Orphaned access survives. That means vendor accounts, tokens, or integrations may still reach sensitive systems after the supplier no longer needs them, which turns a closed relationship into a standing exposure. The failure is lifecycle control, not simply a missed administrative task.
Why This Matters for Security Teams
Verified offboarding is what turns a relationship ending into access ending. When that verification is missing, vendor accounts, API keys, service principals, and automation paths can continue to authenticate long after the business rationale has disappeared. That creates a control gap across IAM, PAM, and secrets governance, not just a cleanup issue. NHI Management Group’s NHI Lifecycle Management Guide treats offboarding as a lifecycle control because revocation, rotation, and decommissioning must be proven, not assumed.
The risk is amplified by the scale of non-human access and by poor visibility into where it lives. In the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, while 96% store secrets outside secrets managers in vulnerable places such as code, config files, and CI/CD tools. That means one missed deprovisioning step can leave multiple copies of the same vendor access behind. Current guidance from the NIST Cybersecurity Framework 2.0 points to continuous protection and access governance, but the practical problem is proving the vendor is fully removed from every trust path.
In practice, many security teams encounter the failure only after a vendor contract has ended and an old integration is still reachable from production.
How It Works in Practice
Verified vendor offboarding should combine identity deactivation, secret revocation, and technical validation. A ticket marked closed is not evidence; the organisation needs confirmation that every vendor identity has lost the ability to authenticate, every token has been invalidated, and every shared credential has been rotated where exposure is possible. That is why NHI governance maps so closely to Zero Trust thinking. The Top 10 NHI Issues highlights lifecycle failures because orphaned machine access often persists in parallel systems that are not owned by the same team.
- Revoke the vendor’s primary identity in IAM, SSO, or the cloud control plane.
- Rotate or replace any API keys, certificates, SSH keys, and shared secrets the vendor touched.
- Disable webhooks, CI/CD runners, service accounts, and automation jobs tied to that vendor.
- Check logs for recent use, then validate that access has actually stopped, not merely been disabled in one directory.
- Document proof of revocation and assign an owner for any residual dependency.
Frameworks such as NIST Cybersecurity Framework 2.0 support the operational expectation that access is governed continuously, while the Schneider Electric credentials breach shows how credentials left in circulation can be operationally damaging even after the original business need is gone. These controls tend to break down when vendors have embedded access in multiple business units, because no single team can see or revoke the full trust chain.
Common Variations and Edge Cases
Tighter offboarding control often increases operational overhead, requiring organisations to balance faster supplier exit against stronger assurance that nothing remains active. Best practice is evolving on how much automation should be mandatory versus manual for high-risk vendors, but there is no universal standard for this yet. For low-risk contractors, some teams accept checklist-driven revocation; for privileged suppliers, current guidance suggests proof-based validation, layered approval, and a final credential sweep.
The hardest edge cases are shared accounts, embedded integrations, and third-party managed tooling. A vendor may not hold a single named account at all, but instead operate through a shared service principal, a certificate in a pipeline, or a token stored in a vault that another team also uses. In those situations, verified offboarding must include ownership tracing and dependency mapping, because revoking one identity may not remove the actual access path. The Ultimate Guide to NHIs — The NHI Market underscores how widely NHIs are distributed across modern enterprises, which is why offboarding is as much about discovery as it is about deactivation. When vendors operate inside CI/CD, cloud automation, or backup tooling, manual offboarding often misses hidden secrets that continue to authenticate long after the contract ends.
In mature environments, the question is not whether a vendor was removed from the contract list, but whether the organisation can prove the last remaining credential was actually dead.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding fails when NHI credentials are not revoked or rotated. |
| NIST CSF 2.0 | PR.AC-4 | Vendor offboarding is an access governance and least-privilege control. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification, not assumed access removal. |
Map vendor access to PR.AC-4 and require proof of revocation before closing offboarding.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
