Yes. Service accounts, API keys, bots, and automated workloads create ongoing authentication, storage, and infrastructure demand. If they are overprovisioned or left uncleared, they increase both security risk and operational waste. Including NHIs in planning makes sustainability measurement more accurate and governance more complete.
Why This Matters for Security Teams
Organisations often separate sustainability planning from identity governance, but that split misses a real cost driver: non-human identities live inside the same compute, storage, and control plane footprint as the rest of the environment. Every service account, API key, bot, and workload token that is left over after a project ends can keep systems alive longer than needed, increase audit overhead, and expand the attack surface. That creates both operational waste and avoidable risk.
This is where measurement matters. NHI sprawl is not just a security hygiene issue; it also distorts capacity planning and makes it harder to know which assets are still actively contributing to business outcomes. NIST Cybersecurity Framework 2.0 treats governance, identification, and protection as connected functions, which is useful here because sustainability decisions depend on knowing what identities still exist and why. In practice, many security teams only notice the waste once stale access, secret leakage, or duplicated tooling has already accumulated.
How It Works in Practice
Putting NHIs into sustainability planning starts with inventory and ownership. Teams need a live register of service accounts, machine tokens, bots, certificates, and other secrets, and each entry must be tied to a workload, business service, or approved exception. Once that linkage exists, planners can assess whether an identity is still needed, whether its privileges are excessive, and whether it can move from a long-lived credential to a short-lived, JIT-issued secret. That reduces both standing risk and the operational burden of storing, rotating, and monitoring credentials.
A practical model is to combine identity reviews with infrastructure reviews. When a workload is retired, its credentials, pipelines, secret manager entries, and logging dependencies should be removed together. If the organisation is using cloud-native automation or agentic systems, this becomes even more important because autonomous behaviour can continue calling tools long after a human owner has stopped paying attention. NIST Cybersecurity Framework 2.0 can be used to anchor this in governance, while the NIST AI Risk Management Framework helps teams account for changing behaviour in AI-enabled workloads.
The best evidence from recent NHI research shows why cleanup cannot be an afterthought. The DeepSeek breach illustrates how exposed secrets and leftover data can create both security exposure and unnecessary persistence, while the JetBrains GitHub plugin token exposure shows how third-party integrations can quietly add hidden identity sprawl. Teams should also consider whether secret storage is itself becoming wasteful; fragmented tooling adds overhead, and NHI governance is strongest when identity removal is treated as part of lifecycle management, not a separate task. These controls tend to break down when ownership is unclear across platform, application, and procurement teams because no one is accountable for decommissioning the identity end to end.
Common Variations and Edge Cases
Tighter identity governance often increases administrative overhead, so organisations have to balance sustainability gains against the cost of inventory, automation, and exception handling. That tradeoff is real, especially in environments with many ephemeral workloads or vendor-managed integrations where identity lifetimes are short and ownership is distributed.
There is no universal standard for sustainability scoring of NHIs yet, so current guidance suggests using practical proxies: number of dormant identities, credential age, secret-manager sprawl, unused privileges, and the percentage of workloads using ephemeral versus static secrets. This works best when teams treat sustainability as an outcome of better lifecycle hygiene rather than a separate carbon metric. The same approach can also surface hidden waste in AI pipelines, where reusable tokens and static service accounts can keep training, retrieval, or automation jobs alive after business value has dropped.
Edge cases matter. Some regulated systems must retain identities longer for auditability, and some high-availability services cannot rotate credentials as aggressively without downtime. In those cases, current guidance suggests compensating controls such as stronger monitoring, narrower RBAC, and JIT provisioning where feasible. The core principle is still the same: if an NHI no longer supports a live workload, it should not continue consuming identity, storage, or operational attention.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset and identity inventory is essential to find stale NHIs. |
| NIST AI RMF | | AI RMF helps govern changing behaviour in autonomous workload identities. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Excessive or stale non-human identities create avoidable risk and waste. |
Continuously inventory NHIs, remove unused credentials, and shorten credential lifetime where possible.
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org