Security teams should treat discovery as the prerequisite control. If the organisation cannot reliably see SaaS, shadow IT, service accounts, and AI-linked access paths, certification and role modelling will only cover a partial reality. Governance should start with coverage metrics, then use telemetry to decide what should be reviewed, removed, or formally owned.
Why This Matters for Security Teams
When identity inventories are incomplete, access governance becomes a partial-control exercise: reviews may look disciplined while large parts of the environment remain unseen. That gap matters because SaaS sprawl, shadow IT, service accounts, and AI-linked access paths often sit outside the systems used for recertification. The practical risk is not just excess privilege, but false confidence in the completeness of the inventory itself.
NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is why governance must begin with discovery rather than approval workflows. The same principle is reinforced in the NIST Cybersecurity Framework 2.0, where asset identification and continuous monitoring are prerequisites for effective control. In practice, many security teams discover unmanaged identities only after access has already been used, not through a clean inventory process.
How It Works in Practice
Effective governance starts by treating discovery as an ongoing control, not a one-time project. Security teams should aggregate identity signals from IAM, SaaS admin consoles, CI/CD systems, cloud platforms, secrets managers, and endpoint or network telemetry to build a working map of who or what can access sensitive systems. That map will remain imperfect, so the objective is coverage measurement and prioritisation, not instant completeness.
A useful operating model is to classify identities into three buckets: known and owned, known but unowned, and suspected but unconfirmed. Known and owned identities can move into normal certification and least-privilege review. Known but unowned identities should be time-boxed, investigated, and assigned to a system owner or service owner. Suspected identities, such as dormant service accounts or AI-driven integrations, should be monitored for usage before any decision is made to retain them.
This approach aligns with the OWASP Non-Human Identity Top 10, which highlights the risks created when machine identities are poorly inventoried or over-privileged. It also maps to NHIMG guidance in the NHI Lifecycle Management Guide, where onboarding, ownership, rotation, and offboarding are treated as continuous lifecycle controls. Practical controls usually include:
- Coverage metrics for cloud, SaaS, and non-human accounts as a governance KPI
- Event-based discovery from logs, token usage, and API activity to expose hidden access paths
- Ownership assignment for every identity before formal certification is accepted
- Exception handling for orphaned or shadow identities with expiry dates and escalation paths
- Periodic reconciliation between declared inventory and observed activity
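As an added example (not the page's or NHIMG's own code), the following Python reconciles a declared identity inventory against observed activity, sorts every identity into the three buckets of the operating model above, time-boxes the unowned ones, and reports coverage KPIs; the inventory entries, activity events, 14-day review window and 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date, timedelta
# Constructed sample data, not from the page: the declared inventory exported from
# IAM, CI/CD and SaaS admin consoles, with an owner where one has been recorded.
DECLARED = {
    "svc-billing-batch": {"owner": "payments-team", "source": "iam"},
    "svc-legacy-etl": {"owner": None, "source": "iam"},
    "ci-deploy-token": {"owner": "platform-team", "source": "cicd"},
    "oauth-app-vendor": {"owner": None, "source": "saas-admin"},
}
# Constructed observed-activity events (token usage, API calls) pulled from logs.
OBSERVED = [
    {"identity": "svc-billing-batch", "day": "2026-05-20"},
    {"identity": "svc-legacy-etl", "day": "2026-05-28"},
    {"identity": "oauth-app-vendor", "day": "2026-06-01"},
    {"identity": "ai-agent-connector", "day": "2026-06-05"},  # never declared anywhere
]
REVIEW_WINDOW_DAYS = 14  # assumed time box for assigning an owner before escalation
DORMANT_DAYS = 90        # assumed threshold for treating a declared identity as dormant

def classify(declared, observed, today_iso):
    """Place every identity from either source into one of the three buckets."""
    today = date.fromisoformat(today_iso)
    seen = {}  # most recent activity date per identity observed in telemetry
    for ev in observed:
        d = date.fromisoformat(ev["day"])
        seen[ev["identity"]] = max(seen.get(ev["identity"], d), d)
    buckets = {"known_owned": [], "known_unowned": [], "suspected": []}
    for name, meta in declared.items():
        if name not in seen:
            buckets["suspected"].append({"identity": name, "reason": "declared, never observed"})
        elif (today - seen[name]).days > DORMANT_DAYS:
            buckets["suspected"].append({"identity": name, "reason": "declared, dormant"})
        elif meta["owner"]:
            buckets["known_owned"].append({"identity": name, "owner": meta["owner"]})
        else:  # known but unowned: time-boxed, then escalate or revoke
            due = (today + timedelta(days=REVIEW_WINDOW_DAYS)).isoformat()
            buckets["known_unowned"].append({"identity": name, "review_by": due})
    for name in seen:
        if name not in declared:  # shadow access path surfaced only by telemetry
            buckets["suspected"].append({"identity": name, "reason": "observed, never declared"})
    return buckets

def coverage_kpis(buckets):
    """Governance KPIs over all identities: share in the declared inventory, share owned."""
    total = sum(len(v) for v in buckets.values())
    undeclared = sum(1 for s in buckets["suspected"] if s["reason"] == "observed, never declared")
    if not total:
        return {"inventory_coverage": 0.0, "ownership_coverage": 0.0}
    return {"inventory_coverage": round((total - undeclared) / total, 2),
            "ownership_coverage": round(len(buckets["known_owned"]) / total, 2)}
```

Identities that stay in `known_unowned` past `review_by` are the natural input for the expiry and escalation path listed above.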
Best practice is evolving toward telemetry-driven governance because static spreadsheets cannot keep up with federated SaaS estates or ephemeral automation. These controls tend to break down in highly distributed environments with unmanaged third-party integrations because no single source of truth sees every access path.
Common Variations and Edge Cases
Tighter discovery and reconciliation often increase operational overhead, requiring organisations to balance stronger governance against the reality of limited tooling, decentralised ownership, and fast-moving platform teams. That trade-off is especially visible when business units create their own SaaS tenants or when developers embed secrets directly into pipelines.
In those environments, current guidance suggests accepting that some identities will remain partially observed for a period, but they should not be treated as approved by default. Unowned service accounts, stale API keys, and AI-connected credentials should be given short review windows, explicit owners, and revocation triggers. NHI Management Group’s State of Non-Human Identity Security found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows why external access paths must be included in discovery scope.
There is no universal standard for this yet, especially for agentic systems that create and chain access dynamically. In those cases, security teams should pair identity inventory work with policy-based access logging and aggressive expiry of unused credentials, while recognising that some access will be discovered only through behaviour rather than registration. The hardest failures emerge where shadow IT, delegated SaaS, and automated workflows intersect, because identity ownership is ambiguous and revocation authority is often unclear.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset management is the prerequisite when identity inventories are incomplete. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory gaps are a core non-human identity risk. |
| NIST AI RMF | GOVERN | Governance requires accountability for AI-linked access paths and ownership gaps. |
Assign governance owners for AI-linked identities and require telemetry-backed oversight.
Related resources from NHI Mgmt Group
- How should security teams govern non-human identities that have persistent access?
- How should security teams govern API keys used for generative AI access?
- How should security teams govern access requests through IT service management tools?
- How should security teams govern automated access in IT management platforms?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org