Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security Why do unrevoked credentials increase the risk of…
Cyber Security

Why do unrevoked credentials increase the risk of lateral movement?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

Unrevoked credentials keep expired trust alive. Once an attacker or insider obtains a still-valid token, service account, or email session, they can often use that access to move into adjacent systems that were assumed to be safe. The risk is highest where credentials outlive the business reason for creating them.

Why This Matters for Security Teams

Unrevoked credentials create a trust gap between what the organisation believes is disabled and what an attacker can still use. That matters because lateral movement rarely begins with a loud exploit. It often starts with legitimate access that should have been retired, then expands through shared admin paths, service dependencies, or stale session tokens. The NIST Cybersecurity Framework 2.0 is useful here because it treats access control, asset visibility, and response as linked disciplines rather than isolated tasks.

Security teams often focus on password hygiene while overlooking the wider lifecycle of tokens, API keys, certificates, SSH keys, service accounts, and email sessions. That is a problem because many of these credentials do not behave like human logins. They may persist across cloud consoles, CI/CD pipelines, SaaS tenants, and internal applications long after the original user, workload, or vendor relationship has changed. In NHI environments, the issue is even more pronounced because machine identities are frequently created for convenience and then left to accumulate trust.

In practice, many security teams encounter lateral movement only after a forgotten credential has already been used to traverse systems that were assumed to be isolated.

How It Works in Practice

Once a credential remains valid beyond its intended life, it becomes a reusable foothold. An adversary who obtains it does not need to break in again. They can authenticate, inherit the associated permissions, and then look for adjacent systems that trust the same identity, the same directory, or the same access pattern. This is why unrevoked credentials are closely tied to credential abuse techniques described in the MITRE ATT&CK Enterprise Matrix, especially when valid accounts or stolen session material are used to avoid detection.

In operational terms, the risk grows when organisations have long-lived credentials, weak inventory of where they are used, or incomplete offboarding. Common paths include:

  • service accounts with broad application or database access
  • API keys embedded in CI/CD pipelines or automation scripts
  • refresh tokens that survive password resets
  • SSH keys and certificates with no enforced expiration
  • email or SaaS sessions that remain active after device compromise

Good practice is to bind each credential to a specific purpose, owner, scope, and expiry date. That aligns with OWASP Non-Human Identity Top 10 guidance on machine identity governance, which emphasises inventory, least privilege, rotation, and revocation. For human identities, lifecycle discipline should also reflect NIST SP 800-63 Digital Identity Guidelines, especially where session assurance and reauthentication are part of the control design.

Practically, teams should be able to answer four questions quickly: who owns the credential, what systems trust it, when it expires, and how revocation propagates across dependencies. These controls tend to break down when credentials are reused across multiple environments without central inventory, because revocation in one place does not reach every downstream trust relationship.

Common Variations and Edge Cases

Tighter credential control often increases operational overhead, requiring organisations to balance security against service continuity. That tradeoff is especially visible in legacy systems, batch jobs, and third-party integrations where immediate revocation can interrupt business processes.

Current guidance suggests that not every credential should be treated the same way. Short-lived tokens, just-in-time access, and certificate automation reduce exposure, but best practice is still evolving for environments that mix modern cloud controls with older infrastructure. For example, revoking a single user session may not invalidate cached credentials in downstream apps, and rotating one secret may leave duplicate copies in code repositories or backup systems.

There is also a difference between blocking new use and eliminating existing trust. A disabled account may no longer log in interactively, yet an active OAuth token, mailbox rule, or delegated application grant can still support movement if it is not explicitly revoked. That is why revocation should be tested, not assumed. Teams should validate that identity providers, SaaS platforms, endpoint agents, and secret stores all honour termination events in a timely way. The control intent also maps well to NIST SP 800-53 Rev 5 Security and Privacy Controls for account management and access enforcement.

In regulated or highly interconnected environments, the hardest case is not the obvious admin credential. It is the low-visibility machine identity or session token that nobody thinks to revoke until post-incident analysis shows it was the bridge into more sensitive systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AAIdentity and access management controls reduce exposure from lingering credentials.
OWASP Non-Human Identity Top 10NHI-03Machine identity lifecycle gaps are a core cause of stale, reusable credentials.
MITRE ATT&CKT1078Valid accounts are a common path for attacker movement after credential compromise.
NIST SP 800-63IAL/AALSession assurance and authentication strength matter when credentials remain active too long.
NIST SP 800-53 Rev 5AC-2Account management requires timely disablement and removal of obsolete access.

Use reauthentication, session limits, and assurance checks to reduce the value of stale access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org