
Why do telecom regulations expose gaps in traditional IAM and PAM programmes?

By NHI Mgmt Group Editorial Team. Updated June 23, 2026. Domain: Governance, Ownership & Risk

Because these programmes often depend on connectors and known accounts, while telecom operations contain many identities outside standard coverage. When IGA sees only part of the estate, and PAM only manages the accounts it knows about, regulators will still see an incomplete control picture.

Why Telecom Regulations Expose IAM and PAM Gaps

Telecom rules expose weaknesses because regulated environments rarely match the neat boundaries assumed by legacy IAM and PAM. Network elements, orchestration platforms, OSS/BSS integrations, field tools, vendor access paths, and service accounts often sit outside the connector coverage that IGA and PAM depend on. That means the programme can look complete in a review while still missing entire identity classes that regulators expect to be controlled.

This is a visibility problem as much as an access problem. NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, and 88.5% say non-human IAM lags human IAM efforts in maturity. When regulators ask who can access what, the answer often depends on whether the account was discovered, onboarded, and mapped correctly. See the Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the NIST Cybersecurity Framework 2.0 for the control expectation around asset visibility and access governance.

In practice, many security teams discover the gap only after an audit request forces them to enumerate identities that their own tooling never fully tracked.

How It Works in Practice

Telecom environments tend to break traditional IAM and PAM assumptions in three ways. First, they contain many machine identities that are not tied to a person, role, or standard joiner-mover-leaver process. Second, access often changes with operations context such as maintenance windows, vendor interventions, emergency changes, or service restoration. Third, the estate is distributed across on-prem platforms, cloud services, edge deployments, and third-party systems, so a single source of truth is difficult to maintain.

That is why current guidance suggests treating non-human access as a lifecycle problem, not just a login problem. The control objective is to discover identities, classify them by business service, understand where secrets live, and enforce short-lived access where possible. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here, especially because long-lived credentials are hard to justify in high-change telecom operations. A practical programme usually combines:

  • continuous discovery of service accounts, API keys, certificates, and automation identities
  • central secret storage with rotation and revocation workflows
  • least-privilege mapping to actual service functions rather than generic job roles
  • conditional elevation for break-glass or maintenance access
  • audit evidence that ties each identity to an owner, service, and expiry rule

Implementation is strongest when identity governance and privileged access are joined to asset management and change control, not run as separate queues. The challenge is not just approving access, but proving the estate was complete when the access decision was made. These controls tend to break down in highly automated telecom stacks with nested vendor tooling because discovery, ownership, and revocation often occur in different systems.

Common Variations and Edge Cases

Tighter control often increases operational overhead, requiring organisations to balance regulatory certainty against service uptime and change speed. That tradeoff is especially visible in telecom, where emergency restoration, field engineering, and partner-managed infrastructure can make strict pre-approval workflows impractical.

Best practice is evolving, but there is no universal standard for every telecom scenario yet. Some access must remain exception-based, with compensating controls such as short-lived credentials, session recording, and post-event review. Other identities, especially automation accounts and API keys, should be redesigned out of the environment where possible. NHIMG data shows 71% of NHIs are not rotated within recommended time frames and 97% carry excessive privileges, which helps explain why inherited access models persist long after they should have been retired. See also the 52 NHI Breaches Analysis and the Anthropic report on AI-orchestrated cyber espionage for examples of how automation and tool access can compound exposure.

Regulatory programmes also need to separate “known but unmanaged” identities from truly hidden ones. The first usually indicates process failure, while the second indicates inventory failure. Telecom audits often expose both at once.
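As an added illustration (not code from this page or from NHIMG), the reconciliation check below sorts identities discovered on the estate into the three states the text describes: managed, known but unmanaged (a process failure) and hidden (an inventory failure), and records the audit findings for each. The identity names, inventory fields and the 90-day rotation window are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class KnownIdentity:
    """What IGA/PAM currently record for an identity (constructed shape)."""
    owner: str | None = None
    service: str | None = None
    vaulted: bool = False          # secret held in the central store
    last_rotated: date | None = None
    expires: date | None = None

def classify(name, known, today, max_age):
    """Return (bucket, findings) for one identity seen on the estate."""
    rec = known.get(name)
    if rec is None:                # inventory failure: nobody recorded it
        return "hidden", ["not in IGA inventory"]
    findings = []                  # process failures: recorded but not governed
    if not rec.owner:
        findings.append("no owner")
    if not rec.service:
        findings.append("no service mapping")
    if not rec.vaulted:
        findings.append("secret not in central vault")
    if rec.expires is None:
        findings.append("no expiry rule")
    elif rec.expires < today:
        findings.append("expired but still present on element")
    if rec.last_rotated is None or today - rec.last_rotated > max_age:
        findings.append("rotation overdue")
    return ("known_unmanaged" if findings else "managed"), findings

def reconcile(discovered, known, today, max_age=timedelta(days=90)):
    """Bucket every discovered identity: managed / known_unmanaged / hidden."""
    report = {"managed": {}, "known_unmanaged": {}, "hidden": {}}
    for name in sorted(discovered):
        bucket, findings = classify(name, known, today, max_age)
        report[bucket][name] = findings
    return report

# Constructed sample: names scraped from element configs vs. what IGA/PAM hold.
TODAY = date(2026, 6, 23)
DISCOVERED = {"svc-oss-sync", "api-orch-deploy", "vendor-ran-maint", "nms-backup"}
KNOWN = {
    "svc-oss-sync": KnownIdentity("oss-team", "OSS/BSS sync", True, date(2026, 5, 1), date(2026, 12, 31)),
    "api-orch-deploy": KnownIdentity(None, "orchestration", True, date(2025, 9, 1), date(2026, 12, 31)),
    "vendor-ran-maint": KnownIdentity("vendor-x", "RAN maintenance"),
}
```

Feeding the report into the audit pack gives the evidence trail the text asks for: every discovered identity lands in exactly one bucket with the reason it is not yet governed.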

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery gaps are the core issue when telecom identities sit outside IAM coverage.
CSA MAESTRO | | Telecom access spans distributed services, vendors, and automation across many planes.
NIST AI RMF | | Runtime access decisions and accountability matter when automated systems act at scale.

Use AI RMF governance to document ownership, oversight, and lifecycle controls for automated access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org