Governance breaks at the first step because reviews, offboarding, and SoD can only operate on what discovery found. Shadow apps, direct API access, shared accounts, and other out-of-band access remain outside the control model. If the access surface is larger than the IdP view, the programme will always undercount real risk.
Why This Matters for Security Teams
Limiting discovery to SSO-connected applications creates a false sense of coverage. The IdP only sees a slice of the access surface, while governance decisions such as review, offboarding, and segregation of duties depend on complete inventory. If direct API calls, shared accounts, embedded credentials, or SaaS admin paths are missing, the programme is measuring compliance against an incomplete map. That is why this problem often shows up first in incident response, not in an access review.
NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is a useful reminder that identity sprawl is usually wider than the SSO catalogue suggests. Current guidance from the NIST Cybersecurity Framework 2.0 still depends on accurate asset and identity inventory before control assessment can be trusted. In practice, many security teams encounter the gap only after an offboarding miss, an overprivileged service account, or a shadow integration has already been abused.
How It Works in Practice
SSO-connected application discovery usually starts with the identity provider and pulls from federated sign-ins, SCIM provisioning, and app catalog integrations. That is useful, but it is not the same as discovering all access paths. A mature NHI programme must also find non-federated applications, direct API clients, workloads using long-lived secrets, and administrative sessions that never touch the SSO flow. NHI Management Group’s NHI Lifecycle Management Guide and Top 10 NHI Issues both emphasise that inventory must extend beyond human login events if lifecycle controls are going to work.
Practitioners usually need to combine multiple discovery sources:
- IdP logs and SSO app catalogs for federated access.
- Cloud audit trails for service principals, roles, and machine-to-machine sessions.
- Secret scanners and vault inventories for API keys, tokens, and certificates.
- Code repositories, CI/CD pipelines, and config stores for embedded credentials.
- Network and SaaS admin telemetry for direct access that bypasses the IdP.
That broader view matters because access reviews built only from SSO data will miss shadow apps and out-of-band identities, so recertification becomes selective rather than complete. The result is a governance model that looks clean on paper but cannot support real offboarding or segregation-of-duties decisions. These controls tend to break down in hybrid environments where legacy apps, service accounts, and manually issued credentials coexist because the IdP never becomes the single source of truth.
Common Variations and Edge Cases
Tighter discovery often increases operational overhead, requiring organisations to balance completeness against implementation cost. There is no universal standard for how much non-SSO discovery must be included, but current guidance suggests the answer should match the highest-risk access paths first, not the easiest ones to inventory. SSO coverage may be sufficient for low-risk SaaS, yet it is usually inadequate for production systems, third-party integrations, or any environment where secrets can be reused outside the IdP.
Edge cases are common. Shared accounts may never appear as discrete identities, direct database connections may use application secrets instead of user sessions, and privileged automation may authenticate through workload tokens rather than interactive login. In those cases, discovery needs to identify the credential, the workload, and the system owner, not just the app name. This is especially important when an access review relies on an IdP export as the only evidence source, because the review will silently exclude the identities that matter most. Where organisations have strong SSO adoption but weak secrets governance, the gap is often best measured by comparing the IdP catalogue against vault data and cloud entitlement inventories.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Incomplete discovery causes hidden NHI inventory gaps and missed access paths. |
| NIST CSF 2.0 | ID.AM-1 | Asset inventory must include identities and access paths outside the IdP view. |
| CSA MAESTRO | IM-1 | Agent and workload discovery requires broader inventory and governance coverage. |
Map all applications and identities, then validate the inventory against cloud, vault, and SaaS logs.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org