Business owners, IT, finance, and identity governance should share the decision, but the access evidence has to come from the identity side. Without a trusted view of who has access, who is using the app, and who left the organisation, software rationalisation becomes guesswork.
Why This Matters for Security Teams
Software rationalisation sounds like a procurement or IT cleanup exercise, but in an identity-led programme it becomes an access governance problem. The real question is not just whether an application is licensed or redundant, but whether it still has active users, service accounts, API keys, and privileged integrations. NIST frames this as a governance and asset-management discipline in the NIST Cybersecurity Framework 2.0, while NHIMG research shows why identity evidence cannot be optional: only 5.7% of organisations have full visibility into their service accounts, and 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
That matters because rationalisation decisions made without identity evidence often remove the wrong thing, leave dormant access behind, or miss shadow dependencies embedded in automation. A business owner may know an app is no longer strategic, but only identity and access data can show whether it is still in use, by whom, and through which non-human identities. The better the inventory, the safer the decision. The weaker the visibility, the more likely the programme creates control gaps while claiming efficiency. In practice, many security teams discover these gaps only after a decommissioning effort breaks downstream workflows or a forgotten integration remains live.
How It Works in Practice
Ownership should be shared, but not flattened. Business owners usually decide whether the software still has a valid business purpose. IT confirms technical dependencies and retirement feasibility. Finance validates cost, contract timing, and savings. Identity governance supplies the evidence that makes the decision defensible: who has access, whether the application has active human users, and whether service accounts, tokens, or API keys still authenticate to it.
In a mature process, the identity team produces an access evidence pack before rationalisation decisions are finalised. That pack typically includes:
- Current user population and last access dates
- Privileged entitlements and role assignments
- Non-human identities tied to the application, including service accounts and integrations
- Orphaned or inactive accounts that suggest hidden dependencies
- Authentication method, token lifespan, and rotation status
This is where NHIMG guidance is especially relevant. The Ultimate Guide to NHIs highlights the broader governance reality: NHIs outnumber human identities by 25x to 50x in modern enterprises, and 71% are not rotated within recommended time frames. Those patterns matter during rationalisation because a “retired” app can still be supported by long-lived credentials that survive well beyond the business decision.
For evidence gathering, security teams should align to NIST Cybersecurity Framework 2.0 governance and asset-management outcomes, then tie the findings to access review and deprovisioning workflows. If the app is approved for retirement, identity governance should trigger revocation of entitlements, service account disablement, secret rotation, and integration cleanup. If the app is retained, access should be reduced to the minimum needed and reassessed on a fixed cadence.
These controls tend to break down when application ownership is unclear and machine-to-machine access is spread across scripts, CI/CD pipelines, and unmanaged secrets stores.
Common Variations and Edge Cases
Tighter rationalisation governance often increases coordination cost, requiring organisations to balance faster cost reduction against the risk of breaking active business workflows. That tradeoff becomes sharper in hybrid estates, where a legacy application may appear unused from a human-access perspective but still support batch jobs, partner APIs, or embedded automation. Current guidance suggests identity evidence should override opinion in these cases, but there is no universal standard for exactly how much evidence is enough before a decommissioning decision.
One common edge case is the “orphaned but critical” application: no visible users remain, yet a service account still authenticates nightly from another system. Another is the “shared account” problem, where rationalisation teams cannot map usage cleanly because multiple people or automations share a credential. A third is the SaaS licence case, where finance wants immediate savings but identity logs show active use through delegated access or external collaboration.
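To make the evidence pack described above, the retire/retain workflow, and these three edge cases concrete, here is an added Python example. It is not code from the original article or from NHIMG; the application names, accounts, dates, and the 90-day inactivity and rotation thresholds are constructed assumptions, and the classification rules are one possible encoding of the edge cases in the text rather than a standard.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy thresholds; tune to the organisation's own standards.
INACTIVE_AFTER = timedelta(days=90)
ROTATION_MAX = timedelta(days=90)
TODAY = date(2026, 6, 12)  # pinned so the constructed sample is reproducible


@dataclass
class Human:
    user: str
    last_access: date
    privileged: bool = False
    delegated: bool = False  # reaches the app via delegation / external collaboration
    left_org: bool = False


@dataclass
class NHI:
    name: str                # service account, token or API key
    last_auth: date
    last_rotated: date
    users: tuple = ()        # principals known to use the credential; >1 means shared
    source_system: str = ""  # where the authentication originates (an integration)


@dataclass
class EvidencePack:
    app: str
    active_users: list = field(default_factory=list)
    inactive_or_left: list = field(default_factory=list)
    privileged: list = field(default_factory=list)
    delegated_only: bool = False
    active_nhis: list = field(default_factory=list)
    stale_nhis: list = field(default_factory=list)
    shared_credentials: list = field(default_factory=list)
    unrotated: list = field(default_factory=list)
    integrations: dict = field(default_factory=dict)


def build_pack(app, humans, nhis, today=TODAY):
    """Assemble the evidence pack: user population, entitlements, NHIs, rotation state."""
    p = EvidencePack(app)
    for h in humans:
        if h.left_org or today - h.last_access > INACTIVE_AFTER:
            p.inactive_or_left.append(h.user)
        else:
            p.active_users.append(h.user)
        if h.privileged:
            p.privileged.append(h.user)
    active = [h for h in humans if h.user in p.active_users]
    p.delegated_only = bool(active) and all(h.delegated for h in active)
    for n in nhis:
        (p.active_nhis if today - n.last_auth <= INACTIVE_AFTER else p.stale_nhis).append(n.name)
        if len(n.users) > 1:
            p.shared_credentials.append(n.name)
        if today - n.last_rotated > ROTATION_MAX:
            p.unrotated.append(n.name)
        if n.source_system:
            p.integrations[n.name] = n.source_system
    return p


def classify(p):
    """Name the edge case; a shared credential is checked first because usage cannot be attributed."""
    if p.shared_credentials:
        return "shared-credential"
    if not p.active_users and p.active_nhis:
        return "orphaned-but-critical"
    if p.delegated_only:
        return "active-delegated"
    if not p.active_users and not p.active_nhis:
        return "dormant"
    return "active"


def retirement_actions(p):
    """Revocation path when the app is approved for retirement."""
    acts = [f"revoke entitlements: {u}" for u in p.active_users + p.inactive_or_left]
    acts += [f"disable NHI: {n}" for n in p.active_nhis + p.stale_nhis]
    # A shared credential may still be valid elsewhere, so rotate it rather than only disabling it here.
    acts += [f"rotate shared secret: {n}" for n in p.shared_credentials]
    acts += [f"remove integration: {n} from {src}" for n, src in p.integrations.items()]
    return acts


def retention_actions(p):
    """Least-privilege reduction when the app is retained."""
    acts = [f"remove inactive/left account: {u}" for u in p.inactive_or_left]
    acts += [f"disable stale NHI: {n}" for n in p.stale_nhis]
    acts += [f"rotate overdue credential: {n}" for n in p.unrotated]
    acts += [f"re-review privileged entitlement: {u}" for u in p.privileged]
    acts.append("schedule next access review")
    return acts


# Constructed sample estate covering the edge cases discussed in the text.
ESTATE = {
    "legacy-batch": ([Human("alice", date(2025, 12, 1)), Human("bob", date(2026, 5, 20), left_org=True)],
                     [NHI("svc-batch", date(2026, 6, 11), date(2025, 1, 10), ("svc-batch",), "scheduler-01")]),
    "shared-sftp": ([Human("carol", date(2026, 6, 1), privileged=True)],
                    [NHI("sftp-key", date(2026, 6, 10), date(2026, 5, 1), ("carol", "dave", "ci-runner"))]),
    "collab-saas": ([Human("erin", date(2026, 6, 5), delegated=True)], []),
    "old-crm": ([Human("frank", date(2025, 9, 1))],
                [NHI("crm-token", date(2025, 10, 1), date(2025, 10, 1), ("crm-token",))]),
}


def rationalise(estate=ESTATE):
    """Return {app: (label, retirement actions, retention actions)} for every app."""
    out = {}
    for app, (humans, nhis) in estate.items():
        p = build_pack(app, humans, nhis)
        out[app] = (classify(p), retirement_actions(p), retention_actions(p))
    return out


if __name__ == "__main__":
    for app, (label, retire, retain) in rationalise().items():
        print(f"{app}: {label}\n  retire -> {retire}\n  retain -> {retain}")
```

The point of the structure is that the decision owners never see a raw "in use / not in use" flag: they get the pack, the edge-case label, and both action lists, so the revocation path exists before the business decision is signed off. With the constructed data, `legacy-batch` is labelled orphaned-but-critical (no active humans, but a service account authenticated yesterday from `scheduler-01`), `shared-sftp` is a shared-credential case, and `collab-saas` is active only through delegated access.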
NHIMG’s 52 NHI Breaches Analysis is a useful reminder that hidden machine access is often the part organisations miss until after the fact. For that reason, the safest operating model is not “identity decides,” but “identity proves.” Business, IT, and finance should own the decision together, while identity governance owns the access evidence and the revocation path. Without that split, rationalisation can create false confidence: a lower software count on paper, but the same or greater exposure in practice.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-1 | Rationalisation needs clear business context and ownership to judge app value. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Hidden service accounts and tokens are central to rationalisation evidence. |
| NIST AI RMF | GOVERN | Identity-led decisions need governance, accountability, and traceable evidence. |
Document each app's business purpose and assign accountable decision owners before retirement.
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org