What breaks when shadow data is not included in access reviews?

Why This Matters for Security Teams

Access reviews are supposed to answer a simple question: who can reach what, and why. When shadow data is excluded, that answer becomes incomplete by design. Teams may certify the obvious repositories while missing copies in old shares, forgotten SaaS workspaces, backups, exports, and automation paths that still contain the same sensitive material. That creates a false sense of control, especially when NHI access is involved because service accounts, API keys, and jobs often bypass human review workflows. The risk is not just leftover access, but misaligned remediation that removes the wrong path and leaves the real exposure intact. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs — Key Research and Survey Results, which is exactly why hidden copies matter so much. Current guidance in the OWASP Non-Human Identity Top 10 treats visibility and entitlement accuracy as core controls, not optional hygiene. In practice, many security teams discover shadow data only after a review has already signed off on an access pattern that never covered the real storage locations.

How It Works in Practice

A useful access review must cover data location, identity path, and exposure path together. If the review only checks a named repository, it misses copies created by sync jobs, exports, analytics pipelines, ticket attachments, email forwarding, object storage replication, and developer test datasets. That is where NHI governance becomes operational: the identities that touch shadow data are often non-human, long-lived, and poorly inventoried. The relevant question is not just “who has access?” but “which credentials, tokens, and automated workflows can still reach this data?” Practitioners usually need three moves:

• Inventory shadow data sources before certification, including unmanaged shares, archived stores, and derived datasets.
• Map access to the actual workload identity, not just the person who requested it, using the service account or automation account that performs the access.
• Review the secret or token lifecycle so stale credentials cannot preserve access after the source system is cleaned up.

This is where lifecycle controls matter. The NHI Lifecycle Management Guide frames discovery, rotation, and offboarding as continuous activities, which is the correct model when shadow data can persist outside the original system of record. The OWASP Non-Human Identity Top 10 also reinforces that excessive privilege and weak secret governance are common failure modes, especially when access reviews are performed as checkbox exercises. A 2024 NHI Mgmt Group finding in the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which shows why review scope must include the accounts that can silently retain access. These controls tend to break down when shadow copies live in ad hoc collaboration tools and CI/CD-linked storage because those locations are rarely tied into the normal review inventory.

Common Variations and Edge Cases

Tighter review scope often increases operational overhead, requiring organisations to balance completeness against the effort of finding every hidden copy. That tradeoff becomes sharper in distributed environments, where data is replicated for analytics, resilience, or partner exchange. There is no universal standard for how aggressively every shadow location must be searched, but current guidance suggests the review should at minimum cover high-risk data classes, privileged automation paths, and locations with persistent or inherited permissions. Edge cases matter. A file share with no active human users may still be exposed through a nightly export job. A decommissioned application may still have a valid API key in a secrets store. A repository with “read-only” access may still leak sensitive data because a downstream pipeline copied it elsewhere. In those situations, removing entitlements from the source system provides little real reduction in exposure. The 52 NHI Breaches Analysis is useful here because it illustrates how overlooked non-human paths often persist after the obvious access has been cleaned up. Best practice is evolving toward access certification plus data lineage validation, but there is no universal standard for shadow-data reconciliation yet. Organisations should therefore treat uncatalogued repositories as unresolved risk, not as cleanly approved assets.

Related resources from NHI Mgmt Group

• What breaks when SaaS subscriptions are not tied to access reviews?
• How should security teams run access reviews for non-human identities?
• When do NHI access reviews create more value than a one-time cleanup?
• What breaks when access reviews rely on memory instead of ownership data?