across tenant boundaries because duplicate naming, shared pipelines, and unmanaged third-party integrations obscure the true source of authority.

Common Variations and Edge Cases

Tighter inventory accuracy often increases operational overhead, requiring organisations to balance visibility against integration complexity. That tradeoff becomes visible in hybrid estates, where legacy systems, unmanaged scripts, and vendor-managed integrations do not expose clean identity metadata. Best practice is evolving, but there is no universal standard for how to inventory every NHI type yet, so teams should define a minimum authoritative dataset and expand it iteratively.

One common edge case is ephemeral infrastructure. Short-lived containers, serverless functions, and agentic workloads can create identities that never appear in a human-managed register unless log enrichment is automated. Another edge case is third-party OAuth access, where a single consent grant may represent multiple underlying permissions and data paths. The inventory should show both the application identity and the delegated scopes, not just the app name. For control design, the most useful inventories also distinguish between active, dormant, and unknown identities, because unknown state is itself a risk category.

NHIMG’s research indicates the scale of the problem is already operational, not theoretical: in The State of Non-Human Identity Security, only 1.5 out of 10 organisations are highly confident in securing NHIs. That confidence gap is a warning that inventory completeness, not just tooling, remains the weak link. Where AI agents are involved, the inventory should additionally record execution authority and tool access, because agent identities may change behaviour faster than traditional review cycles can keep up.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Inventory completeness is the first control for discovering and classifying NHIs.
NIST CSF 2.0 | ID.AM-5 | Asset management requires visibility into identities and their roles in the environment.
NIST AI RMF | | AI RMF supports governance for agent identities that need traceable authority and context.

Record AI agent identity, tool access, and ownership as part of the enterprise NHI inventory.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org