Because insurers increasingly want proof that access is controlled, monitored, and explainable. Unmanaged devices and apps undermine that proof by bypassing posture checks, identity logs, and policy enforcement. The result is not only higher exposure to breach claims, but also a weaker negotiating position during underwriting and renewal.
Why This Matters for Security Teams
Unmanaged devices and applications create insurance risk because they break the evidence chain insurers increasingly expect: who accessed what, from where, under which controls, and whether those controls were enforced continuously. If a laptop is not enrolled in endpoint management, or an app is not governed through approved identity and logging paths, the organisation cannot easily prove that access was constrained at the time of loss. That weakens underwriting posture and can complicate claims review.
This is especially visible in environments where non-human identities and secrets are already under pressure. NHI Management Group research shows that only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges, which makes unmanaged access paths harder to detect and harder to defend. The broader risk picture is reinforced in the Ultimate Guide to NHIs — Key Challenges and Risks and the Top 10 NHI Issues, which show how quickly ungoverned access can become a control failure rather than just a hygiene issue.
Insurers and auditors do not need perfect security, but they do expect defensible control. In practice, many security teams encounter coverage friction only after a claim, when logs, device posture, and application ownership are already too incomplete to reconstruct the event.
How It Works in Practice
Underwriters usually assess unmanaged devices and apps as a signal that the organisation cannot consistently enforce access policy. The concern is not merely that a device is personally owned or an application is shadow IT. The concern is that these assets often sit outside the control plane used to verify compliance, rotate credentials, monitor sessions, and revoke access quickly after a security event.
Good practice is to reduce that uncertainty with identity-first controls and provable governance. The Lifecycle Processes for Managing NHIs are a useful reference point because insurers increasingly respond to lifecycle discipline: onboarding, approval, rotation, offboarding, and monitoring. On the technical side, NIST Cybersecurity Framework 2.0 reinforces that access control and continuous monitoring are core risk management functions, not optional extras.
- Require managed endpoints for sensitive access, with posture checks before granting access.
- Route application access through approved identity providers and central logging.
- Inventory service accounts, API keys, and machine users so they can be tied to ownership and business purpose.
- Replace standing credentials with time-bound access where possible, especially for third-party tools and admin actions.
- Retain logs that show policy enforcement, not just authentication success.
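The five controls above are easier to reason about as one enforcement path: a request arrives, each control is checked, and the decision is written out with the reasons that produced it. The following Python is an added example, not code from NHI Mgmt Group, and every registry in it (the device posture table, the app registry, the identity inventory and the fixed clock) is constructed sample data standing in for whatever endpoint-management, IdP and inventory systems an organisation actually runs.

```python
"""Access-policy evaluator that records *why* a decision was made.

Added example (not the page's or NHI Mgmt Group's own code). It applies the
page's controls: posture check before sensitive access, app routed through
the approved IdP and central logging, inventory record with an owner, and
time-bound credentials for admin actions. The decision log it emits is the
"policy enforcement" evidence the page contrasts with a bare auth-success log.
All registries below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 11, 12, 0, tzinfo=timezone.utc)  # fixed clock, keeps runs reproducible
MAX_PATCH_AGE = timedelta(days=30)                        # assumed posture rule

# Constructed endpoint-management registry: device id -> posture facts.
MANAGED_DEVICES = {
    "lt-0042": {"disk_encrypted": True, "edr_running": True, "last_patched": NOW - timedelta(days=3)},
    "lt-0099": {"disk_encrypted": True, "edr_running": False, "last_patched": NOW - timedelta(days=45)},
}

# Constructed app registry: is the app federated through the approved IdP and
# does it forward audit events to central logging? "wiki-export" is shadow SaaS.
APPS = {
    "hr-portal": {"idp_federated": True, "central_logging": True},
    "wiki-export": {"idp_federated": False, "central_logging": False},
}

# Constructed identity inventory: principal -> kind, owner, credential, expiry (None = standing).
PRINCIPALS = {
    "alice": {"kind": "human", "owner": "alice", "credential": "sso-session",
              "expires": NOW + timedelta(hours=8)},
    "svc-backup": {"kind": "nhi", "owner": "platform-team", "credential": "api-key",
                   "expires": None},
    "svc-deploy": {"kind": "nhi", "owner": "platform-team", "credential": "oidc-token",
                   "expires": NOW + timedelta(minutes=15)},
}


@dataclass
class Decision:
    allowed: bool = True
    reasons: list[str] = field(default_factory=list)

    def deny(self, why: str) -> None:
        self.allowed = False
        self.reasons.append(why)


def posture_failures(device_id: str | None) -> list[str]:
    """Return the posture checks a device fails; empty list means it passes."""
    dev = MANAGED_DEVICES.get(device_id)
    if dev is None:
        return [f"device {device_id} not enrolled in endpoint management"]
    failures = []
    if not dev["disk_encrypted"]:
        failures.append("disk encryption missing")
    if not dev["edr_running"]:
        failures.append("EDR agent not running")
    if NOW - dev["last_patched"] > MAX_PATCH_AGE:
        failures.append("patch age exceeds 30 days")
    return failures


def evaluate(principal: str, device_id: str | None, app: str,
             sensitive: bool, admin: bool) -> Decision:
    """Apply each control and return an explainable decision."""
    d = Decision()
    ident = PRINCIPALS.get(principal)
    if ident is None:
        d.deny(f"principal {principal} has no inventory record or owner")
        return d
    app_rec = APPS.get(app)
    if app_rec is None or not (app_rec["idp_federated"] and app_rec["central_logging"]):
        d.deny(f"app {app} is not routed through the approved IdP and central logging")
    # Human access to sensitive resources requires a managed device that passes posture;
    # machine principals have no device context, so the check does not apply to them.
    if sensitive and ident["kind"] == "human":
        failures = posture_failures(device_id)
        for why in failures:
            d.deny(why)
        if not failures:
            d.reasons.append("device posture verified")
    if admin:
        exp = ident["expires"]
        if exp is None:
            d.deny("standing credential used for admin action; time-bound access required")
        elif exp < NOW:
            d.deny("credential expired")
        else:
            d.reasons.append("time-bound credential valid")
    if d.allowed and not d.reasons:
        d.reasons.append("no sensitive or admin controls triggered")
    return d


def log_line(principal: str, device_id: str | None, app: str, decision: Decision) -> str:
    """One JSON record per decision: the enforced policy, not just 'auth success'."""
    return json.dumps({"ts": NOW.isoformat(), "principal": principal, "device": device_id,
                       "app": app, "allowed": decision.allowed, "reasons": decision.reasons})


if __name__ == "__main__":
    for args in [("alice", "lt-0042", "hr-portal", True, False),
                 ("alice", "lt-0099", "hr-portal", True, False),
                 ("svc-backup", None, "hr-portal", True, True),
                 ("svc-deploy", None, "hr-portal", True, True)]:
        print(log_line(args[0], args[1], args[2], evaluate(*args)))
```

The point of the `reasons` list is that a denied request and an allowed request both leave a record of which control fired, so a reviewer reconstructing an incident later can see that posture and credential lifetime were actually enforced at that moment rather than inferring it from a policy document.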
For insurers, the strongest evidence is not a policy document but an operational trail showing that access was controlled, monitored, and reversible. That is why unmanaged devices and apps become a pricing and claims issue, not just a security exception. These controls tend to break down when contractors, mergers, or rapid SaaS adoption create parallel access paths that security teams never fully onboard into the main identity program.
Common Variations and Edge Cases
Tighter device and application control often increases friction for users and administrators, requiring organisations to balance coverage expectations against speed of adoption and third-party access. That tradeoff becomes sharper in BYOD, remote work, and partner ecosystems, where blanket bans are unrealistic but weak exception handling is expensive.
Best practice is evolving, and there is no universal standard for this yet. Some insurers focus heavily on managed endpoints, while others care more about demonstrable identity controls, log retention, and revocation speed. The pragmatic answer is to classify unmanaged devices and apps by risk tier rather than treat every exception the same. A low-risk collaboration app may be tolerable with limited data access, while an unmanaged admin console or secrets-bearing integration should be treated as a material exposure.
External events also matter. Guidance from CISA cyber threat advisories is a useful reminder that attackers routinely exploit weak identity boundaries, stale credentials, and poorly governed remote access. For organisations mapping insurance readiness, the practical benchmark is whether unmanaged access can be detected, constrained, and revoked quickly enough to limit loss. When those capabilities do not exist, the insurance conversation shifts from coverage quality to exception management.
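To make the tiering concrete, here is an added Python example (not the page's or NHI Mgmt Group's own tooling) that classifies an inventory of unmanaged devices, apps and integrations by risk tier as the previous paragraphs describe, attaches the actions needed before each exception is defensible, and summarises whether unmanaged access can be revoked within a target window. The inventory, the 90-day rotation SLA and the 60-minute revocation target are all constructed assumptions.

```python
"""Risk-tier classification for unmanaged devices, apps and integrations.

Added example, not the page's own code. Tiering follows the page's rule of
thumb: a low-risk collaboration app with limited data access is tolerable,
while an unmanaged admin console or secrets-bearing integration is a
material exposure. Secrets are flagged for rotation or revocation when
ownership or device trust is unclear. Inventory and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 6, 11)   # fixed clock
ROTATION_SLA_DAYS = 90      # assumed internal rotation policy


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                          # "app", "device" or "integration"
    managed: bool                      # enrolled in MDM / routed through the approved IdP
    data_class: str                    # "public", "internal" or "confidential"
    holds_secrets: bool                # carries API keys, tokens or admin credentials
    admin_capable: bool                # can change configuration or grant access
    owner: str | None                  # None = nobody accountable
    last_rotation: date | None         # None = never rotated / unknown
    revocable_in_minutes: int | None   # None = no known revocation path


# Constructed inventory of exceptions a security team might be tracking.
INVENTORY = [
    Asset("team-whiteboard", "app", False, "internal", False, False, "design-lead", None, 60),
    Asset("legacy-admin-console", "app", False, "confidential", True, True, None, date(2025, 1, 10), None),
    Asset("ci-deploy-bot", "integration", True, "confidential", True, True, "platform-team", date(2026, 5, 30), 5),
    Asset("contractor-laptop-7", "device", False, "confidential", False, False, "vendor-x", None, None),
    Asset("crm-sync", "integration", False, "confidential", True, False, "sales-ops", date(2026, 1, 1), 30),
]


def classify(a: Asset) -> tuple[str, list[str]]:
    """Return (tier, actions): tier reflects what the asset can reach, actions are the
    steps required before the exception is defensible."""
    actions: list[str] = []
    secret_exposure = a.holds_secrets and a.data_class == "confidential"
    if a.managed:
        tier = "low"
    elif a.admin_capable or secret_exposure:
        tier = "material"   # unmanaged admin console or secrets-bearing integration
    elif a.holds_secrets or a.data_class == "confidential":
        tier = "medium"
    else:
        tier = "low"
        actions.append("tolerate with limited data access")

    if not a.managed and tier != "low":
        if a.kind == "device":
            actions.append("block sensitive access until enrolled (device trust unclear)")
        else:
            actions.append("onboard into approved IdP and central logging")
    if a.owner is None:
        actions.append("assign an owner")
        if a.holds_secrets:
            actions.append("rotate or revoke secrets (ownership unclear)")
    rotation_overdue = a.last_rotation is None or (TODAY - a.last_rotation).days > ROTATION_SLA_DAYS
    if a.holds_secrets and rotation_overdue:
        actions.append(f"rotate secret (older than {ROTATION_SLA_DAYS} days)")
    if a.revocable_in_minutes is None:
        actions.append("define a revocation path")
    return tier, actions


def readiness(inventory: list[Asset], max_revocation_minutes: int = 60) -> dict[str, int]:
    """Counts that answer the page's benchmark: can unmanaged access be detected,
    constrained and revoked quickly enough to limit loss?"""
    unmanaged = [a for a in inventory if not a.managed]
    revocable = [a for a in unmanaged
                 if a.revocable_in_minutes is not None and a.revocable_in_minutes <= max_revocation_minutes]
    return {
        "unmanaged": len(unmanaged),
        "material": sum(1 for a in inventory if classify(a)[0] == "material"),
        "unowned": sum(1 for a in inventory if a.owner is None),
        "unmanaged_revocable_within_target": len(revocable),
    }


if __name__ == "__main__":
    for asset in INVENTORY:
        tier, actions = classify(asset)
        print(f"{asset.name:<24} {tier:<9} {'; '.join(actions) or 'no action'}")
    print(readiness(INVENTORY))
```

Treating the tier and the action list as separate outputs matters for the insurance conversation: the tier says how much an exception exposes, while the actions show the reviewer that a known path exists to constrain or revoke it.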
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged apps often rely on stale credentials and weak rotation discipline. |
| NIST CSF 2.0 | PR.AC-4 | Controls access based on identity and policy, which unmanaged devices bypass. |
| NIST AI RMF | | Governance and measurement support explainable access decisions for insurers. |
Inventory all machine identities and rotate or revoke secrets when ownership or device trust is unclear.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org