No. A single workflow usually hides important differences in lifecycle, revocation, and accountability. Human access is tied to employment and role change, while NHIs and agents need credential, secret, or delegation controls that can be enforced independently. Use one governance model, but separate operational paths for each identity type.
Why This Matters for Security Teams
A single governance workflow sounds efficient, but it usually collapses three very different identity problems into one process. Humans change through hiring, leave, and role movement. NHIs change through secrets, tokens, certificates, and service ownership. AI agents change through task context, delegation, and runtime behaviour. When those paths are merged, revocation slows down, accountability gets blurred, and exceptions become permanent.
For NHIs, the operational risk is not abstract. NHI-specific failures often begin with overlong credential lifetimes, weak rotation, or hidden third-party access. NHI Management Group has repeatedly highlighted how governance gaps show up in real incidents, including patterns discussed in Top 10 NHI Issues and the Lifecycle Processes for Managing NHIs. Vendor research reinforces the point: the State of Non-Human Identity Security report found that only 1.5 out of 10 organisations are highly confident in securing NHIs.
Industry guidance also points away from one-size-fits-all workflows. The NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both stress that AI systems require context-sensitive controls, not static approval chains. In practice, many security teams encounter excessive standing access only after a credential leak, agent misuse, or audit finding has already exposed the mismatch.
How It Works in Practice
The right approach is one governance model with separate operational workflows. That means shared policy intent, shared ownership, and shared reporting, but different enforcement paths for people, NHIs, and agents. The policy should define who approves access, what evidence is required, how revocation works, and which identity type the control applies to. The workflow should then branch at runtime based on the identity being governed.
For humans, governance usually follows employment status and RBAC. For NHIs, it should follow workload ownership, secret issuance, rotation, and revocation. For AI agents, current guidance suggests using workload identity and task-scoped authorisation instead of assuming a stable user-like profile. That aligns with the direction of the CSA MAESTRO agentic AI threat modeling framework and the NIST AI RMF, both of which emphasise runtime risk decisions and traceability.
- Use human identity workflows for joiner, mover, leaver actions, certifications, and role-based approvals.
- Use NHI workflows for secret issuance, TTL enforcement, rotation, certificate renewal, and service ownership.
- Use agent workflows for delegated permissions, per-task credentials, policy-as-code checks, and automatic revocation on completion.
- Evaluate authorisation in real time when the request comes in, not only during provisioning.
For agentic systems, the important shift is from static access lists to intent-aware controls. Broad standing privileges on a service account may be tolerable where only a fixed workload uses them, but they become far riskier once an agent holding them can chain tools, move laterally, or act faster than manual review can react. Workload identity, such as a SPIFFE-style identity or a short-lived OIDC token, gives stronger proof of what the workload is than a long-lived shared secret. These controls tend to break down when legacy applications cannot distinguish between human, service, and agent requests because every call is forced through the same approval and token model.
Common Variations and Edge Cases
Tighter separation often increases operational overhead, requiring organisations to balance governance clarity against tooling complexity. That tradeoff is real, especially in smaller teams that want one portal, one approver list, and one audit trail. Current guidance suggests resisting that simplification when identity types have different failure modes, but there is no universal standard for how far the separation should go yet.
Some environments can share front-end intake while still using distinct back-end controls. For example, a request to create access may begin in the same ticketing system, but the human approval path can map to HR records while the NHI path maps to application ownership and secret management. Agent governance may also need stronger runtime controls than either humans or NHIs, especially where tool chaining, autonomous retries, or external API calls are allowed. The Ultimate Guide to NHIs and the Moltbook AI agent keys breach illustrate why long-lived keys and broad delegation are especially dangerous when agents can act continuously.
That said, convergence can still make sense at the policy layer. Shared standards for logging, ownership, review cadence, and exception handling reduce confusion. The mistake is to unify the workflow mechanics so completely that a leaver event, an expired service token, and an agent delegation revocation all follow the same operational path. Each of those events then waits on the slowest of the three processes, and in mixed environments that waiting time is exactly where incidents persist longer than they should.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO define the specific risk controls and attack patterns relevant to this topic.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Highlights weak rotation and long-lived NHI credentials as core governance failures. |
| OWASP Agentic AI Top 10 | | Agentic systems need runtime, context-aware controls rather than static human-style workflows. |
| CSA MAESTRO | | MAESTRO addresses autonomous agent risk, delegation, and runtime decision points. |
Separate NHI rotation and revocation from human offboarding and enforce short TTLs.
Related resources from NHI Mgmt Group
- Should organisations use the same controls for humans, NHIs, and AI agents?
- How should organizations approach the governance of AI agents?
- How should organisations use AI agents in access reviews without losing governance control?
- Should organisations use the same access model for humans and AI agents?
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org