Governance, Ownership & Risk

When does a request workflow become a governance risk?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

A request workflow becomes a governance risk when it approves access faster than the organisation can verify need, ownership, and revocation. That usually happens when the workflow is disconnected from lifecycle events, so access remains active after role changes or offboarding. Speed without lifecycle control creates entitlement drift.

Why This Matters for Security Teams

Request workflows look safe because they feel controlled: someone asks, someone approves, and access is granted. The governance risk starts when approval becomes the primary control instead of a checkpoint inside a broader identity lifecycle. That is how organisations end up with access that is technically authorised but operationally stale, especially when joiner, mover, and leaver events are not tied back to entitlement review and revocation.

This is a recurring pattern in NHI programs as well as in human access management. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Top 10 NHI Issues both emphasize that lifecycle control is what separates governed access from entitlement drift. The risk becomes more visible when workflows are built for speed but not for revocation, ownership validation, or periodic re-attestation. NIST’s Cybersecurity Framework 2.0 frames this as an ongoing identity and access governance problem, not a one-time ticketing event.

The issue is not theoretical: in vendor research cited by NHI Management Group, lack of credential rotation is the top cause of NHI-related attacks for 45% of organisations, a strong signal that workflow approval alone is not enough to keep access governable.

In practice, many security teams discover the failure only after an offboarding review, an audit exception, or the abuse of a dormant account long after the original request was approved.

How It Works in Practice

A request workflow becomes a governance risk when it can approve, but cannot continuously prove that the request still matches the current business need. The workflow may capture requester, manager, and approver, yet still fail if it does not enforce ownership, expiry, and lifecycle triggers. Best practice is to connect the request system to authoritative sources such as HR, directory services, and application inventory so that access is reassessed when roles change or employment ends.

For NHI-heavy environments, this becomes even more important because service accounts, API keys, tokens, and certificates often outlive the human request that created them. A workflow may issue a secret, but governance requires that the secret be time-bound, scoped, monitored, and revoked automatically when the workload changes. Current guidance suggests treating approval as only one event in a chain that includes validation, issuance, monitoring, and cleanup. That aligns with NIST CSF access governance and the lifecycle focus in NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives.

  • Use authoritative identity sources to confirm who or what is requesting access.
  • Require business justification that is tied to a specific asset, environment, or task.
  • Set expiry dates and revoke access automatically when the task or role ends.
  • Reconcile approvals against actual entitlements on a recurring basis.
  • Alert on approvals that bypass ownership, segmentation, or separation-of-duties checks.

This guidance breaks down most often in fragmented environments with multiple ticketing tools, unmanaged service accounts, and no single revocation path: approvals are recorded, but lifecycle state is not.
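As an added illustration (not code from NHIMG or from this page), a minimal reconciliation check in Python that implements the checklist above: it compares the approvals a request tool recorded against live entitlements and an authoritative HR feed, and flags expired approvals, leavers, movers, owners who have left, entitlements with no approval at all, and break-glass access that is not tightly time-boxed. The data, field names, and the one-day break-glass limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Approval:
    principal: str        # human or non-human identity that holds the access
    owner: str            # accountable human owner of the entitlement
    asset: str
    role_at_request: str  # requester's role when approved; "" for NHIs
    expires: date
    break_glass: bool = False

# Constructed sample data (not from the page): an HR feed as the authoritative
# source, the approvals a request tool recorded, and the entitlements actually live.
HR = {"alice": ("active", "sre"), "bob": ("terminated", "dev"), "carol": ("active", "finance")}
APPROVALS = [
    Approval("alice", "alice", "prod-db", "sre", date(2026, 12, 31)),
    Approval("bob", "alice", "prod-db", "dev", date(2026, 12, 31)),        # bob has left
    Approval("carol", "bob", "ci-secrets", "dev", date(2026, 12, 31)),     # carol moved teams, owner left
    Approval("svc-deploy", "alice", "prod-db", "", date(2026, 1, 1)),      # NHI approval expired
    Approval("alice", "alice", "prod-kms", "sre", date(2026, 6, 14), break_glass=True),
]
LIVE = {("alice", "prod-db"), ("bob", "prod-db"), ("carol", "ci-secrets"),
        ("svc-deploy", "prod-db"), ("svc-report", "prod-db"), ("alice", "prod-kms")}
TODAY = date(2026, 6, 11)  # assumed reconciliation date

def find_drift(approvals, hr, live, today, break_glass_max=timedelta(days=1)):
    """Return (principal, asset, reason) for each live entitlement the approvals no longer justify."""
    approved = {(a.principal, a.asset): a for a in approvals}
    findings = []
    for principal, asset in sorted(live):
        a = approved.get((principal, asset))
        if a is None:                       # entitlement exists outside the workflow
            findings.append((principal, asset, "no approval on record"))
            continue
        if today > a.expires:
            findings.append((principal, asset, "approval expired"))
        if hr.get(a.owner, ("unknown",))[0] != "active":
            findings.append((principal, asset, "owner not active"))
        status, role = hr.get(principal, (None, None))  # NHIs are absent from HR
        if status == "terminated":
            findings.append((principal, asset, "leaver still entitled"))
        elif status == "active" and a.role_at_request and role != a.role_at_request:
            findings.append((principal, asset, "role changed since approval"))
        if a.break_glass and a.expires - today > break_glass_max:
            findings.append((principal, asset, "break-glass window exceeds limit"))
    return findings

def run_example():
    return find_drift(APPROVALS, HR, LIVE, TODAY)
```

Each finding is a revocation or review action; an entitlement that matches a current, owned, unexpired approval produces nothing.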

Common Variations and Edge Cases

Tighter approval controls often increase operational friction, so organisations have to balance speed against revocation certainty. That tradeoff is real in engineering teams, emergency access processes, and automated provisioning pipelines where every extra checkpoint can slow delivery. Best practice is evolving toward risk-based approvals, but there is no universal standard for this yet.

One edge case is emergency access. A break-glass workflow may be justified, but it should still be time-boxed, logged, and reviewed after the event. Another is automated access for bots or agentic systems, where the request may not come from a human at all. In those cases, the request workflow should validate workload identity, expected behaviour, and scope of action rather than relying on manager approval alone. The same principle applies to third-party integrations and delegated admin access, where approval can look legitimate while the underlying credential remains over-privileged. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now reinforces that security value comes from continuous governance, not from the approval event itself.

For audit and control design, the practical test is simple: if a workflow cannot prove who owns the access, why it still exists, and when it will disappear, it has become a governance risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access approvals must be tied to least privilege and lifecycle governance.
OWASP Non-Human Identity Top 10 | NHI-03 | Workflows that miss rotation and revocation create NHI entitlement drift.
NIST AI RMF | | Governance risk emerges when accountability and oversight fail across workflows.

Use AI RMF governance practices to assign ownership, reviewability, and continuous oversight.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org