They often focus on the hardware lifecycle and ignore the identity lifecycle. The real control question is who is authorised at the moment of use, how that access is revoked, and whether the system can prove it. Without that, lost devices and open sessions become governance failures, not just asset issues.
Why This Matters for Security Teams
Shared-device programmes are often treated as an endpoint hygiene problem, but the real exposure is identity reuse. When multiple people sign into the same phone, tablet, kiosk, or workstation, the device becomes a container for sessions, tokens, and cached access decisions. That means a clean asset inventory can still leave active access behind, especially where offboarding is slow or access is granted outside formal IAM workflows. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a warning sign for any environment where access is handed from one person to another.
Security teams also tend to over-trust the device boundary. If the shared device can keep sessions alive, remember credentials, or bypass step-up checks, then “shared” becomes “persistently authorised.” That creates audit problems, incident response gaps, and compliance risk because the organisation may not be able to prove who acted at a specific moment. This aligns with the broader identity lifecycle issues described in the Ultimate Guide to NHIs and with the control emphasis in NIST Cybersecurity Framework 2.0.
In practice, many security teams discover shared-device abuse only after a session hijack, disputed transaction, or failed investigation has already exposed the weak handoff process.
How It Works in Practice
A defensible shared-device programme starts with identity at the moment of use, not with the physical device. Each user should authenticate separately, receive access appropriate to the task, and leave behind nothing that can be reused by the next person. That usually means short-lived sessions, rapid logout, device lock on inactivity, and strong revocation on role change, shift change, or exit. Where possible, session binding should be tied to a specific user and a specific context, so the device cannot silently inherit authority from the previous user.
For higher-risk environments, teams should treat the device as an access broker rather than an identity source. That means using MFA, context-aware policy, and centralized logging for every handoff. The same control logic should apply whether the shared endpoint is a retail kiosk, a warehouse scanner, a clinical workstation, or a contractor laptop. The important question is whether the system can prove the current user and terminate that user’s access immediately after use.
- Require unique authentication for every handoff, even on the same device.
- Disable persistent sign-in, browser password saving, and long-lived refresh tokens where feasible.
- Use conditional access and step-up controls for sensitive workflows.
- Automate session termination when shift, location, or employment status changes.
- Log identity, time, and device context for each access event.
In the NHI context, this is the same lifecycle discipline that protects service accounts and API keys: access must be issued, bounded, monitored, and revoked. NHI Management Group’s Ultimate Guide to NHIs highlights how weak revocation and excessive privilege turn routine access into persistent exposure, and the same pattern appears on shared endpoints. These controls tend to break down when shared devices must function offline for long periods because revocation, logging, and policy checks cannot be enforced in real time.
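The handoff discipline described above (one authenticated user per device at a time, short idle timeouts, step-up for sensitive actions, revocation on handoff or status change, and an audit record for every event) as a small in-memory session broker. This is an added example, not code from the page or from NHI Management Group; the class name, the 900/120-second timeouts and the "low"/"sensitive" tiers are assumptions chosen for illustration.

```python
"""Shared-device session broker: at most one live session per device, bound to
the current user and device, with tiered idle timeouts, step-up checks,
revocation on handoff / status change, and an audit trail per event."""
from dataclasses import dataclass, field
import secrets

# Assumed policy: sensitive-tier sessions expire much faster when idle.
IDLE_TIMEOUT = {"low": 900, "sensitive": 120}  # seconds


@dataclass
class Session:
    user: str
    device: str
    tier: str        # "low" or "sensitive"
    mfa: bool        # whether this session was opened with MFA
    last_seen: float
    token: str = field(default_factory=lambda: secrets.token_hex(16))


class SharedDeviceBroker:
    def __init__(self):
        self.active = {}   # device -> Session: one session per device, never more
        self.audit = []    # identity, time and device context for every event

    def _log(self, event, **ctx):
        self.audit.append({"event": event, **ctx})

    def login(self, user, device, now, mfa=False, tier="low"):
        # Handoff: whatever the previous user left on this device dies first.
        prev = self.active.pop(device, None)
        if prev:
            self._log("revoked_on_handoff", user=prev.user, device=device, at=now)
        if tier == "sensitive" and not mfa:   # stronger proof for higher-risk tier
            self._log("denied_no_mfa", user=user, device=device, at=now)
            return None
        s = Session(user, device, tier, mfa, now)
        self.active[device] = s
        self._log("login", user=user, device=device, tier=tier, at=now)
        return s.token

    def authorize(self, token, device, action_tier, now):
        s = self.active.get(device)
        # Token must match the session currently bound to *this* device.
        if s is None or not secrets.compare_digest(s.token, token):
            return False
        if now - s.last_seen > IDLE_TIMEOUT[s.tier]:
            self.revoke(device, "idle_timeout", now)
            return False
        if action_tier == "sensitive" and not s.mfa:   # step-up not satisfied
            self._log("step_up_required", user=s.user, device=device, at=now)
            return False
        s.last_seen = now
        self._log("access", user=s.user, device=device, tier=action_tier, at=now)
        return True

    def revoke(self, device, reason, now):
        s = self.active.pop(device, None)
        if s:
            self._log("revoked", user=s.user, device=device, reason=reason, at=now)
        return s is not None

    def revoke_user(self, user, reason, now):
        # Shift end / exit: terminate every session this user holds, on any device.
        return [d for d in list(self.active)
                if self.active[d].user == user and self.revoke(d, reason, now)]
```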
Common Variations and Edge Cases
Tighter session controls often increase friction for frontline users, requiring organisations to balance usability against the need for provable access control. That tradeoff is real in environments like hospitals, warehouses, schools, and retail, where speed matters and devices are intentionally pooled. Current guidance suggests the safest approach is not blanket trust, but tiered trust: low-risk functions can use simpler re-authentication, while sensitive actions should require stronger proof and shorter session lifetimes.
One common edge case is the shared kiosk or shared browser profile that supports multiple users without full logout. That design often leaves tokens, autofill data, and application state behind, which defeats the purpose of a shared-device programme. Another is contractor or seasonal-worker access, where teams focus on badge return but forget to revoke application sessions. In mature programmes, device cleanup, identity revocation, and audit logging are linked as one process, not three separate tickets.
There is no universal standard for every shared-device pattern yet, but the direction is clear: access should be time-bound, attributable, and revocable. Where organisations need a policy baseline, the NIST Cybersecurity Framework 2.0 is useful for structuring governance, while the NHI lesson is to treat every handoff as an identity event, not just a device event. Shared-device programmes fail fastest when offline caches, shared profiles, or unmanaged app sessions allow the next user to inherit the previous user’s authority.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared devices often fail when credentials and sessions are not rotated or revoked. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be enforced and removed at the moment of use. |
| NIST AI RMF | | The governance lesson is identity attribution and accountability at runtime. |
Use AI RMF governance thinking to ensure access, logs, and accountability survive each handoff.
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org