
What is the difference between design effectiveness and operating effectiveness in compliance audits?

By NHI Mgmt Group Editorial Team Updated May 16, 2026 Domain: Governance, Ownership & Risk

Design effectiveness asks whether a control should satisfy the requirement on paper. Operating effectiveness asks whether that control actually works in practice and produces evidence over time. In DORA contexts, both matter, because a documented control that cannot generate proof is still a compliance gap.

Why This Matters for Security Teams

Design effectiveness and operating effectiveness answer two different audit questions, and teams often blur them. A control can be perfectly stated in a policy, mapped to a framework, and approved by management, yet still fail because it is not implemented, not used, or cannot prove it worked over time. That distinction matters in DORA, where evidence of resilience is as important as the control statement itself.

For NHI-heavy environments, this gap is easy to miss because secrets, service accounts, API keys, and automation tokens are often spread across CI/CD, vaults, code, and cloud platforms. NHIMG research shows that 96% of organisations store secrets outside secrets managers in vulnerable locations, which makes proof of operating effectiveness harder to produce and easier to dispute. See Ultimate Guide to NHIs — Regulatory and Audit Perspectives and NIST Cybersecurity Framework 2.0 for the control and evidence mindset auditors expect.

In practice, many security teams encounter operating failures only after an audit asks for sample evidence and the control cannot prove it was actually working.

How It Works in Practice

Design effectiveness is assessed by asking whether the control is logically capable of meeting the requirement. For example, a policy that requires all API keys to be vaulted, rotated, and logged may be well designed if the process and roles are clear. Operating effectiveness asks whether the organisation can show that those steps happened consistently, with evidence, across the audit period. That usually means records, tickets, logs, screenshots, alerts, and system outputs that demonstrate the control was active, not merely described.

Auditors typically test operating effectiveness by sampling transactions, time periods, and system events. For NHI controls, that can include secret rotation records, privileged access review outputs, vault audit logs, token issuance history, and offboarding evidence for service accounts. The key difference is traceability: a control is not operating effectively if it depends on ad hoc human memory or undocumented exception handling. The Top 10 NHI Issues resource is useful here because it shows how often gaps emerge in visibility, rotation, and privileged access, while the NHI Lifecycle Management Guide helps translate audit expectations into repeatable lifecycle evidence.

  • Design effectiveness: is the control written clearly and mapped to the requirement?
  • Operating effectiveness: did the control run as intended throughout the period?
  • Evidence: can the organisation prove execution with durable records, not assertions?

Where possible, align evidence collection to the control itself. For example, if rotation is the control, use system-generated rotation logs rather than manual attestations. If access review is the control, preserve reviewer sign-off, scope, and remediation proof. These controls tend to break down when NHI ownership is unclear across DevOps, platform, and security teams because no single group can produce end-to-end evidence.
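The following is an added example, not code from the original FAQ or from NHIMG, of what "use system-generated rotation logs rather than manual attestations" looks like as an operating-effectiveness test. It takes the control as designed (every in-scope key rotates at least every 90 days), then checks whether the rotation events actually cover the whole audit period for every key in the inventory. The inventory, the JSON-lines log format, its field names (`ts`, `event`, `key_id`) and the sample events are all constructed for this example; a real vault's audit log would need its own parser.

```python
"""Operating-effectiveness test for a secret-rotation control.

Design effectiveness is assumed: the policy says every inventoried key is
rotated at least every MAX_AGE_DAYS. This script checks the operating side,
using system-generated rotation events as evidence and reporting, per key,
every interval in the audit period where that evidence is missing.
All data below is constructed for illustration.
"""
import json
from datetime import date, datetime

# Constructed inventory of keys that are in scope for the control.
INVENTORY = ["svc-payments-api", "svc-ci-deploy", "svc-reporting-etl"]

# Constructed audit period and policy parameter.
AUDIT_START = date(2025, 1, 1)
AUDIT_END = date(2025, 6, 30)
MAX_AGE_DAYS = 90

# Constructed vault-style audit events (JSON lines). Field names are assumed.
ROTATION_LOG = """\
{"ts": "2024-11-01T08:00:00Z", "event": "secret.rotated", "key_id": "svc-ci-deploy"}
{"ts": "2024-12-20T08:00:00Z", "event": "secret.rotated", "key_id": "svc-payments-api"}
{"ts": "2025-02-01T08:00:00Z", "event": "secret.rotated", "key_id": "svc-ci-deploy"}
{"ts": "2025-03-15T08:00:00Z", "event": "secret.rotated", "key_id": "svc-payments-api"}
{"ts": "2025-04-02T10:00:00Z", "event": "secret.read", "key_id": "svc-reporting-etl"}
{"ts": "2025-05-20T08:00:00Z", "event": "secret.rotated", "key_id": "svc-ci-deploy"}
{"ts": "2025-06-05T08:00:00Z", "event": "secret.rotated", "key_id": "svc-payments-api"}
{"ts": "2025-06-12T08:00:00Z", "event": "secret.rotated", "key_id": "svc-legacy-batch"}
"""


def parse_rotation_events(log_text):
    """Return {key_id: sorted list of rotation dates} from JSON-lines events.

    Reads and renewals are evidence that a secret was used, not that the
    rotation control ran, so only "secret.rotated" events count.
    """
    rotations = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event") != "secret.rotated":
            continue
        # fromisoformat on older Pythons does not accept a trailing "Z".
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        rotations.setdefault(event["key_id"], []).append(ts.date())
    for dates in rotations.values():
        dates.sort()
    return rotations


def evaluate_rotation_control(inventory, log_text, period_start, period_end, max_age_days):
    """Test whether rotation evidence covers the whole period for every key.

    For each inventoried key the most recent rotation on or before the period
    start is the baseline; every gap between consecutive rotations (and from
    the last rotation to the period end) longer than max_age_days is a finding.
    Keys with no rotation evidence at all are findings too. Keys that appear in
    the log but not in the inventory are reported separately as a visibility gap.
    """
    rotations = parse_rotation_events(log_text)
    findings = {}
    for key_id in inventory:
        key_findings = []
        dates = rotations.get(key_id, [])
        if not dates:
            key_findings.append("no rotation evidence at all")
        else:
            baseline = [d for d in dates if d <= period_start]
            in_period = [d for d in dates if period_start < d <= period_end]
            last = baseline[-1] if baseline else None
            if last is None:
                key_findings.append("no rotation evidence on or before period start")
            for point in in_period + [period_end]:
                if last is not None:
                    gap = (point - last).days
                    if gap > max_age_days:
                        key_findings.append(
                            f"{gap} days without rotation evidence ({last} to {point})")
                last = point
        findings[key_id] = key_findings
    unexpected = sorted(set(rotations) - set(inventory))
    return {
        "effective": all(not f for f in findings.values()),
        "findings": findings,
        "unexpected_keys": unexpected,
    }


def run_example():
    """Run the test over the constructed data and return the result."""
    return evaluate_rotation_control(INVENTORY, ROTATION_LOG, AUDIT_START, AUDIT_END, MAX_AGE_DAYS)


if __name__ == "__main__":
    result = run_example()
    print("control operating effectively:", result["effective"])
    for key_id, key_findings in result["findings"].items():
        print(key_id, "->", key_findings or "no findings")
    print("rotated but not inventoried:", result["unexpected_keys"])
```

On the constructed data the payments key passes, the CI deploy key shows two intervals over 90 days, the reporting key has use events but no rotation evidence at all, and one key was rotated without being in the inventory. The result is what an auditor's sample would surface: the control is well designed, but the evidence does not show it operating throughout the period for every key, and the unexpected key points at the ownership and visibility gap the text describes.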

Common Variations and Edge Cases

Tighter evidence requirements often increase operational overhead, so organisations have to balance auditability against the cost of automation and recordkeeping. That tradeoff is especially visible when a control is technically strong but operationally brittle, such as a manual quarterly review for thousands of service accounts.

There is no universal standard for this yet, but current guidance suggests auditors will judge controls differently depending on risk, frequency, and control criticality. A low-risk informational control may need lighter evidence than a control that protects payment systems or regulated production workloads. For NHI governance, the challenge is that static policies often look sound while runtime behaviour changes faster than review cycles. The Ultimate Guide to NHIs — Key Challenges and Risks explains why excess privilege and poor secret hygiene often undermine the very evidence auditors need. For broader governance context, Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows where lifecycle controls usually fail.

One common edge case is inherited control reliance, where a platform team assumes the cloud provider or vault tool makes the control effective by default. In reality, the organisation still has to prove correct configuration, continuous monitoring, and exception handling. Another is compensating controls: a documented backup control may help design effectiveness, but unless it is tested and evidenced, it does not establish operating effectiveness. Practitioners should treat this as an evidence problem first and a documentation problem second.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack surface, NIST CSF 2.0 sets the technical controls, and DORA defines the regulatory obligations.

Framework | Control / Reference | Relevance
DORA | | DORA requires demonstrable resilience, not just documented controls.
NIST CSF 2.0 | PR.IP | Protective processes must be implemented and evidenced, not only documented.
OWASP Non-Human Identity Top 10 | NHI-08 | NHI evidence gaps often appear in secret handling, rotation, and access proof.

Automate NHI logs and rotation evidence so auditors can verify control operation over time.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org