
How should teams govern identity estates they cannot fully see?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Start with discovery coverage, not certification. If applications, service accounts, and access paths are missing from the inventory, every downstream governance step is incomplete. Teams should baseline what is visible, what is inferred, and what remains unmanaged, then use that map to decide where access reviews and policy enforcement can be trusted.

Why This Matters for Security Teams

Identity governance breaks down fastest where the estate is only partially visible. If service accounts, API keys, machine tokens, and shadow integrations are missing from the inventory, certification becomes a paperwork exercise rather than a control. Current guidance from the NIST Cybersecurity Framework 2.0 places inventory and continuous assessment ahead of enforcement for a reason: controls can only be trusted where assets are known.

That is especially true for non-human identities. NHIs are often created outside central IAM, embedded in CI/CD, or inherited by applications long after the original owner has moved on. NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, while 68% do not know how to fully address NHI risk. The Ultimate Guide to NHIs makes the underlying problem plain: governance cannot start with review closure if the review population is incomplete.

Practitioners also get trapped by false confidence. A clean access review can still leave unmanaged identities untouched, including stale tokens, forgotten test accounts, and third-party integrations that were never captured by discovery. In practice, many security teams encounter exposure only after an application outage, a leaked secret, or an audit exception reveals what the inventory never knew existed.

How It Works in Practice

The practical answer is to govern the visible estate differently from the inferred estate, and to treat the unmanaged estate as an active risk queue. Start by building a source-of-truth map that combines CMDB records, cloud asset inventories, CI/CD references, secret scanners, and authentication logs. Then classify each identity path into one of three buckets: confirmed, inferred, or unknown. That triage determines which controls can be enforced immediately and which require compensating monitoring.

Discovery should not stop at names and owners. Teams need to identify where an identity authenticates, what it can reach, and whether credentials are static or short-lived. The Lifecycle Processes for Managing NHIs section of NHIMG’s guide is useful here because it ties inventory to rotation, offboarding, and review triggers. For broader identity governance structure, the NIST Cybersecurity Framework 2.0 supports a control sequence of identify, protect, detect, and respond rather than a one-time certification event.

  • Apply strong enforcement first to confirmed identities with known owners and known access paths.
  • Use monitored access and shorter credential lifetimes for inferred identities until ownership is established.
  • Route unknown identities into remediation workflows, not annual review cycles.
  • Track orphaned secrets, stale service accounts, and third-party connections as separate queues.
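The triage above, as an added example that is not code from the page or from NHIMG: it reconciles constructed snapshots of the sources the text names (CMDB, cloud inventory, CI/CD references, secret scanner, authentication log), assigns each identity path to confirmed, inferred or unknown, and attaches the separate queues. Identity names, the bucket rules and the 90-day stale threshold are assumptions.

```python
"""Classify identity paths into confirmed / inferred / unknown buckets and
route each to the control the guidance prescribes. All data is constructed."""
from dataclasses import dataclass, field

# Constructed system-of-record snapshots (hypothetical identity names).
CMDB = {"svc-payments": "team-payments", "svc-reports": "team-data"}  # name -> owner
CLOUD_INVENTORY = {"svc-payments", "svc-reports", "svc-etl-legacy"}   # cloud IAM principals
CICD_REFS = {"svc-payments", "svc-deploy-bot"}                        # named in pipelines
SECRET_FINDINGS = {"svc-etl-legacy", "svc-vendor-sync"}               # scanner hits (static creds)
AUTH_LOG = [                                                          # (identity, target, days_since_seen)
    ("svc-payments", "db-prod", 1), ("svc-deploy-bot", "k8s-api", 3),
    ("svc-vendor-sync", "s3-exports", 12), ("svc-reports", "warehouse", 120),
]
STALE_DAYS = 90  # assumed threshold for the stale service account queue


@dataclass
class Finding:
    bucket: str                             # confirmed | inferred | unknown
    control: str                            # control the bucket maps to
    queues: list = field(default_factory=list)  # orphaned-secret, stale


def classify(cmdb, cloud, cicd, secrets, auth_log, stale_days=STALE_DAYS):
    """Assumed rules: confirmed = owner on record and present in an inventory;
    inferred = inventoried but no owner; unknown = seen only in logs/scanner."""
    inventoried = cloud | cicd
    observed = {ident for ident, _, _ in auth_log} | secrets
    last_seen = {ident: days for ident, _, days in auth_log}
    results = {}
    for ident in sorted(inventoried | observed):
        if cmdb.get(ident) and ident in inventoried:
            f = Finding("confirmed", "enforce policy; include in access review")
        elif ident in inventoried:
            f = Finding("inferred", "monitor access; shorten credential lifetime until owned")
        else:  # in no system of record: an active risk, not an annual-review item
            f = Finding("unknown", "route to remediation workflow")
        if ident in secrets and f.bucket != "confirmed":
            f.queues.append("orphaned-secret")   # static credential with no accountable owner
        days = last_seen.get(ident)
        if days is None or days > stale_days:    # never authenticated, or idle past threshold
            f.queues.append("stale")
        results[ident] = f
    return results


if __name__ == "__main__":
    for name, f in classify(CMDB, CLOUD_INVENTORY, CICD_REFS, SECRET_FINDINGS, AUTH_LOG).items():
        print(f"{name:16} {f.bucket:9} {f.control:55} {f.queues}")
```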

Where possible, automate reconciliation between discovery tools and policy engines so that new identities are evaluated at creation, not at the next audit. This is where the Top 10 NHI Issues aligns closely with practitioner reality: unmanaged growth is usually a visibility failure before it is a privilege failure. These controls tend to break down in multi-cloud environments with decentralized platform teams because ownership metadata is inconsistent across systems of record.

Common Variations and Edge Cases

Tighter discovery controls often increase operational overhead, requiring organisations to balance better coverage against pipeline friction and review fatigue. There is no universal standard for how much inferred identity risk is acceptable, so current guidance suggests setting thresholds by business criticality rather than forcing one inventory model across every environment.

Legacy applications are the hardest case. They may authenticate with embedded secrets, shared accounts, or opaque middleware that cannot be cleanly mapped to a modern identity record. In those environments, governance usually means compensating controls such as network restriction, secret rotation, and tighter logging rather than immediate full normalization. Third-party and contractor-owned integrations create another edge case because ownership can be contractual but not operationally visible, which means discovery must be paired with supplier oversight and periodic confirmation.

For organisations comparing immature and mature estates, NHIMG’s 52 NHI Breaches Analysis is a reminder that most failures emerge from hidden identities, not from the ones already under review. The right operating model is to govern uncertainty explicitly: certify what is visible, constrain what is inferred, and escalate what remains unknown until evidence exists. That approach is less elegant than a complete inventory, but it is far safer than pretending incomplete data is complete control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Discovery gaps leave NHIs unmanaged, which this control addresses.
NIST CSF 2.0                     | ID.AM               | Asset management is the foundation for governing what cannot be fully seen.
CSA MAESTRO                      | GOV-01              | Governance must account for incomplete visibility across autonomous identity estates.

Establish ownership, classification, and monitoring rules for confirmed, inferred, and unknown identities.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org