
Why do service accounts and certificates matter in CMMC readiness?

By NHI Mgmt Group Editorial Team Updated June 7, 2026 Domain: Governance, Ownership & Risk

Service accounts and certificates matter because they often carry privileged access without the visibility humans get through login workflows. If they are not inventoried, owned, and rotated, they become persistent access paths that are hard to evidence in an assessment and easy to overlook in day-to-day operations.

Why This Matters for Security Teams

Service accounts and certificates are not just infrastructure details; they are machine identities that can hold privileged access, bypass interactive login controls, and persist long after the people who created them have moved on. That makes them highly relevant to CMMC readiness, because assessors need evidence of ownership, lifecycle control, and least privilege, not just proof that humans use MFA.

NHIMG’s research shows why this is hard in practice: only 5.7% of organisations have full visibility into their service accounts, and 71% of NHIs are not rotated within recommended time frames. The result is an evidence problem as much as a security problem. If a service account can authenticate to production, CI/CD, or managed infrastructure, it must be treated as an accountable asset, not an unnamed technical dependency. Current guidance from the NIST Cybersecurity Framework 2.0 aligns with that approach by emphasising governed access, asset visibility, and lifecycle discipline.

In practice, many security teams encounter failed audit evidence only after a certificate expires, a service account is discovered in a shared script, or a “temporary” integration has been running for years without an owner.

How It Works in Practice

CMMC readiness improves when service accounts and certificates are managed as inventory-backed, owned, and reviewable identities. The practical sequence is straightforward: identify every service account, map each one to a business purpose, assign an accountable owner, and classify the access it can exercise. Certificates should be tied to that same inventory so teams can prove where they are issued, where they are used, and when they expire.

For machine identities, the main control points are rotation, scope reduction, and evidence. Rotation is not only about password hygiene. For certificates, it means short validity periods, automated renewal, and revocation processes that actually work when a system is decommissioned or a workload changes. For service accounts, it means eliminating shared accounts where possible, using unique identities for each workload, and removing standing privileges that are broader than the task requires. The Ultimate Guide to NHIs — What are Non-Human Identities is a useful reference point for this lifecycle view, especially where organisations need to translate identity governance into operational control.

A useful evidence package for assessors usually includes:

  • An inventory of service accounts and certificates with owners and systems of record
  • Rotation or renewal records showing dates, TTLs, and automated enforcement
  • Access reviews that confirm least privilege and remove orphaned access
  • Decommission records for retired applications, scripts, and integrations
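The inventory-driven review described above and the evidence package it feeds can be scripted. The following is an added example, not code from NHIMG or any product it describes; the inventory records, identity names, owners, dates and TTLs are constructed sample data, and the rotation interval and expiry warning window are assumed policy values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Tuple
from collections import Counter

@dataclass
class MachineIdentity:
    ident: str
    kind: str                     # "service_account" or "certificate"
    owner: Optional[str]          # accountable owner; None means orphaned
    last_rotated: Optional[date]  # last credential rotation, or certificate issue date
    ttl_days: int                 # rotation interval, or certificate validity period

# Constructed sample inventory (not real identities) with the fields an assessor
# expects: owner, last rotation/issue date, and the policy TTL that applies.
INVENTORY = [
    MachineIdentity("svc-ci-deploy", "service_account", "platform-team", date(2026, 4, 1), 90),
    MachineIdentity("svc-legacy-erp", "service_account", None, date(2025, 1, 10), 90),
    MachineIdentity("svc-vendor-monitor", "service_account", "vendor-mgmt", None, 90),
    MachineIdentity("api.internal.example", "certificate", "app-team", date(2025, 7, 1), 365),
    MachineIdentity("vpn.internal.example", "certificate", None, date(2025, 5, 1), 365),
]
REVIEW_DATE = date(2026, 6, 7)  # assumed date of the access review

def review_inventory(inventory, today, expiry_warning_days=30) -> List[Tuple[str, str]]:
    """Return (identity, finding) pairs; each one needs an owner's explanation or a fix."""
    findings = []
    for item in inventory:
        if not item.owner:
            findings.append((item.ident, "missing_owner"))
        if item.last_rotated is None:
            findings.append((item.ident, "never_rotated"))
            continue
        due = item.last_rotated + timedelta(days=item.ttl_days)
        if item.kind == "certificate":
            if due <= today:
                findings.append((item.ident, "certificate_expired"))
            elif due - today <= timedelta(days=expiry_warning_days):
                findings.append((item.ident, "certificate_expiring"))
        elif due < today:
            findings.append((item.ident, "rotation_overdue"))
    return findings

def evidence_summary(findings) -> dict:
    """Count findings by type; an empty dict is what a clean evidence package looks like."""
    return dict(Counter(finding for _, finding in findings))

if __name__ == "__main__":
    for ident, finding in review_inventory(INVENTORY, REVIEW_DATE):
        print(f"{ident}: {finding}")
    print(evidence_summary(review_inventory(INVENTORY, REVIEW_DATE)))
```

Running the review on a schedule and archiving its output alongside the inventory gives the dated rotation, expiry and ownership records the evidence list above asks for.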

For certificates specifically, expiry is a major operational risk. SailPoint research cited by NHIMG notes that certificate expiry is the leading cause of outages for 45% of organisations, which makes certificate governance both a resilience issue and an audit issue. These controls tend to break down in highly distributed environments where certificates are issued by multiple teams, service accounts are embedded in code or pipelines, and no single owner can produce a complete lifecycle record.

Common Variations and Edge Cases

Tighter machine-identity control often increases operational overhead, requiring organisations to balance auditability against uptime and deployment speed. That tradeoff is real, especially in environments with legacy applications, shared middleware, vendor-managed appliances, or long-lived embedded certificates that cannot be changed on a normal sprint cadence.

Best practice is evolving, but current guidance suggests treating exceptions explicitly rather than letting them become hidden standard practice. For example, a legacy service account may need temporary standing access while a replacement is built, but that exception should still have an owner, expiry date, compensating monitoring, and documented approval. The same logic applies to certificates on air-gapped or fragile systems, where automated renewal may not be possible. In those cases, teams should at least maintain a renewal calendar, test replacement procedures, and keep revocation paths documented.

Edge cases also include service accounts used by third parties, CI/CD tools, and managed services. These often sit outside normal user access reviews, which is why they are so often missed during assessments. The 52 NHI Breaches Analysis is a reminder that machine-identity failures are not theoretical, and the Sisense breach shows how exposure can cascade when a non-human identity is not tightly governed.

For CMMC readiness, the practical rule is simple: if a service account or certificate can authenticate, authorize, or automate access, it needs the same level of ownership and evidence discipline as any other controlled asset.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle and rotation of service accounts and certificates.
NIST CSF 2.0 | PR.AC-1 | Identity and access control applies directly to non-human identities.
NIST AI RMF | (no specific control cited) | Governance and accountability principles support controlled machine identity use.

Establish ownership, monitoring, and lifecycle accountability for all machine identities in regulated environments.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.