Security teams often treat inventories as a list of accounts instead of a map of access. That misses the real risk, which is how an identity can move through inheritance, delegated trust, and cross-platform permissions. A complete inventory should answer who owns the identity, what it can reach, and what it can reach next.
Why This Matters for Security Teams
Identity inventories fail when they are built as static account registers rather than operational maps of access, ownership, and delegation. That blind spot is especially dangerous for NHIs because service accounts, API keys, OAuth grants, and workload credentials often inherit trust across systems without a human ever “logging in.” NIST Cybersecurity Framework 2.0 treats identity as part of governance and access control, not a one-time spreadsheet exercise, which is why inventory quality directly affects control effectiveness.
NHIMG research shows the scale of the problem. Its Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, while only 5.7% of organisations have full visibility into their service accounts. That combination means teams are often reviewing the wrong object, then assuming the inventory is complete because the account exists somewhere in a directory. Real risk sits in the links between identities, permissions, secrets, and downstream trust paths.
In practice, many security teams discover hidden access only after an incident reveals how far a single credential could move across platforms.
How It Works in Practice
A useful identity inventory should answer four questions: who owns the identity, what system created it, what it can access now, and what it can access next through inherited or delegated trust. That means inventory data has to be stitched together from IAM, cloud permissions, SaaS apps, CI/CD tooling, vaults, and audit logs. A service account with no recent activity may still be the most dangerous entry in the estate if it holds long-lived secrets or is referenced by automation that no one monitors.
Current guidance suggests treating this as a graph problem rather than a list problem. NIST guidance on identity and access management aligns with this by emphasizing control over authentication, authorisation, and governance as ongoing functions, not periodic checks. For NHI-specific lifecycle issues, the NHI Lifecycle Management Guide is useful because it frames creation, use, rotation, and offboarding as linked stages rather than separate admin tasks. The same is true for the Top 10 NHI Issues, where visibility gaps and over-privilege repeatedly show up as root causes.
- Map each identity to an owner, purpose, and expiry condition.
- Record direct entitlements plus inherited access through groups, roles, and app-to-app trust.
- Capture secret location, rotation status, and last observed use.
- Track downstream systems and workflows that depend on the identity.
The best inventories also flag third-party exposures, especially OAuth grants and vendor integrations, because those often bypass normal access review workflows. These controls tend to break down in fragmented environments where cloud, SaaS, and CI/CD records are maintained in separate tools with no shared ownership model.
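The graph view described above, as an added example that is not NHIMG's code: a constructed three-identity inventory with group, delegated and app-to-app trust edges, a reachability walk that answers "what can it reach next", the reverse question "who can reach this role or resource", and the ownership, dormancy, rotation and third-party flags the list above asks for. All identity names, roles, resources and dates are constructed assumptions.

```python
from collections import deque
from datetime import date
# Constructed inventory records (not real data) with the fields the text asks for.
IDENTITIES = {
    "ci-deployer": {"owner": "platform-team", "secret": "vault:kv/ci/deployer",
                    "rotated": date(2025, 1, 10), "last_used": date(2025, 2, 1), "third_party": False},
    "svc-legacy-etl": {"owner": None, "secret": "env var on etl-host-01",
                       "rotated": date(2023, 3, 5), "last_used": date(2024, 10, 15), "third_party": False},
    "oauth-vendor-x": {"owner": "finance", "secret": "oauth grant, no rotation record",
                       "rotated": None, "last_used": date(2025, 2, 3), "third_party": True},
}
# Directed trust edges: group/role membership, delegated (app-to-app) trust, and entitlements.
EDGES = [
    ("ci-deployer", "role:deployers"), ("role:deployers", "res:prod-cluster"),
    ("svc-legacy-etl", "role:data-admin"), ("role:data-admin", "res:warehouse"),
    ("role:data-admin", "role:deployers"),  # nested delegation: the ETL account can reach prod too
    ("oauth-vendor-x", "res:finance-saas"),
]

def effective_reach(identity):
    """Every node reachable from identity by following inherited or delegated trust (BFS)."""
    adjacency = {}
    for src, dst in EDGES:
        adjacency.setdefault(src, []).append(dst)
    seen, queue = set(), deque([identity])
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def resources_reachable(identity):
    """Resources the identity can reach now or next, via groups, roles and delegation."""
    return sorted(n for n in effective_reach(identity) if n.startswith("res:"))

def who_can_reach(node):
    """Identities whose trust path includes node: the real review set for a role or resource."""
    return sorted(i for i in IDENTITIES if node in effective_reach(i))

def inventory_findings(today, stale_days=90, max_secret_age_days=365):
    """Flag ownerless, dormant, unrotated and third-party identities, each with its reach."""
    findings = {}
    for name, m in IDENTITIES.items():
        checks = [("no-owner", m["owner"] is None),
                  ("dormant", (today - m["last_used"]).days > stale_days),
                  ("rotation-overdue", m["rotated"] is None or (today - m["rotated"]).days > max_secret_age_days),
                  ("third-party-grant", m["third_party"])]  # grants that often bypass access review
        findings[name] = {"flags": [f for f, hit in checks if hit], "reach": resources_reachable(name)}
    return findings
```

The dormant ETL account with an unowned, unrotated secret turns out to reach the production cluster through nested delegation, which is exactly the link a flat account register would miss.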
Common Variations and Edge Cases
Tighter inventory controls often increase maintenance overhead, requiring organisations to balance visibility against the cost of continuous reconciliation. That tradeoff is especially visible in environments with ephemeral workloads, infrastructure-as-code, or delegated administration, where identities may be created and destroyed faster than a quarterly review can capture them.
There is no universal standard for how much lineage detail an inventory must retain, but current best practice is evolving toward minimum viable provenance: origin, owner, permissions, and revocation path. In higher-risk environments, teams should include secrets provenance and trust-chain mapping, not just account metadata. NHIMG’s State of Non-Human Identity Security reports that only 1.5 out of 10 organisations are highly confident in securing NHIs, which reinforces that completeness is not the same as control.
Edge cases matter. Shared service accounts, break-glass credentials, external vendor OAuth apps, and machine identities embedded in pipelines often fall outside normal identity review cycles. These cases should be handled explicitly, with separate ownership and review cadences, because the inventory model breaks down when the identity exists in one platform but its effective access is enforced in another.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Identity inventories must capture ownership, secrets, and privilege paths. |
| NIST CSF 2.0 | ID.AM-5 | Asset management includes identities and their dependencies across environments. |
| CSA MAESTRO | GOV-2 | Agent and workload governance depends on clear identity lineage and accountability. |
Maintain an inventory of identities and their trust relationships, not just named accounts.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org