Subscribe to the Non-Human & AI Identity Journal
Home FAQ Why do large events create such a difficult…

Why do large events create such a difficult risk picture for identity and access teams?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

Large events multiply trust relationships across borders, organisations, and technology stacks, which makes identity governance harder to see and enforce. Teams must manage direct users, temporary workers, vendors, and downstream dependencies at the same time. That complexity makes access review, privilege scope, and offboarding discipline critical, because the number of identities involved is much larger than most organisations expect.

Why This Matters for Security Teams

Large events turn identity into a temporary ecosystem, not a static directory problem. Access teams have to account for sponsors, contractors, volunteers, vendors, broadcasters, venue staff, and system-to-system connections that appear only for a short window. That makes joiner-mover-leaver discipline, privilege scoping, and exception handling far more important than ordinary day-to-day operations. The risk is not just overprovisioning. It is also fragmented ownership, weak evidence of approval, and inconsistent offboarding across organisations.

That matters because event environments often bridge corporate IAM, physical access, SaaS tooling, cloud platforms, and shared operational systems. When those layers are not aligned, teams lose confidence in who can access what, for how long, and under whose authority. NHI Management Group’s Ultimate Guide to NHIs notes that 92% of organisations expose NHIs to third parties, which is a useful warning for event programmes that depend heavily on external partners.

In practice, many security teams only discover the full access sprawl after a partner account, shared credential, or dormant service identity has already been abused.

How It Works in Practice

The core challenge is that event access is usually assembled from many small decisions rather than one controlled process. A badge may unlock a venue gate, a contractor portal, a data dashboard, and a chat workspace, while an API key may connect registration systems, payment tools, and logistics platforms. Security teams therefore need a joined-up view of human and non-human identities, because identities often outnumber formal owners and can persist long after the event ends.

Current guidance suggests treating event onboarding like a time-boxed trust programme. That means defining the minimum identity attributes needed, issuing access by role, and tying every entitlement to an expiry date and a named sponsor. It also means reviewing which systems rely on shared secrets, and replacing those where possible with short-lived credentials and stronger verification. The OWASP Non-Human Identity Top 10 is especially relevant here because temporary integrations are often where secrets sprawl, privilege creep, and missing offboarding show up first.

  • Map every user, vendor, and integration to a business owner before access is granted.
  • Set explicit start and end dates for all event-related accounts and tokens.
  • Separate physical access decisions from logical access decisions, then reconcile them.
  • Rotate or revoke secrets immediately after the event closes, not during a later cleanup cycle.

NHIMG’s Top 10 NHI Issues highlights how quickly third-party exposure and excessive privilege can accumulate when governance is deferred to operations. These controls tend to break down when multiple organisers share the same admin consoles, because ownership, logging, and offboarding responsibilities become ambiguous.

Common Variations and Edge Cases

Tighter access controls often increase coordination overhead, requiring organisations to balance speed of delivery against assurance and auditability. That tradeoff is most visible in events that involve media production, public-private partnerships, or cross-border attendance, where last-minute changes are common and approval chains can become slow. Best practice is evolving here, and there is no universal standard for how much temporary access should be pre-approved versus approved just in time.

One common edge case is the use of shared operational accounts for venues, staging, or broadcast equipment. Those accounts are convenient, but they obscure accountability and complicate revocation. Another is delegated administration, where a sponsor grants access to a third party who then provisions downstream users. In those cases, the identity team needs evidence of who is accountable for each downstream entitlement, not just who requested it.

For larger programmes, it is also important to distinguish between event-only risk and enduring supply chain risk. Event access often exposes broader dependencies in ticketing, content delivery, analytics, and badge printing systems. That is why current guidance from NIST CSF 2.0 and the security control catalogue in NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls remains useful, but it must be applied to temporary identities as rigorously as permanent ones.

The hardest failures occur when the event ends but the access model does not, leaving partner accounts, API keys, and shared credentials live in production environments.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.ACEvent access sprawl maps to identity and access control governance.
NIST SP 800-53 Rev 5AC-2Temporary users and contractors need lifecycle control from issuance to revocation.
OWASP Non-Human Identity Top 10Event integrations often rely on secrets and service accounts that outlive the event.

Define, approve, and review all event identities and entitlements under a single access control process.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org