Because infrastructure changes and access changes usually happen together. If infrastructure is automated but permissions are handled manually, the result is inconsistency and audit gaps. Linking the two gives security teams a single change path for infrastructure, access, and evidence, which makes governance easier to sustain as environments grow.
Why This Matters for Security Teams
Infrastructure as code only delivers repeatable change if identity and access are repeatable too. When a Terraform plan, a Kubernetes deployment, or a cloud policy update lands without an equal update to permissions, teams create drift between what exists and what can be touched. That drift is where audit gaps, privilege creep, and emergency exceptions accumulate. NIST SP 800-53 Rev 5 Security and Privacy Controls frames access control and configuration management as linked disciplines, not separate workflows.
This is especially visible in secret handling. NHIMG has documented how Azure Key Vault privilege escalation exposure can turn a narrowly scoped deployment mistake into broad secret access, and how stolen credentials in TruffleNet BEC Attack and Stolen AWS Credentials can move quickly when access is not tied to the actual infrastructure lifecycle. In the 2026 Infrastructure Identity Survey, 67% of organisations still relied heavily on static credentials despite the risks they pose to agentic AI deployments, which is a strong signal that change automation and identity governance are still being managed in silos. In practice, many security teams discover the mismatch only after a deployment has already shipped with overbroad access attached.
How It Works in Practice
The practical goal is to make infrastructure change and access change part of one controlled workflow. That usually means treating identity artifacts, secrets, service accounts, role bindings, and policy files as code alongside the workload definition. A pull request should describe not only what infrastructure is changing, but also what new permissions are required, what existing permissions can be removed, and what evidence will prove the result.
Common implementation patterns include:
- Provisioning roles, bindings, and service identities through the same repository that provisions the workload.
- Issuing short-lived secrets or tokens at deploy time instead of embedding static credentials in pipelines.
- Using policy-as-code checks to block deployments that request excessive permissions or violate separation of duties.
- Recording approvals, diffs, and runtime policy decisions as audit evidence tied to the change record.
For access control specifics, NIST guidance on least privilege and system configuration works best when paired with deployment automation, not layered on afterward. The same logic applies to non-human identities: identity should follow the workload, not the operator. That is why NHI teams increasingly align infrastructure definitions with ephemeral secret issuance and workload identity instead of long-lived manual grants. The maturity gap is real, though. NHIMG’s 2024 Non-Human Identity Security Report found that 88.5% of organisations said non-human IAM practices lag behind or are merely on par with human IAM, while 59.8% saw value in dynamic ephemeral credentials. These patterns become much stronger when paired with identity-aware controls defined in NIST SP 800-53 Rev 5 Security and Privacy Controls and enforced through the same pipeline that ships infrastructure. These controls tend to break down when legacy applications require shared static accounts because the access model cannot be expressed cleanly in code.
Common Variations and Edge Cases
Tighter coupling between infrastructure and IAM often increases pipeline complexity, so organisations have to balance speed against governance overhead. That tradeoff is worth making explicit, especially in hybrid estates where every platform exposes identities differently.
Current guidance suggests treating the following cases carefully:
- Legacy systems: Shared accounts and fixed service principals may not support clean IaC integration, so compensating controls and accelerated migration plans are needed.
- Cross-account or multi-cloud deployments: Identity relationships can span providers, which makes drift detection and access review harder unless policies are normalised.
- Emergency changes: Break-glass access should still be logged, time-limited, and reconciled back into code after the incident.
- Human plus machine workflows: Some organisations need separate approval paths for operators and automation, but the evidence should still land in one change record.
There is no universal standard for this yet, but the direction is clear: infrastructure change, secret rotation, and permission updates should converge into one auditable control plane. That approach is consistent with the risk patterns NHIMG has documented in both the Azure Key Vault exposure and the TruffleNet credential theft case, where access outlived the context that justified it. The more dynamic the environment, the more important it becomes to bind IAM changes to the same release process that manages infrastructure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance must stay aligned with automated infrastructure change. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the core control that IaC and IAM must preserve together. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Static or unmanaged NHI credentials are a common failure mode in IaC pipelines. |
| NIST AI RMF | AI risk governance applies when automation changes infrastructure and access together. |
Set accountability, oversight, and monitoring for automated infrastructure and IAM decisions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org