Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What do security teams get wrong about manual…
Governance, Ownership & Risk

What do security teams get wrong about manual maintenance jobs?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

They assume recurring admin work will happen consistently without a formal control. In practice, manual tasks are easy to delay during busy periods, and once the work is forgotten, the resulting buildup can affect performance long before anyone notices the root cause.

Why This Matters for Security Teams

Manual maintenance jobs look harmless because they are routine, but that is exactly why they are often left outside formal control design. Security teams commonly assume an admin task will happen on schedule without needing an explicit owner, verification step, or alert when it does not. The result is not just operational drift; it is accumulation, stale state, and avoidable exposure that can sit unnoticed until performance drops or an incident forces a review. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it treats governance, monitoring, and recovery as active disciplines rather than background assumptions.

In NHI-heavy environments, manual jobs often touch secrets, rotation schedules, certificates, logs, cleanup tasks, and access reviews. When those jobs are not enforced through workflow and evidence, the organisation has no reliable signal that the work happened. That is where small delays become security debt, especially when dormant credentials or expired artifacts remain in place long enough to be exploited. The issue is not the job itself, but the false belief that recurring human action behaves like an automated control. In practice, many security teams encounter the failure only after backlog, outage, or credential sprawl has already become visible.

How It Works in Practice

The practical mistake is treating recurring maintenance as if reminder culture equals control. A manual task may be documented, but unless it has an accountable owner, deadline, verification, and escalation path, it is still optional in day-to-day operations. Current guidance suggests converting high-risk recurring work into a managed control with evidence, especially when the task affects secrets, certificates, NHI access, or cleanup of stale system state.

For example, a maintenance job might include:

  • rotating long-lived credentials before their TTL becomes operationally risky;
  • reviewing orphaned NHIs and service accounts;
  • clearing expired certificates, tokens, and stale API keys;
  • validating that patch or maintenance windows actually completed;
  • recording completion in a system that can be audited, not just remembered.

This is where governance matters. A manual job should be designed like a control objective, not a courtesy. If the work is important enough to affect production stability or security posture, it should have an explicit trigger, an escalation rule when missed, and a measurable outcome. The State of Non-Human Identity Security report from Astrix Security & CSA found that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, which reinforces how quickly “we’ll do it later” becomes exposure.

Security teams should also distinguish between tasks that can remain human-executed and those that should be automated. If the task is frequent, failure-prone, or security-sensitive, automation with logging is usually the safer model. If it must remain manual, then the control needs compensating evidence such as ticket closure, peer review, or exception tracking. These controls tend to break down in lean operations with shared admin ownership and no single system of record, because the work becomes invisible the moment staff get busy.

Common Variations and Edge Cases

Tighter maintenance control often increases operational overhead, requiring organisations to balance reliability against staff capacity and change friction. That tradeoff is real: some environments cannot fully automate every admin job because of legacy systems, vendor constraints, or change-control requirements. Best practice is evolving, but the principle is stable: the more security-sensitive the task, the less acceptable it is to rely on memory and goodwill alone.

One edge case is low-frequency work such as quarterly access recertification or annual certificate replacement. These jobs are especially easy to miss because they do not create daily noise, yet a missed cycle can leave stale access or expired trust material in place for months. Another edge case is shared responsibility between infrastructure, application, and security teams. If ownership is split, each group may assume another group handled the work, which is how routine maintenance becomes nobody’s problem.

Manual work also becomes riskier when the organisation has poor visibility into NHI inventory or secret sprawl. In those environments, the real issue is not just missed maintenance but the absence of a dependable control map. The LLMjacking research shows how quickly exposed credentials can be abused, which is a reminder that delayed maintenance is not merely inefficient, it can shorten the time attackers have to find and use what should have been removed. The practical answer is to instrument the work, not trust the calendar.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Manual upkeep often fails when rotation and cleanup are not enforced.
NIST CSF 2.0PR.IP-1Recurring maintenance is a process control, not an informal habit.
NIST AI RMFThe governance function applies to recurring operational controls and accountability.

Automate secret rotation and verify recurring maintenance with auditable completion evidence.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org