Because they weaken the assumption that one person, one device, and one session are aligned. When multiple users share endpoints or staff alternate between enterprise and personal devices, session trust becomes harder to maintain and revoke cleanly. That creates more room for credential abuse, delayed detection, and unmanaged residual access.
Why This Matters for Security Teams
Shared workstations and mixed devices weaken the basic identity assumption that a session belongs to one known user on one known endpoint. In public safety settings, that matters because dispatch, records access, evidence review, and field operations often run across shift changes, hot desks, kiosks, and mobile devices. The result is not just inconvenience; it is a higher chance that authentication, session state, and device trust drift out of sync.
Current guidance suggests that identity risk rises when teams rely on static login events instead of continuous trust decisions. A credential used on a public terminal can be replayed by the next user, while a personal device may retain cached tokens, browser sessions, or unmanaged copies of sensitive data. NIST’s Cybersecurity Framework 2.0 frames this as an asset and access governance problem, but the operational failure is usually more practical than theoretical: the device is not reliably tied to the person, and the session is not reliably tied to the task. NHIMG’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x, which is a reminder that mixed trust models create large, persistent identity surfaces.
In practice, many security teams encounter misuse of shared access only after a public terminal, remembered browser session, or copied token has already been used outside the intended shift.
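The after-the-fact discovery described above can be pulled forward by correlating authentication events with the shift roster. The following is an added example, not code from the original article or from NHIMG: it replays a constructed log of login, action and logout events per terminal and flags three patterns, an action performed outside the acting user's scheduled shift, a new login on a terminal where another user's session is still open (a left-behind session), and sessions that were never closed. The log format, terminal names and shift table are all constructed for the demonstration.

```python
"""Detect residual-session use on shared terminals from authentication logs.

Added example; the log format, user names and shift roster below are
constructed for illustration and are not from any real system.
"""
from datetime import datetime, time

# Constructed sample log, one event per line: "<ISO time> <event> <user> <terminal>".
# Lines are deliberately not in time order, as exported logs often are not.
SAMPLE_LOG = """\
2026-06-24T06:02:10 LOGIN  ofc.alvarez DISPATCH-03
2026-06-24T09:15:44 ACTION ofc.alvarez DISPATCH-03
2026-06-24T14:07:31 ACTION ofc.alvarez DISPATCH-03
2026-06-24T14:12:05 LOGIN  ofc.chen    DISPATCH-03
2026-06-24T14:20:48 ACTION ofc.alvarez DISPATCH-03
2026-06-24T14:25:00 LOGOUT ofc.chen    DISPATCH-03
2026-06-24T08:00:00 LOGIN  rec.patel   RECORDS-01
2026-06-24T11:30:00 LOGOUT rec.patel   RECORDS-01
"""

# Constructed shift roster: user -> (shift start, shift end), local clock time.
SHIFTS = {
    "ofc.alvarez": (time(6, 0), time(14, 0)),
    "ofc.chen": (time(14, 0), time(22, 0)),
    "rec.patel": (time(8, 0), time(16, 0)),
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, event, user, terminal), time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, terminal = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, terminal))
    events.sort(key=lambda e: e[0])
    return events


def in_shift(t, start, end):
    """True if clock time t falls in [start, end); handles shifts that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def detect_residual_use(events, shifts):
    """Return findings as (rule, terminal, timestamp, users)."""
    open_sessions = {}  # terminal -> set of users with no LOGOUT yet
    findings = []
    for ts, kind, user, terminal in events:
        open_users = open_sessions.setdefault(terminal, set())
        if kind == "LOGIN":
            leftovers = open_users - {user}
            if leftovers:  # someone else's session is still live on this terminal
                findings.append(("leftover_session", terminal, ts, sorted(leftovers)))
            open_users.add(user)
        elif kind == "LOGOUT":
            open_users.discard(user)
        elif kind == "ACTION":
            if user not in open_users:
                findings.append(("action_without_login", terminal, ts, [user]))
            start, end = shifts[user]
            if not in_shift(ts.time(), start, end):
                findings.append(("outside_shift", terminal, ts, [user]))
    for terminal, users in open_sessions.items():
        for u in sorted(users):  # sessions still open when the log ends
            findings.append(("never_logged_out", terminal, None, [u]))
    return findings


if __name__ == "__main__":
    for finding in detect_residual_use(parse_log(SAMPLE_LOG), SHIFTS):
        print(finding)
```

On the constructed log this reports two actions by `ofc.alvarez` after the 14:00 shift end, a login by `ofc.chen` while that session was still open, and the `ofc.alvarez` session as never closed, which together describe exactly the left-behind-session scenario the article warns about. A production version would read the roster from the scheduling system and the events from the identity provider or SIEM rather than from inline strings.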
How It Works in Practice
The risk is created by the combination of endpoint sharing and identity persistence. On a shared workstation, one user may authenticate, step away, and leave behind an active session, cached token, downloaded file, or browser auto-fill. On a mixed-device model, the same worker may alternate between a managed laptop, a rugged field tablet, and a personal phone, each with different controls, patch status, and data handling rules. That makes revocation harder because there is no single clean boundary for logout, certificate revocation, or session invalidation.
Practitioners should treat this as a continuous trust problem, not a one-time login problem. That usually means aligning identity with device posture and session context, then tightening access at the moment of use. Typical controls include:
- Short-lived sessions with automatic timeout and step-up reauthentication for sensitive actions.
- Device-bound authentication so a token cannot simply move to the next user or endpoint.
- Separate profiles or containers for enterprise and personal use to reduce cross-contamination.
- Rapid remote wipe or token revocation processes for lost, shared, or reassigned devices.
- Policy checks at login and at transaction time, not only at account provisioning.
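The controls in the list above fit together into a single per-request trust decision. The following is an added example, not code from the original article or from NHIMG, showing one way to implement them in a session service: the session key is derived from the token and the device identifier so a copied bearer string fails from another endpoint, lifetime and idle limits revoke a left-behind session, sensitive actions require a managed device and a recent step-up, and device reassignment revokes every live session on that endpoint. The thresholds, the `Device` posture fields, the action names and the `demo()` scenario are illustrative assumptions.

```python
"""Continuous session-trust checks for shared workstations and mixed devices.

Added example, not code from the original article. Thresholds, posture
fields and the sensitive-action set are illustrative assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in enterprise device management
    compliant: bool  # posture check (encryption, patch level, ...) passed


@dataclass
class Session:
    user: str
    device_id: str
    created: datetime
    last_seen: datetime
    stepped_up_at: Optional[datetime] = None  # last strong reauthentication
    revoked: bool = False


class SessionPolicy:
    MAX_LIFETIME = timedelta(hours=8)      # roughly one shift (assumption)
    IDLE_TIMEOUT = timedelta(minutes=10)   # walk-away window on a shared desk
    STEP_UP_WINDOW = timedelta(minutes=5)  # how long a step-up stays fresh
    SENSITIVE = {"export_evidence", "modify_record"}

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # device-bound key -> session

    @staticmethod
    def _bind(token: str, device_id: str) -> str:
        # Key covers device id and token together: the same bearer string
        # presented from another endpoint never resolves to a session.
        return hashlib.sha256(f"{device_id}:{token}".encode()).hexdigest()

    def login(self, user: str, device: Device, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[self._bind(token, device.device_id)] = Session(
            user, device.device_id, now, now)
        return token

    def step_up(self, token: str, device: Device, now: datetime) -> bool:
        """Record a fresh strong reauthentication for this bound session."""
        s = self.sessions.get(self._bind(token, device.device_id))
        if s is None or s.revoked:
            return False
        s.stepped_up_at = now
        return True

    def authorize(self, token: str, device: Device, action: str,
                  now: datetime) -> Tuple[bool, str]:
        """Evaluate trust at the moment of use, not only at login."""
        s = self.sessions.get(self._bind(token, device.device_id))
        if s is None:
            return False, "unknown_or_wrong_device"
        if s.revoked:
            return False, "revoked"
        if now - s.created > self.MAX_LIFETIME:
            s.revoked = True
            return False, "expired"
        if now - s.last_seen > self.IDLE_TIMEOUT:
            s.revoked = True  # a left-behind session dies here, not at next login
            return False, "idle_timeout"
        if not device.compliant:
            return False, "device_noncompliant"
        if action in self.SENSITIVE:
            if not device.managed:
                return False, "sensitive_requires_managed_device"
            if s.stepped_up_at is None or now - s.stepped_up_at > self.STEP_UP_WINDOW:
                return False, "step_up_required"
        s.last_seen = now
        return True, "ok"

    def revoke_device(self, device_id: str) -> int:
        """Revoke every live session on a reassigned, shared or lost device."""
        count = 0
        for s in self.sessions.values():
            if s.device_id == device_id and not s.revoked:
                s.revoked = True
                count += 1
        return count


def demo() -> Tuple[List[str], int]:
    """Constructed scenario: a shift handoff on a shared kiosk plus a personal phone."""
    policy, m = SessionPolicy(), timedelta(minutes=1)
    t0 = datetime(2026, 6, 24, 6, 0)
    kiosk = Device("KIOSK-07", managed=True, compliant=True)
    phone = Device("PHONE-alvarez", managed=False, compliant=True)
    tok = policy.login("ofc.alvarez", kiosk, t0)
    out = [policy.authorize(tok, kiosk, "view_dispatch", t0 + 1 * m)[1],
           policy.authorize(tok, phone, "view_dispatch", t0 + 2 * m)[1],   # token moved
           policy.authorize(tok, kiosk, "export_evidence", t0 + 3 * m)[1]]
    policy.step_up(tok, kiosk, t0 + 3 * m)
    out.append(policy.authorize(tok, kiosk, "export_evidence", t0 + 4 * m)[1])
    out.append(policy.authorize(tok, kiosk, "view_dispatch", t0 + 20 * m)[1])  # walked away
    ptok = policy.login("ofc.alvarez", phone, t0 + 21 * m)
    out.append(policy.authorize(ptok, phone, "export_evidence", t0 + 22 * m)[1])
    tok2 = policy.login("ofc.chen", kiosk, t0 + 23 * m)
    revoked = policy.revoke_device("KIOSK-07")  # kiosk reassigned at handoff
    out.append(policy.authorize(tok2, kiosk, "view_dispatch", t0 + 24 * m)[1])
    return out, revoked
```

The idle timeout revokes the session server-side rather than merely rejecting the request, so a token left behind on the kiosk cannot be revived by the next user, and `revoke_device` gives the help desk one call to clear a reassigned or lost endpoint. Binding the key to a device identifier only helps if that identifier is attested by the endpoint (for example by a device certificate or platform authenticator) rather than self-reported; this example treats it as already trusted.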
For public safety environments, this should be paired with a realistic understanding of operational friction. Evidence systems, CAD tools, and mobile response workflows often need fast access under stress, so the control objective is to limit residual access without slowing emergency operations. NHIMG’s 52 NHI Breaches Analysis and the Key Challenges and Risks section both reinforce the same operational theme: weak lifecycle control becomes expensive when access is reused across contexts. These controls tend to break down when shared kiosks lack strong session isolation and when personal devices are allowed to retain enterprise tokens because revocation is not centrally enforced.
Common Variations and Edge Cases
Tighter device and session control often increases operational overhead, so organisations must balance speed of access against the need to prevent residual trust. That tradeoff is especially visible in public safety operations where shift handoffs, temporary assignments, and mutual aid create legitimate reasons for multiple users to touch the same endpoint.
Best practice is evolving, but a few patterns are clear. If a workstation is shared, it should behave like a controlled access point rather than a personal computer. That means non-persistent sessions, locked-down browsers, automatic logoff, and minimal local storage. If mixed devices are unavoidable, access decisions should depend on current device state, not just user identity. NIST’s identity guidance supports that direction, while the Top 10 NHI Issues highlights how persistent credentials and weak lifecycle hygiene amplify risk across any shared environment.
There is no universal standard for this yet across public safety IT, but the practical rule is simple: the more people and device types that can touch a session, the less reliable static trust becomes. Mixed environments need tighter timeout policies, stronger revocation, and clearer separation between managed and personal usage. Otherwise, the next authorized login can become the easiest path to unauthorized reuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared devices magnify stale credential and session-revocation risk. |
| NIST CSF 2.0 | PR.AC-4 | Access management must account for shared endpoints and mixed trust states. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero Trust requires continuous verification across users, devices, and sessions. |
Use short-lived credentials and enforce rapid revocation when sessions or devices change.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org