Start with discovery, not tooling. Inventory the current state, interview stakeholders, and document pain points so the programme is based on actual risk and operational friction. Then phase the work so leadership can fund and sequence changes one stage at a time rather than confronting the entire problem at once.
Why This Matters for Security Teams
An identity security programme usually fails when it is treated as a product rollout instead of an operational change. Security teams inherit sprawling service accounts, API keys, OAuth grants, and human admin paths that were never documented together. Discovery first matters because it turns a vague concern into a scoped inventory, which is what leadership can actually fund and measure. NIST’s Cybersecurity Framework 2.0 reinforces the need to identify assets, risks, and governance before selecting controls.
NHI Management Group research shows why this sequencing is necessary: only 5.7% of organisations have full visibility into their service accounts, and 68% do not know how to fully address NHI risks. That combination makes broad, tool-led programmes look comprehensive while missing the highest-risk identities. The Ultimate Guide to NHIs also shows that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means small gaps quickly become enterprise-wide exposure. In practice, many security teams encounter their first major identity failure only after a leaked secret or vendor access incident has already forced the issue.
How It Works in Practice
The least disruptive way to start is to run a bounded discovery phase and use it to define the programme charter. Begin with a current-state inventory across cloud accounts, CI/CD systems, SaaS, directories, and third-party integrations. Then classify identities by business function, privilege level, and ownership. This gives you a working picture of where risk concentrates, rather than a theoretical architecture diagram.
A practical starter sequence is:
- Identify the top 10 to 20 identity populations that create the most operational risk, such as production service accounts or externally shared API keys.
- Map each population to an owner, purpose, expiry pattern, and rotation method.
- Document pain points from application owners, platform teams, and auditors so the backlog reflects actual friction.
- Use those findings to set phased goals, such as visibility first, then rotation, then privilege reduction.
For controls, current guidance suggests focusing on short-lived credentials, stronger secret handling, and least privilege once the inventory exists. The Top 10 NHI Issues is a useful reference for prioritising common failure modes, especially where rotation and over-privilege overlap. The NIST Cybersecurity Framework 2.0 can then be used to translate findings into governance, protection, detection, and response activities. This approach avoids forcing one control standard across every team on day one and lets leadership fund the work in stages. These controls tend to break down when identity ownership is split across many teams because no single group can approve, inventory, and remediate at enterprise speed.
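As an added illustration of the starter sequence above and of the controls paragraph that follows it (this is example code written for this page, not NHI Mgmt Group tooling), the script below takes a small, constructed identity inventory, groups it into populations by system and identity kind, scores each population for unowned identities, overdue rotation and admin privilege, and turns the ranking into the three phased goals the text names: visibility, then rotation, then privilege reduction. The field names, the 90-day rotation threshold and the scoring weights are assumptions chosen for the example, not a published standard.

```python
"""
Added example: inventory triage for an identity security programme.
All identities below are constructed sample data; field names, the
90-day rotation window and the weights are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 6, 24)            # fixed so results are deterministic
MAX_ROTATION_AGE_DAYS = 90           # assumed rotation policy
PRIVILEGE_WEIGHT = {"admin": 5, "write": 3, "read": 1}


@dataclass
class Identity:
    name: str
    kind: str                        # service_account, api_key, oauth_grant, human_admin
    system: str                      # cloud account, CI/CD, SaaS, directory
    privilege: str                   # admin, write or read
    owner: Optional[str]             # None means nobody has claimed it
    last_rotated: Optional[date]     # None means never rotated or unknown
    external: bool = False           # shared with a third party


# Constructed inventory, as a discovery phase might produce it.
SAMPLE_INVENTORY = [
    Identity("ci-deployer", "service_account", "ci-cd", "admin", None, None),
    Identity("ci-tester", "service_account", "ci-cd", "read", "platform-team", date(2026, 5, 1)),
    Identity("billing-sync", "api_key", "saas", "write", "finance-app", date(2025, 1, 15), external=True),
    Identity("vendor-reporting", "api_key", "saas", "read", None, date(2026, 4, 1), external=True),
    Identity("prod-db-backup", "service_account", "cloud-prod", "admin", "dba-team", date(2026, 6, 1)),
    Identity("legacy-etl", "service_account", "cloud-prod", "admin", None, None),
    Identity("alice-breakglass", "human_admin", "directory", "admin", "alice", date(2026, 3, 1)),
]


def rotation_overdue(identity, today=TODAY, max_age=MAX_ROTATION_AGE_DAYS):
    """Unknown rotation counts as overdue: it cannot be shown to be current."""
    if identity.last_rotated is None:
        return True
    return (today - identity.last_rotated).days > max_age


def risk_score(identity, today=TODAY):
    """Additive score: privilege, then the gaps the inventory is meant to surface."""
    score = PRIVILEGE_WEIGHT.get(identity.privilege, 1)
    if identity.owner is None:
        score += 4                   # no owner means no one can approve remediation
    if identity.last_rotated is None:
        score += 4                   # never rotated is worse than merely late
    elif rotation_overdue(identity, today):
        score += 2
    if identity.external:
        score += 3                   # externally shared credentials widen exposure
    return score


def classify(identities):
    """Group identities into populations keyed by (system, kind)."""
    populations = {}
    for ident in identities:
        populations.setdefault((ident.system, ident.kind), []).append(ident)
    return populations


def rank_populations(identities, top_n=3, today=TODAY):
    """Rank populations by total risk and attach per-population findings."""
    ranked = []
    for (system, kind), members in classify(identities).items():
        ranked.append({
            "population": f"{system}:{kind}",
            "count": len(members),
            "risk": sum(risk_score(m, today) for m in members),
            "unowned": sum(1 for m in members if m.owner is None),
            "rotation_overdue": sum(1 for m in members if rotation_overdue(m, today)),
            "admin": sum(1 for m in members if m.privilege == "admin"),
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked[:top_n]


def phase_backlog(ranked):
    """Map findings onto the phased goals: visibility, rotation, privilege reduction."""
    backlog = {"1-visibility": [], "2-rotation": [], "3-privilege-reduction": []}
    for r in ranked:
        if r["unowned"]:
            backlog["1-visibility"].append(r["population"])
        if r["rotation_overdue"]:
            backlog["2-rotation"].append(r["population"])
        if r["admin"]:
            backlog["3-privilege-reduction"].append(r["population"])
    return backlog


if __name__ == "__main__":
    top = rank_populations(SAMPLE_INVENTORY)
    for row in top:
        print(row)
    for phase, pops in phase_backlog(top).items():
        print(phase, pops)
```

On the sample data the production service accounts rank first (two admin identities, one unowned and never rotated), the externally shared SaaS API keys second, and the CI/CD accounts third; each lands in the visibility and rotation phases, and the two populations with admin members also land in privilege reduction. Swapping the weights or the rotation window changes the order, which is the point: the scoring encodes the risk appetite leadership agrees to fund, and the inventory, not the tool, is what makes that conversation concrete.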
Common Variations and Edge Cases
Tighter identity control often increases short-term delivery friction, requiring organisations to balance risk reduction against release velocity and support load. That tradeoff is real, especially in environments with legacy applications, unmanaged vendor integrations, or repeated acquisitions. Best practice is evolving, but current guidance suggests starting with the identities that are both highly privileged and easiest to observe, rather than chasing perfect coverage immediately.
Some teams will need different entry points. Cloud-native organisations may start with workload identities and CI/CD secrets, while heavily regulated environments may prioritise administrative access and third-party OAuth grants first. The State of Non-Human Identity Security shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, which makes rotation a sensible early milestone once inventory is established. Not every identity needs the same control depth at the start, and there is no universal standard for sequencing yet. The programme should scale from the highest-risk, highest-friction areas outward, not from an abstract ideal inward.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Discovery and inventory are the starting point for identity risk reduction. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Programme startup depends on finding unmanaged NHIs before controls are assigned. |
| NIST AI RMF | | Risk governance and operational framing help sequence the programme without overload. |
Build a scoped identity inventory first, then map controls to the highest-risk identity populations.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org