Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What do security teams get wrong about password…
Governance, Ownership & Risk

What do security teams get wrong about password hygiene under NIS2?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

They often mistake complexity rules for real credential security. NIS2 is about whether credentials are trusted, monitored, and revoked when exposure appears. A policy that allows reused or breached passwords is not an effective control, even if it looks strong on paper.

Why This Matters for Security Teams

NIS2 pushes organisations to treat credential hygiene as an operational resilience issue, not a box-ticking exercise. Security teams often over-focus on password complexity, expiry rules, and periodic resets while missing the real control objective: whether an account or secret can be trusted at the moment it is used, then rapidly detected and revoked when risk changes. That distinction matters because compromised credentials remain one of the fastest paths from initial access to broader impact.

The NIS2 Directive - official EU legal text expects proportionate technical and organisational measures, which aligns more closely with monitoring, rotation, and revocation than with password composition alone. NHIMG research also shows that 71% of NHIs are not rotated within recommended time frames, and 91.6% of secrets remain valid five days after notification, which makes delay in response a bigger failure mode than weak-looking policy language. The Ultimate Guide to NHIs - Regulatory and Audit Perspectives frames this as a governance problem as much as a technical one.

In practice, many security teams encounter credential abuse only after lateral movement or service disruption has already occurred, rather than through intentional monitoring and revocation design.

How It Works in Practice

Under NIS2, password hygiene should be interpreted as part of a broader identity assurance and credential lifecycle program. For human users, that means rejecting reused or breached passwords, enforcing phishing-resistant MFA where appropriate, and monitoring for compromise signals. For non-human identities, the same logic applies more rigorously because secrets are often embedded in code, CI/CD systems, and integrations rather than protected by a person at login time.

Current guidance suggests security teams should pair policy with runtime controls: vaulting, short-lived secrets, automated rotation, detection of leaked credentials, and revocation workflows tied to incident response. The ENISA Threat Landscape is a useful reminder that credential theft is rarely isolated from broader attack chains. NHIMG research shows 96% of organisations store secrets outside secrets managers in vulnerable locations, and 79% have experienced secrets leaks, which means the practical problem is not whether a password meets a policy baseline but whether the organisation can prove exposure handling end to end.

  • Block known-breached and reused passwords, then verify enforcement through testing, not policy text.
  • Use secrets managers and automate rotation for API keys, service accounts, and administrative credentials.
  • Log authentication, secret access, and revocation events so compromise indicators are visible quickly.
  • Define time-bound ownership for every credential so offboarding and emergency invalidation are not ad hoc.

These controls tend to break down when credentials are hard-coded into legacy systems or shared across multiple services because revocation becomes disruptive and ambiguous.

Common Variations and Edge Cases

Tighter credential controls often increase operational overhead, requiring organisations to balance assurance against service continuity. That tradeoff is especially visible in industrial environments, legacy applications, and supplier-managed integrations where frequent rotation or MFA cannot simply be bolted on without outages or redesign.

Best practice is evolving for these edge cases. Some environments still rely on long-lived credentials because the application cannot support modern authentication flows, but that should be treated as a documented exception with compensating controls, not as evidence of adequate password hygiene. In third-party and machine-to-machine scenarios, the question is not whether a secret is complex, but whether its scope, lifespan, and revocation path are tightly controlled. The Ultimate Guide to NHIs - Regulatory and Audit Perspectives is particularly relevant where audit evidence must show that credential governance covers both creation and retirement, not just policy approval.

There is no universal standard for this yet across every industry, but a defensible NIS2 posture usually means demonstrating breach-aware hygiene, rapid invalidation, and continuous visibility. Teams that equate “strong password rules” with security often miss the real failure mode: credentials that are valid, unmonitored, and still trusted long after they should have been revoked.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST AI RMF set the technical controls, and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIS2Article 21Sets the expectation for risk management measures, including credential and access controls.
NIST CSF 2.0PR.AC-1Credential assurance depends on controlling access and authenticating identities correctly.
OWASP Non-Human Identity Top 10NHI-03Covers rotation and lifecycle gaps that make long-lived secrets risky.
NIST AI RMFAI systems and agents often rely on machine credentials that need runtime oversight.

Validate passwords and secrets against access policy, then monitor for reuse, compromise, and stale access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org