Manual identity access management breaks when approvals, removals, and reviews are handled in disconnected tools that do not share lifecycle state. The result is policy drift, orphaned access, and weak audit evidence. Organisations often believe they are controlling access, but they are really reconciling it after the fact, which leaves gaps open long enough for compliance failure or misuse.
Why This Matters for Security Teams
When spreadsheets and ticket queues become the system of record for access, identity governance stops being enforceable and becomes descriptive. Security teams lose a reliable lifecycle state for who approved what, when access should expire, and whether removals actually happened. That is especially risky for non-human identities, where service accounts, API keys, and automation tokens can persist long after the human requester has moved on.
NHIMG’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which shows how often access is managed without a trustworthy inventory. The problem compounds when approvals live in email, removals live in another queue, and reviews are done later in a spreadsheet that may already be stale. That creates policy drift, weak evidence, and a false sense of control. The OWASP Non-Human Identity Top 10 treats these lifecycle gaps as a direct security issue, not just an admin inconvenience.
In practice, many security teams encounter overprovisioned access only after a dormant account, forgotten token, or delayed deprovisioning has already been exploited.
How It Works in Practice
Manual IAM usually fails in three places: provisioning, recertification, and revocation. A request is approved in a ticket, but the granted access is copied into a spreadsheet, and the actual entitlement is applied later by an operator. If the employee changes roles, the spreadsheet is updated but the downstream system is not. If the identity is an NHI, the blast radius is often larger because credentials may be embedded in code, CI/CD, or scripts. NHIMG’s Lifecycle Processes for Managing NHIs and 52 NHI Breaches Analysis both show how lifecycle breaks become security events when credentials outlive their purpose.
Good practice is to collapse the gap between approval and enforcement. That means:
- Use one authoritative identity source, not a spreadsheet copy, to define access state.
- Automate joiner-mover-leaver and equivalent NHI lifecycle events so removals are not dependent on human follow-through.
- Make recertification evidence come from live entitlements, not manually reconciled exports.
- Track secrets, service accounts, and API keys with ownership, expiry, and revocation status.
- Prefer workflow controls that can trigger actual deprovisioning, not just record an approval decision.
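The gap between approval and enforcement becomes visible only when the authoritative approval record is mechanically compared with what the target systems actually grant. The following reconciliation script is an added illustration, not NHIMG's code or a product feature: the approval ledger, live entitlement export, and secrets inventory are constructed sample data, and the record shapes (identity, resource, expiry, owner, revoked flag) are assumptions about what an integration would supply. It reports orphaned access (live with no approval), expired approvals that were never revoked, approved access that was never provisioned, and NHI credentials that lack an owner or have outlived their expiry.

```python
"""Reconcile an authoritative approval ledger against live entitlements.

Added example with constructed data; the input shapes are assumptions about
what an IdM/ticketing integration and a target-system export would provide.
"""
from datetime import date

TODAY = date(2026, 6, 24)  # constructed "as of" date for this reconciliation run

# Authoritative approval ledger: what access SHOULD exist and until when (constructed).
APPROVALS = [
    {"identity": "alice", "resource": "prod-db", "expires": date(2026, 12, 31)},
    {"identity": "bob", "resource": "prod-db", "expires": date(2026, 3, 31)},      # expired
    {"identity": "carol", "resource": "analytics", "expires": date(2026, 12, 31)},  # never provisioned
    {"identity": "svc-ci-deploy", "resource": "prod-k8s", "expires": date(2026, 9, 30)},
]

# Live entitlements exported from the target system: what access DOES exist (constructed).
LIVE_ENTITLEMENTS = [
    ("alice", "prod-db"),
    ("bob", "prod-db"),             # still live after the approval expired
    ("svc-ci-deploy", "prod-k8s"),
    ("svc-legacy-etl", "prod-db"),  # no approval on record at all
]

# Secrets inventory for non-human identities (constructed).
SECRETS = [
    {"id": "key-01", "identity": "svc-ci-deploy", "owner": "platform-team",
     "expires": date(2026, 9, 30), "revoked": False},
    {"id": "key-02", "identity": "svc-legacy-etl", "owner": None,
     "expires": date(2025, 12, 31), "revoked": False},
]


def reconcile(approvals, live_entitlements, today):
    """Return the three drift classes as sorted lists of (identity, resource) pairs.

    orphaned          - live, but no approval (active or expired) on record
    expired_but_live  - only an expired approval exists, yet access is still live
    approved_missing  - active approval exists, but access was never provisioned
    """
    active = {(a["identity"], a["resource"]) for a in approvals if a["expires"] >= today}
    expired = {(a["identity"], a["resource"]) for a in approvals if a["expires"] < today}
    live = set(live_entitlements)

    orphaned = sorted(live - active - expired)
    # An expired approval superseded by an active one is not drift, hence (expired - active).
    expired_but_live = sorted(live & (expired - active))
    approved_missing = sorted(active - live)
    return {
        "orphaned": orphaned,
        "expired_but_live": expired_but_live,
        "approved_missing": approved_missing,
    }


def audit_secrets(secrets, today):
    """Flag NHI credentials with no accountable owner or past expiry without revocation."""
    findings = []
    for s in secrets:
        if s["owner"] is None:
            findings.append((s["id"], "no-owner"))
        if s["expires"] < today and not s["revoked"]:
            findings.append((s["id"], "expired-not-revoked"))
    return sorted(findings)


def run_report(approvals=APPROVALS, live=LIVE_ENTITLEMENTS, secrets=SECRETS, today=TODAY):
    """Print a human-readable drift report and return the raw findings."""
    drift = reconcile(approvals, live, today)
    secret_findings = audit_secrets(secrets, today)
    for category, pairs in drift.items():
        for identity, resource in pairs:
            print(f"[{category}] {identity} -> {resource}")
    for secret_id, issue in secret_findings:
        print(f"[secret:{issue}] {secret_id}")
    return drift, secret_findings


if __name__ == "__main__":
    run_report()
```

Each non-empty list is evidence that the ticket and the entitlement disagree: the `orphaned` and `expired_but_live` rows are the revocation failures the text describes, `approved_missing` is the case where the ticket proves only that someone asked, and the secrets findings are the NHI ownership and expiry gaps that a human review queue never sees. Running this on a schedule against real exports, and feeding the result into an automated revocation step, is what turns the spreadsheet from a control into the evidence artifact it should be.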
For broader governance language, the NIST Cybersecurity Framework 2.0 reinforces that access control, asset visibility, and continuous monitoring must operate as connected functions, not disconnected paperwork. Where teams still rely on tickets, the evidence trail often proves only that someone asked for a change, not that the change was implemented or later removed. These controls tend to break down in fast-moving environments with many service accounts, because manual reconciliation cannot keep pace with the rate of entitlement change.
Common Variations and Edge Cases
Tighter approval workflows often increase operational overhead, so organisations must balance speed against control. That tradeoff is acceptable for low-risk access requests, but it becomes dangerous when temporary exceptions become the norm or when access is granted to automation that never appears in a human review queue.
There is no universal standard for spreadsheet-based recertification, but current guidance suggests treating it as an evidence artifact, not a control. If the spreadsheet is the only record, it is already a sign that lifecycle state is fragmented. In practice, some organisations use tickets for intake and approval while still enforcing changes through IAM or PAM platforms; that can work if the authoritative state is updated automatically. The failure mode is when the ticket becomes the system of control and the actual entitlement is left to memory, inbox searches, or after-the-fact cleanup.
NHIMG’s Regulatory and Audit Perspectives and Top 10 NHI Issues both point to the same operational lesson: if revocation, ownership, and review cannot be proven from live systems, audit readiness is fragile. A spreadsheet can document intent, but it cannot substitute for enforcement when identities proliferate across cloud, code, and automation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Manual tracking often leaves NHI credentials unrotated or unrevoked. |
| NIST CSF 2.0 | PR.AC-4 | Access rights must be managed and reviewed through enforced control, not manual records. |
| CSA MAESTRO | | MAESTRO addresses governance gaps when human workflows cannot keep pace with autonomous access. |
Operationalise policy enforcement so identity state changes are executed automatically, not by ticket follow-up.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org