Request workflows weaken IAM when routing, approval, and closure are treated as process convenience instead of control design. If approvers lack context, if access is granted without recertification, or if offboarding is not linked to the original request, the system produces visibility without lifecycle enforcement: the request may be tracked perfectly while the entitlement remains risky.
Why This Matters for Security Teams
Service request workflows are often treated as a ticketing problem, but the security failure usually happens when the workflow becomes the control itself. A well-logged request does not equal a well-governed entitlement if approval is disconnected from privilege scope, time limits, or revocation. NIST Cybersecurity Framework 2.0 frames identity management and access control as outcomes to be enforced and reviewed, not just recorded, which is why process visibility alone does not close the risk gap.
In NHI environments the gap is sharper, because service accounts, API keys, and automation identities can persist long after the request that created them. NHIMG data shows only 20% of organisations have a formal process for offboarding and revoking API keys, and even fewer rotate them consistently, which helps explain why workflows can create a false sense of control. The result is an access trail that looks governed while the actual entitlement remains active, broad, or unmanaged. In practice, many security teams discover this only after a stale request has already become a standing privilege.
How It Works in Practice
A secure request workflow should be designed as an access lifecycle, not a handoff queue. The request should define who or what needs access, what resource is being requested, why the access is needed, how long it should last, and what event will trigger removal. That is the operational difference between process convenience and control design.
For service accounts and other NHIs, current guidance suggests pairing approvals with workload identity, short-lived credentials, and explicit expiration. Instead of granting a long-lived secret when a ticket is approved, the workflow should trigger just-in-time provisioning, issue a scoped token or certificate, and revoke it automatically when the task ends. This is where NHI governance and workflow design overlap: the approval is only the start of the control, not the end.
Practitioners should also ensure that the workflow enforces review at the right points:
- approval must map to a named resource and a defined privilege set, not a generic role
- closure must revoke access, not merely close the ticket
- recertification must confirm continued need, especially for standing service accounts
- offboarding must trace back to the original request so orphaned access cannot survive team changes
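The following is an added example for this page, not NHIMG code or any product's API, showing the lifecycle described above as code: a request that carries subject, named resource, explicit privilege set, justification, TTL and removal trigger; an approval step that rejects wildcards and generic roles; just-in-time issuance of a scoped, signed, short-lived token; and closure, offboarding and TTL expiry that all revoke rather than merely close. It assumes an in-memory store standing in for both the ticketing and identity systems, an HMAC-signed token format chosen for illustration, and a hypothetical signing key; the class and method names are invented.

```python
"""Access request as a lifecycle control (illustrative example, not NHIMG code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

SIGNING_KEY = secrets.token_bytes(32)  # assumption: stands in for the issuer's key


@dataclass
class AccessRequest:
    request_id: str
    subject: str              # who or what needs access, e.g. "svc:ci-deployer"
    resource: str             # a named resource, never a wildcard
    privileges: frozenset     # explicit privilege set, never a generic role
    justification: str
    ttl_seconds: int
    removal_trigger: str      # event that ends access: "job_complete", "ticket_closed", ...
    approver: str | None = None


@dataclass
class Grant:
    request_id: str
    subject: str
    token_id: str
    expires_at: float
    revoked_reason: str | None = None


class AccessLifecycle:
    """Ticket state and entitlement state live together, so they cannot drift apart."""

    def __init__(self, max_ttl: int = 3600, clock=time.time):
        self.max_ttl = max_ttl
        self.clock = clock                       # injectable for tests and replay
        self.requests: dict[str, AccessRequest] = {}
        self.grants: dict[str, Grant] = {}       # token_id -> Grant

    def approve(self, req: AccessRequest, approver: str) -> None:
        # Approval must map to a named resource and a defined privilege set.
        if not req.resource or "*" in req.resource:
            raise ValueError("approval requires a named resource, not a wildcard")
        if not req.privileges or any(p.startswith("role:") for p in req.privileges):
            raise ValueError("approval requires explicit privileges, not a generic role")
        if not 0 < req.ttl_seconds <= self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}] seconds")
        if not req.removal_trigger:
            raise ValueError("request must name the event that removes access")
        req.approver = approver
        self.requests[req.request_id] = req

    def issue(self, request_id: str) -> str:
        """Just-in-time issuance: a scoped, signed, short-lived token tied to the request."""
        req = self.requests[request_id]
        token_id = secrets.token_hex(8)
        exp = self.clock() + req.ttl_seconds
        payload = {"jti": token_id, "req": request_id, "sub": req.subject,
                   "res": req.resource, "priv": sorted(req.privileges), "exp": exp}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        self.grants[token_id] = Grant(request_id, req.subject, token_id, exp)
        return f"{body}.{sig}"

    def verify(self, token: str) -> dict | None:
        """Policy check at execution time: signature, expiry and revocation state."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        grant = self.grants.get(payload["jti"])
        if grant is None or grant.revoked_reason or self.clock() >= grant.expires_at:
            return None
        return payload

    def _revoke(self, predicate, reason: str) -> list[str]:
        hit = [g for g in self.grants.values() if g.revoked_reason is None and predicate(g)]
        for g in hit:
            g.revoked_reason = reason
        return sorted({g.request_id for g in hit})   # originating requests, for the audit trail

    def close(self, request_id: str) -> list[str]:
        # Closure revokes access; it does not merely close the ticket.
        return self._revoke(lambda g: g.request_id == request_id, "ticket_closed")

    def offboard(self, subject: str) -> list[str]:
        # Offboarding traces back to the originating requests, so no orphaned grant survives.
        return self._revoke(lambda g: g.subject == subject, "subject_offboarded")

    def sweep(self) -> list[str]:
        # Bounded TTL: anything past expiry is revoked even if nobody closed the ticket.
        return self._revoke(lambda g: self.clock() >= g.expires_at, "ttl_expired")
```

The point of keeping `requests` and `grants` in one object is that every revocation path (closure, offboarding, expiry) returns the request IDs it acted on, so the audit trail and the entitlement state are the same record rather than two systems that must be reconciled later.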
NHIMG research on Ultimate Guide to NHIs — Standards is useful here because it frames lifecycle, rotation, and offboarding as governance requirements rather than administrative cleanup. For a related failure mode, Azure Key Vault privilege escalation exposure shows how overbroad access can turn a routine control path into an escalation path. These controls tend to break down when requests are approved across hybrid pipelines with no authoritative owner for revocation, because the ticket system and the identity system drift out of sync.
Common Variations and Edge Cases
Tighter request controls often increase operational overhead, so organisations have to balance speed against assurance. That tradeoff becomes visible in environments where access is requested frequently, approvals are distributed across teams, or service accounts are created automatically by CI/CD tools.
There is no universal standard for every workflow pattern yet, but best practice is evolving toward context-aware approvals and policy checks at execution time. For high-volume automation, a manual approval step for every credential may be impractical, so the better pattern is policy-as-code with predefined guardrails, bounded TTLs, and automatic revocation. For low-risk internal tools, a lighter approval path may be acceptable if the entitlement is still time-bound and reviewable.
Two edge cases deserve special attention. First, shared service accounts often defeat request workflows because no single owner can attest to need or revoke access confidently. Second, delegated approval chains can weaken control when approvers are asked to validate business justification without seeing the actual privilege scope. In both cases, the workflow records intent but fails to enforce least privilege. The practical lesson is that request systems should be tied to entitlement lifecycle controls, not treated as a substitute for them. NHIMG’s Ultimate Guide to NHIs is a strong reference point for aligning request, rotation, and offboarding decisions with real access enforcement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Request workflows must not leave NHI credentials alive after the approved need ends. |
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control) | Weak workflows fail when access approval is not enforced and reviewed as least privilege. |
| NIST AI RMF | | Context-aware decisioning is needed when workflows must adapt to runtime access needs. |
Tie every request to TTL-based issuance and automatic revocation when access is no longer needed.
Related resources from NHI Mgmt Group
- What is the difference between human IAM controls and NHI governance?
- Why do endpoint device controls matter to IAM and governance teams?
- How should teams govern access to regulated data across privacy and IAM workflows?
- What breaks when application controls do not cover service accounts and integrations?
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org