
Where should an organisation start with NHI security?

By NHI Mgmt Group Editorial Team Updated May 16, 2026 Domain: Foundations & NHI Taxonomy

Start with discovery. Before any other investment, an organisation needs to know what NHIs it has. Run automated discovery across cloud IAM systems, Active Directory, secrets stores, CI/CD pipelines, and SaaS platforms. Produce a prioritised inventory ranked by risk: NHIs with privileged access to production systems, NHIs with unrotated credentials older than 90 days, and NHIs with no assigned owner. This inventory becomes the foundation for every subsequent governance activity.

Why This Matters for Security Teams

The right starting point is not policy drafting, tool buying, or privilege redesign. It is discovery, because organisations cannot secure what they cannot see. NHIs now outnumber human identities by 25x to 50x in modern enterprises, and hidden service accounts, API keys, and machine tokens often sit outside the normal access review process. The risk is compounded by weak rotation discipline, stale credentials, and shadow ownership gaps that turn routine automation into an attack path. NHI governance guidance in the Ultimate Guide to NHIs shows why inventory is the prerequisite for rotation, segmentation, and offboarding, while NIST Cybersecurity Framework 2.0 reinforces the broader expectation that asset identification comes before effective protection.

This matters because the most damaging NHI incidents often begin with identities that were never formally registered as assets. A discovery-first approach creates the evidence base for owner assignment, privilege scoping, and remediation prioritisation. In practice, many security teams encounter NHI exposure only after a credential leak, service outage, or cloud compromise has already made the risk visible, rather than through intentional governance.

How It Works in Practice

Discovery should span every place NHIs are created, stored, and used: cloud IAM, Active Directory, secrets managers, CI/CD pipelines, containers, SaaS integrations, and third-party OAuth apps. The goal is not just to count identities, but to classify them by function, sensitivity, environment, and lifecycle state. A useful first pass is to separate production-facing service accounts from build-time automation, then flag credentials with no clear owner, no recent use, or no documented rotation process.

From there, assign risk so teams can act in order. A practical prioritisation model is to elevate NHIs with privileged access, credentials older than 90 days, and any identity embedded directly in source code or deployment configuration. This is where findings from the Top 10 NHI Issues and the Ultimate Guide to NHIs — What are Non-Human Identities are useful: they show that over-privilege, poor visibility, and misplaced secrets are usually intertwined, not isolated problems. The research base also indicates that 96% of organisations store secrets outside secrets managers in vulnerable locations, which means discovery must include code repositories and pipeline variables, not only vaults.

  • Build one inventory that covers runtime, build-time, and third-party NHIs.
  • Tag each identity with owner, workload, environment, last rotation date, and privilege level.
  • Separate secrets from identities so token sprawl is not mistaken for account sprawl.
  • Use the inventory to drive rotation, least privilege, and offboarding queues.

Discovery also supports better reporting. The first dashboard should answer how many NHIs exist, where they live, who owns them, and which ones can reach production. These controls tend to break down when identity sprawl crosses cloud, SaaS, and CI/CD boundaries because no single platform sees the full credential lifecycle.
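To make the prioritisation model and the first-dashboard questions concrete, here is an added Python example (not NHI Mgmt Group's code) that scores a constructed inventory against the conditions named above and ranks it into a remediation queue. The record fields, the sample identities and the numeric weights are assumptions: the page ranks the conditions but assigns no numbers.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class NHI:  # one discovered identity, tagged as the list above recommends
    name: str
    source: str                   # where discovery found it: aws-iam, ad, vault, ci, saas
    owner: Optional[str]          # None = no assigned owner
    environment: str              # prod, staging or build
    privileged: bool              # admin/write access on its workload
    last_rotated: Optional[date]  # None = never rotated
    in_source_code: bool          # secret found in a repo or pipeline variable

# Assumed weights: the page ranks these conditions but prescribes no numbers.
STALE_DAYS = 90  # rotation threshold used in the text above
WEIGHTS = {"privileged-production": 5, "secret-in-code": 4,
           "stale-credential": 3, "no-owner": 2}

def findings(nhi: NHI, today: date) -> List[str]:
    """Risk conditions from the text that apply to one NHI."""
    stale = nhi.last_rotated is None or (today - nhi.last_rotated).days > STALE_DAYS
    checks = [("privileged-production", nhi.privileged and nhi.environment == "prod"),
              ("secret-in-code", nhi.in_source_code),
              ("stale-credential", stale),
              ("no-owner", nhi.owner is None)]
    return [label for label, hit in checks if hit]

def risk_score(nhi: NHI, today: date) -> int:
    return sum(WEIGHTS[f] for f in findings(nhi, today))

def prioritised(inventory: List[NHI], today: date) -> List[NHI]:
    """Highest risk first; ties broken by name so the remediation queue is stable."""
    return sorted(inventory, key=lambda n: (-risk_score(n, today), n.name))

def dashboard(inventory: List[NHI], today: date) -> dict:
    """How many NHIs exist, where they live, who owns them, which reach production."""
    return {"total": len(inventory),
            "by_source": dict(Counter(n.source for n in inventory)),
            "unowned": sum(n.owner is None for n in inventory),
            "reach_production": sum(n.environment == "prod" for n in inventory)}

# Constructed sample inventory, as one discovery run across several sources might return
TODAY = date(2026, 5, 16)
SAMPLE = [NHI("deploy-bot", "ci", "platform-team", "prod", True, date(2026, 4, 30), False),
          NHI("legacy-svc-db", "ad", None, "prod", True, date(2025, 11, 2), False),
          NHI("build-cache-key", "ci", "dev-team", "build", False, None, True),
          NHI("crm-sync", "saas", "sales-ops", "staging", False, date(2026, 3, 1), False)]
```

Running `prioritised(SAMPLE, TODAY)` puts the unowned, stale, privileged production account first and the build key with a secret in code second, which is the order the text argues teams should work in.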

Common Variations and Edge Cases

Tighter discovery often increases operational overhead, requiring organisations to balance visibility against integration complexity. That tradeoff is real, especially in hybrid estates where legacy directories, SaaS connectors, and developer tooling expose different metadata quality. Current guidance suggests starting with the highest-risk domains first rather than waiting for perfect completeness, because there is no universal standard for full NHI inventory maturity yet.

Edge cases usually involve identities that are not obviously machine-owned: vendor-managed integrations, shared automation accounts, ephemeral build agents, and AI-driven workflows that call APIs on behalf of humans. These deserve extra scrutiny because ownership and authorisation can be unclear even when the credential itself is visible. The 52 NHI Breaches Analysis is useful here because it shows how small gaps in identity governance can cascade into broader compromise once one credential is reused or left unrotated. For teams aligning to current practice, the important point is not to chase exhaustive perfection on day one, but to establish a repeatable discovery cycle that feeds rotation, revocation, and owner assignment.

That is also where the limits of tooling become obvious. Discovery engines can surface signals, but they cannot decide ownership or acceptable exposure without business context. In organisations with fast-moving DevOps pipelines or autonomous agents, inventory must be treated as a living control, not a one-time project.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory are the first step in NHI control coverage. |
| NIST CSF 2.0 | ID.AM | Asset management supports identifying identities before protecting them. |
| CSA MAESTRO | | MAESTRO emphasizes governance and visibility for machine-driven workloads. |

Inventory every NHI, classify ownership and privilege, then use that map to drive rotation and least privilege.


NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.