What breaks when self-service catalogues are not governed?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Ungoverned self-service catalogues turn convenience into policy drift. Users may see apps that should be restricted, approvers may lack context, and denied requests may not leave a usable record. Over time, the catalogue starts defining access norms instead of reflecting them.

Why This Matters for Security Teams

Self-service catalogues are supposed to reduce friction, but without governance they become an access-policy shadow system. Users can request items that no longer match approved access tiers, approvers may rubber-stamp requests without context, and denied items may never be recorded in a way that supports audit or remediation. That creates a gap between formal identity policy and day-to-day delivery.

This is not just an operational nuisance. Catalogue drift affects entitlement accuracy, separation of duties, and evidence quality during reviews. NHI Management Group’s Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, which is exactly the kind of risk that expands when catalogues expose the wrong options or fail to preserve approval intent. The governance problem is also consistent with the access review emphasis in NIST Cybersecurity Framework 2.0, where identity decisions must remain traceable and enforceable. In practice, many security teams discover catalogue-induced privilege creep only after an audit exception, not through proactive control design.

How It Works in Practice

A governed catalogue should function as an enforced policy interface, not a static menu of available requests. Each service, app, API key, role, or NHI entitlement needs to map to an approved owner, an allowed requester population, an approval path, a review cadence, and a revocation process. If the catalogue does not carry those constraints, the request workflow becomes a convenience layer that bypasses security design.

At minimum, practitioners should align catalogue entries to authoritative identity records and lifecycle controls. That means making sure the request object reflects the real entitlement, the approver has sufficient context, and the final grant is time-bound where possible. The Lifecycle Processes for Managing NHIs section is useful here because catalogue governance should mirror provisioning, rotation, and offboarding rather than ignoring them.

  • Restrict catalogue visibility by role, business unit, environment, or data sensitivity.
  • Attach policy metadata to each item so approval logic is deterministic.
  • Log denials, overrides, and exceptions as durable evidence.
  • Synchronise the catalogue with joiner-mover-leaver and offboarding workflows.
  • Review catalogue entries for stale apps, duplicate entitlements, and hidden admin paths.

For auditability, the request path should preserve who asked, who approved, what was granted, and why the item was eligible. That evidence is especially important where catalogues include NHIs, because the same weak control patterns often show up in service accounts, API keys, and automation tokens. NHI Management Group’s Top 10 NHI Issues research reinforces that weak governance commonly shows up as overexposure and poor lifecycle control. These controls tend to break down in fast-moving environments with local admin exceptions because the catalogue stops matching the authoritative entitlement source.
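As an added illustration for this section (example code written for this FAQ, not a tool from NHI Management Group or any IGA vendor), the following Python reconciles a catalogue against an authoritative entitlement record and flags the drift patterns named above: stale items, duplicate entitlements, missing or mismatched owners, and admin-scoped entitlements offered behind a low risk tier. The entitlement ids, owners, the dict layout and the `<resource>:admin` scope convention are constructed assumptions.

```python
"""Reconcile a self-service catalogue against the authoritative entitlement source.

Hypothetical example written for this FAQ: both inputs are constructed dicts,
not an export from any real IGA product.  The checks flag the drift patterns
the text names: stale items, duplicate entitlements, missing or mismatched
owners, and admin-scoped entitlements exposed behind a low risk tier.
"""
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    item_id: str
    kind: str
    detail: str


# Constructed authoritative entitlement records (what the IdP/IGA system says exists).
AUTHORITATIVE = {
    "ent-dash-read": {"owner": "owner.bi", "scopes": {"dashboard:read"}, "active": True},
    "ent-payments-key": {"owner": "owner.payments", "scopes": {"payments:write"}, "active": True},
    "ent-legacy-report": {"owner": "owner.bi", "scopes": {"report:read"}, "active": False},
    "ent-cluster-admin": {"owner": "owner.platform", "scopes": {"cluster:admin"}, "active": True},
}

# Constructed catalogue entries (what a requester can see and ask for).
CATALOGUE = [
    {"item_id": "Dashboard access", "entitlement": "ent-dash-read", "owner": "owner.bi", "risk_tier": "low"},
    {"item_id": "Dashboards (legacy name)", "entitlement": "ent-dash-read", "owner": "owner.bi", "risk_tier": "low"},
    {"item_id": "Monthly report", "entitlement": "ent-legacy-report", "owner": "owner.bi", "risk_tier": "low"},
    {"item_id": "Payments API key", "entitlement": "ent-payments-key", "owner": "", "risk_tier": "medium"},
    {"item_id": "Platform tooling", "entitlement": "ent-cluster-admin", "owner": "owner.platform", "risk_tier": "low"},
    {"item_id": "Old SSO app", "entitlement": "ent-sso-old", "owner": "owner.it", "risk_tier": "low"},
]


def is_admin_scope(scope: str) -> bool:
    """Assumed scope convention: '<resource>:admin' denotes an administrative path."""
    return scope.endswith(":admin")


def find_drift(catalogue, authoritative):
    """Return one Finding per control gap, in catalogue order, so the run itself is evidence."""
    findings = []
    first_seen = {}                      # entitlement id -> first catalogue item that exposes it
    for item in catalogue:
        item_id, ent_id = item["item_id"], item["entitlement"]
        ent = authoritative.get(ent_id)
        if ent is None:
            findings.append(Finding(item_id, "stale", f"{ent_id} not in authoritative source"))
            continue                     # nothing else can be checked against a missing record
        if not ent["active"]:
            findings.append(Finding(item_id, "stale", f"{ent_id} is inactive at source"))
        if ent_id in first_seen:
            findings.append(Finding(item_id, "duplicate", f"same entitlement as '{first_seen[ent_id]}'"))
        else:
            first_seen[ent_id] = item_id
        if not item["owner"]:
            findings.append(Finding(item_id, "no-owner", "catalogue item has no accountable owner"))
        elif item["owner"] != ent["owner"]:
            findings.append(Finding(item_id, "owner-mismatch",
                                    f"catalogue says {item['owner']}, source says {ent['owner']}"))
        if any(is_admin_scope(s) for s in ent["scopes"]) and item["risk_tier"] != "high":
            findings.append(Finding(item_id, "hidden-admin-path",
                                    f"admin scope offered at risk tier '{item['risk_tier']}'"))
    return findings


def summarise(findings):
    """Counts per drift kind, usable as a periodic review metric."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    drift = find_drift(CATALOGUE, AUTHORITATIVE)
    for f in drift:
        print(f"{f.kind:18} {f.item_id:28} {f.detail}")
    print(summarise(drift))
```

Running the module prints five findings: the legacy-named duplicate, the inactive report, the ownerless API key, the admin scope hidden at a low tier, and the item whose entitlement no longer exists at source. The `summarise` counts are the kind of figure a review cadence can track over time, since a catalogue that is actually synchronised with the entitlement source should trend toward zero.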

Common Variations and Edge Cases

Tighter catalogue governance often increases friction for business teams, so organisations must balance request speed against control integrity. That tradeoff is real, especially when the catalogue serves both human access and automated NHIs, because different request types need different approval depth and review cadence.

Best practice is evolving, but current guidance suggests a few patterns. First, high-risk items should never be fully self-approved, even if the catalogue makes that possible. Second, low-risk items can be streamlined, but only if the entitlement is already pre-approved and the control boundaries are explicit. Third, exception handling needs its own workflow; otherwise, temporary bypasses become permanent access paths. NHI Management Group’s Regulatory and Audit Perspectives section is relevant because regulators and auditors care less about catalogue convenience than about whether the access trail is defensible.
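To make the request path described in this section and in the practice section above concrete, here is an added Python example (written for this FAQ; it is not a product's workflow engine or NHI Management Group's own tooling). Each catalogue item carries the metadata the guidance calls for (owner, allowed requester population, environments, risk tier, review cadence, maximum grant length); approval depth is derived from the risk tier rather than from the request form; self-approval is refused at every tier; exceptions take their own short-lived path; and denials produce the same durable record as grants. The item names, owners, roles, tiers and the 7-day exception cap are constructed assumptions.

```python
"""Approval-policy evaluation for a governed catalogue item (hypothetical example
written for this FAQ, not a product's workflow engine).  Approval depth comes
from the item's risk tier, self-approval is refused at every tier, exceptions
take a separate short-lived path, and denials are recorded like grants."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

EXCEPTION_MAX_DAYS = 7  # assumed cap so a temporary bypass cannot become permanent


@dataclass(frozen=True)
class CatalogueItem:
    item_id: str
    owner: str                # accountable owner; approves anything not pre-approved
    allowed_roles: frozenset  # eligible requester population
    environments: frozenset   # where the grant may be made
    risk_tier: str            # "low", "medium" or "high"
    pre_approved: bool        # only low-risk items may skip a human approver
    max_grant_days: int       # every grant is time-bound
    review_days: int          # review cadence carried by the item


@dataclass(frozen=True)
class Requester:
    identity: str
    roles: frozenset
    environment: str
    kind: str                 # "human" or "nhi"


@dataclass(frozen=True)
class AuditRecord:
    item_id: str
    requester: str
    approver: Optional[str]
    decision: str             # "granted" or "denied"
    reason: str
    expires_at: Optional[datetime] = None
    next_review_at: Optional[datetime] = None


def is_visible(item, requester):
    """Visibility is itself a control: ineligible requesters never see the item."""
    return bool(item.allowed_roles & requester.roles) and requester.environment in item.environments


def required_approvals(item, requester):
    """Deterministic depth from item metadata; NHIs get no streamlined path here."""
    if item.risk_tier == "high":
        return 2              # owner plus an independent second approver
    if item.risk_tier == "medium" or requester.kind == "nhi":
        return 1
    return 0 if item.pre_approved else 1


def evaluate_request(item, requester, approvers, justification, now):
    """Decide one request; denials get the same durable record as grants."""
    def deny(reason):
        return AuditRecord(item.item_id, requester.identity, None, "denied", reason)

    approvers = sorted(set(approvers))
    if not is_visible(item, requester):
        return deny("requester not in allowed population or environment")
    if not justification.strip():
        return deny("missing justification")
    if requester.identity in approvers:
        return deny("self-approval is not permitted")  # enforced at every tier
    needed = required_approvals(item, requester)
    if needed and item.owner not in approvers:
        return deny("owner approval missing")
    if len(approvers) < needed:
        return deny(f"{needed} approval(s) required, {len(approvers)} given")
    return AuditRecord(item.item_id, requester.identity,
                       ",".join(approvers) if approvers else "policy:pre-approved",
                       "granted", justification,
                       expires_at=now + timedelta(days=item.max_grant_days),
                       next_review_at=now + timedelta(days=item.review_days))


def evaluate_exception(item, requester, approvers, justification, now):
    """Exceptions reuse the full check but expire quickly and are labelled as such."""
    record = evaluate_request(item, requester, approvers, justification, now)
    if record.decision != "granted":
        return record
    expiry = now + timedelta(days=min(item.max_grant_days, EXCEPTION_MAX_DAYS))
    return replace(record, reason="exception: " + justification,
                   expires_at=expiry, next_review_at=expiry)


# Constructed sample data (not real entitlements or identities).
CATALOGUE = [
    CatalogueItem("svc-dashboard-read", "owner.bi", frozenset({"analyst", "engineer"}),
                  frozenset({"prod", "staging"}), "low", True, 90, 90),
    CatalogueItem("api-key-payments", "owner.payments", frozenset({"engineer"}),
                  frozenset({"prod"}), "high", False, 30, 30),
]
ALICE = Requester("alice", frozenset({"engineer"}), "prod", "human")
CI_BOT = Requester("ci-bot", frozenset({"analyst"}), "staging", "nhi")
NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)
```

With this data, `evaluate_request(CATALOGUE[0], ALICE, [], "dashboards for on-call", NOW)` grants the pre-approved low-risk item with a 90-day expiry and records `policy:pre-approved` as the approver, while the same item requested by `CI_BOT` is denied for lack of an owner approval because the example gives NHIs no streamlined path. The high-risk API key is denied when the requester appears in the approver list, denied again with one approver, granted for 30 days with the owner plus a second approver, and, via `evaluate_exception`, capped at 7 days with the reason prefixed `exception:` so the record can be found and revoked later.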

Edge cases appear when catalogues span multiple environments, acquired business units, or third-party integrations. In those settings, local naming conventions and inconsistent ownership can make a catalogue look complete while silently omitting critical controls. Where evidence quality matters, teams should treat catalogue governance as part of identity governance, not as a separate UX problem. If there is no reliable entitlement source of truth, the catalogue will eventually define policy by accident rather than by design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-01                Catalogue drift often exposes overprivileged NHIs and weak lifecycle control.
NIST CSF 2.0                     PR.AC-4               Access approval and entitlement governance map directly to controlled permissions.
NIST AI RMF                                            Governance failures mirror broader AI and automation accountability gaps.

Require catalogue requests to enforce least privilege, approval traceability, and periodic access review.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.