
What should organisations prioritise first in an IGA programme, visibility or workflow automation?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Visibility first. Workflow automation only works when the organisation can accurately discover accounts, permissions, and application relationships. Without that foundation, automation can accelerate bad decisions by applying clean process to incomplete data.

Why This Matters for Security Teams

Identity governance and administration succeeds or fails on data quality. If the organisation cannot reliably discover accounts, entitlements, service identities, and application relationships, workflow automation simply industrialises blind spots. That is especially dangerous for NHIs, where access paths are often inherited, inherited again, and rarely reviewed with the same discipline applied to human users. Current guidance from the NIST Cybersecurity Framework 2.0 still places inventory, governance, and access control before optimisation.

NHI Management Group research shows why visibility comes first: only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges, increasing the likelihood that automated approvals will preserve risky access rather than remove it. The practical issue is not whether automation is useful, but whether the programme can trust the source of truth enough to automate safely. In practice, many security teams encounter workflow failure only after a clean approval path has already propagated bad entitlements across production systems.

How It Works in Practice

The right sequence is discover, normalise, then automate. Visibility means building a current inventory of accounts, credentials, roles, entitlements, owners, and the applications each identity can reach. For NHIs, that includes service accounts, API keys, tokens, certificates, and workload identities. The NHI Lifecycle Management Guide and the Ultimate Guide to NHIs - Key Challenges and Risks both emphasise that lifecycle control depends on knowing what exists before deciding how it should be approved, recertified, or revoked.

In operational terms, teams typically prioritise:

  • Discovery of all human and non-human accounts across cloud, SaaS, CI/CD, and infrastructure.
  • Ownership mapping so every identity has a business or technical steward.
  • Entitlement correlation to show which permissions are actually used versus merely granted.
  • High-risk cleanup for stale accounts, orphaned keys, and excessive privileges.
  • Only then, workflow automation for provisioning, recertification, and deprovisioning.

That ordering matters because automation is only as accurate as the upstream data model. If application ownership is unknown, if service accounts are hidden in code or pipeline secrets, or if entitlement relationships are manually inferred, approval workflows will produce fast but unreliable decisions. Best practice is evolving toward policy-driven automation, but that still depends on a trustworthy inventory and clear decision inputs. The NIST Cybersecurity Framework 2.0 reinforces this by tying governance to identified assets and managed access rather than to process speed alone. These controls tend to break down when identities are created directly by applications or pipelines because the workflow engine cannot reliably see the full access chain.

Common Variations and Edge Cases

Tighter automation often increases administrative overhead at the start, requiring organisations to balance speed against discovery effort. In mature environments, some low-risk joiner-mover-leaver flows can be automated earlier, but that is usually an exception rather than the operating model. The general guidance is that automation can be introduced in parallel with visibility work, yet it should not be the first control used for high-risk entitlements or NHIs.

There are edge cases where partial automation is justified, such as SaaS connectors that expose clean entitlement APIs or cloud platforms with strong identity metadata. Even then, current guidance suggests limiting automation to bounded scopes until the organisation can validate completeness. Otherwise, workflow automation can mask missing owners, duplicate accounts, and dormant access, especially where secrets are stored outside a managed vault or where contractors and third parties create shadow identities. NHI Management Group research shows the scale of this problem: 71% of NHIs are not rotated within recommended time frames, so automated recertification without discovery can simply re-approve stale access instead of fixing it.
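As an added illustration that is not part of the original FAQ, the Python sketch below applies the discover, normalise, then automate ordering described above and the edge case in the previous paragraph: a record may only enter an automated recertification flow once its visibility checks pass, and records with stale or excessive access are routed to cleanup rather than re-approved. The record fields, the 90-day rotation window, and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROTATION_WINDOW = timedelta(days=90)  # assumed policy value, not taken from the FAQ

@dataclass
class NHIRecord:
    name: str
    owner: Optional[str]            # business or technical steward, None if unmapped
    granted: frozenset               # entitlements assigned to the identity
    used: Optional[frozenset]        # entitlements observed in use; None = no telemetry yet
    last_rotated: Optional[date]     # None = rotation history unknown
    store: str                       # where the secret lives: "vault", "pipeline", "code"

def visibility_gaps(rec: NHIRecord) -> list:
    """Data-quality checks that must pass before any workflow is allowed to act."""
    gaps = []
    if not rec.owner:
        gaps.append("no-owner")
    if rec.used is None:
        gaps.append("no-usage-data")
    if rec.last_rotated is None:
        gaps.append("no-rotation-data")
    if rec.store != "vault":
        gaps.append("unmanaged-secret")
    return gaps

def risk_findings(rec: NHIRecord, today: date) -> list:
    """Cleanup items on a fully visible record that block automated recertification."""
    findings = []
    if rec.used is not None and rec.granted - rec.used:
        findings.append("excessive-privilege")   # granted but never used
    if rec.last_rotated is not None and today - rec.last_rotated > ROTATION_WINDOW:
        findings.append("stale-credential")      # outside the rotation window
    return findings

def triage(inventory, today: date) -> dict:
    """Gate: only complete and clean records go to automation; the rest wait."""
    result = {"automate": [], "cleanup": {}, "manual_review": {}}
    for rec in inventory:
        gaps = visibility_gaps(rec)
        if gaps:                                 # incomplete data: never let a workflow decide
            result["manual_review"][rec.name] = gaps
            continue
        findings = risk_findings(rec, today)
        if findings:                             # visible but risky: fix before automating
            result["cleanup"][rec.name] = findings
        else:
            result["automate"].append(rec.name)
    return result

# Constructed sample inventory for the example (not real identities).
TODAY = date(2026, 6, 11)
SAMPLE = [
    NHIRecord("ci-deployer", "platform-team", frozenset({"deploy"}), frozenset({"deploy"}), date(2026, 5, 1), "vault"),
    NHIRecord("billing-sync", "finance-app", frozenset({"read", "write", "admin"}), frozenset({"read"}), date(2025, 12, 1), "vault"),
    NHIRecord("legacy-api-key", None, frozenset({"read"}), None, None, "code"),
]
```

Running `triage(SAMPLE, TODAY)` sends only `ci-deployer` to automation; `billing-sync` is flagged for privilege and rotation cleanup, and `legacy-api-key` is held for manual review because its owner, usage, rotation and storage are all unknown.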

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery is prerequisite to governing non-human access safely. |
| NIST CSF 2.0 | ID.AM | Asset management requires knowing identities and relationships before automation. |
| NIST AI RMF | GOVERN | Governance requires reliable data inputs before process automation can be trusted. |

Establish governance, accountability, and data-quality checks before automating identity decisions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.