Ownership should sit with the business or process owner who can validate the asset’s purpose, while IT and security enforce the control. That split prevents orphaned tools from lingering after role changes and ensures unused assets are challenged during reviews rather than left to accumulate.
Why This Matters for Security Teams
Unused assets and licences are not just a cleanup task. They are a control ownership problem. When no single business or process owner is accountable, dormant SaaS seats, API subscriptions, service accounts, and premium capabilities can persist long after the business need ends. That creates unnecessary cost, but more importantly it creates residual access that security teams must still defend. The right ownership split is usually business validation plus IT or security enforcement, aligned to governance in the NIST Cybersecurity Framework 2.0.
NHI Management Group research shows why this matters: only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, while 97% of NHIs carry excessive privileges. That means unused assets often remain tied to credentials, permissions, or paid entitlements that can still be abused if left unattended. The control objective is not just cost recovery. It is to make sure somebody can answer whether the asset still has a legitimate purpose, and if not, remove it cleanly through an owned workflow. In practice, many security teams encounter licence sprawl only after an access review, an audit finding, or a breach exposes tools that no one remembered to retire.
How It Works in Practice
Best practice is to assign decision ownership to the business or process owner for each asset class, then require IT, security, or procurement to enforce the action. That split avoids a common failure mode: central teams can revoke access, but they cannot reliably determine whether a tool, licence, or integration still supports a live business process. The owner answers the question “should this still exist?”, while operations answer “how do we remove it safely?”
For NHIs and connected workloads, the same principle applies to service accounts, API keys, CI/CD tokens, and machine credentials described in the Ultimate Guide to NHIs. Ownership should be tied to the system or workflow consuming the credential, not to a generic IT queue. A practical review flow usually includes:
- Inventory the asset, licence, or secret and map it to a named business owner.
- Confirm whether the asset supports production, test, or no current use.
- Apply a revoke, downgrade, or reclaim action with an approval trail.
- Record a review date so the asset is challenged again at the next cycle.
For broader governance, the NIST Cybersecurity Framework 2.0 reinforces that accountability, asset management, and access control need clear ownership rather than ad hoc cleanup. This works best when the owner is measured on utilisation and business value, while security measures compliance with revocation, logging, and exception handling. These controls tend to break down when ownership sits in a shared mailbox or a generic platform team queue because nobody has authority to declare the asset unnecessary.
Common Variations and Edge Cases
Tighter ownership controls often increase operational overhead, requiring organisations to balance cleanup speed against approval friction. Not every unused asset should be treated the same way. A stale test licence, an abandoned contractor seat, and an orphaned production API key carry different business and security consequences, so the ownership model should reflect risk and context. Current guidance suggests that low-risk, low-cost items can be auto-expired after a review window, while higher-risk entitlements need explicit business sign-off before removal.
Edge cases usually appear when ownership is unclear because the original sponsor has left, a team has restructured, or the asset supports multiple departments. In those cases, the decision should escalate to the service owner, product owner, or application owner rather than defaulting to IT. If no accountable owner can be identified, the asset should be placed into a time-bound exception process rather than left active indefinitely. For NHIs, this is especially important because unused credentials can remain valid long after human owners assume they are harmless, and the same problem is documented across the Ultimate Guide to NHIs. The real-world failure point is usually not the removal action itself, but the absence of a named person who can justify keeping the asset alive.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset inventory ownership is the basis for deciding what should be kept or removed. |
| NIST CSF 2.0 | PR.AC-4 | Unused assets often retain access, so access governance must support revocation decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unused NHIs and credentials must be identified, owned, and revoked before they become orphaned. |
Map each non-human identity to a business owner and remove credentials when the supporting workflow is retired.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
