Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why does Matter create new security governance issues…
Governance, Ownership & Risk

Why does Matter create new security governance issues for connected devices?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Matter standardises how devices connect, but it does not remove the need to decide which devices are trusted, how long that trust lasts, and how it is withdrawn. Those are governance questions, not protocol questions. Without lifecycle controls, interoperability can expand the attack surface faster than security teams can control it.

Why This Matters for Security Teams

Matter reduces one of the biggest adoption blockers for connected devices by standardising interoperability, but standardisation also makes governance decisions more visible. Security teams still need to decide which device classes are allowed, who can provision them, what trust anchors are acceptable, and how device access is revoked when a product is retired, resold, or compromised. Those are lifecycle and policy questions, not protocol features.

This matters because a shared device standard can scale both control and exposure. If onboarding is fast but ownership records, certificate state, and recovery procedures are weak, the environment can accumulate stale trust and unmanaged reach. That is the same pattern highlighted in NHIMG research on lifecycle management in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, where operational trust outlives intended use unless it is actively governed. Current guidance suggests treating connected devices as identities with expiry, not just endpoints with firmware.

For broader control alignment, the NIST Cybersecurity Framework 2.0 is useful for mapping governance, inventory, protection, and recovery activities onto a connected-device program. In practice, many security teams discover Matter risk only after devices have already been deployed widely and ownership, revocation, and exception handling are still being improvised.

How It Works in Practice

In practice, Matter governance starts before devices are added to a network. Teams need device intake criteria, approved vendor lists, trust chain requirements, and a documented process for commissioning and decommissioning. Because Matter aims to make onboarding easier, the main control challenge is to ensure that ease of connection does not become permanent entitlement.

A practical governance model usually includes three layers:

  • Identity and trust establishment: define which certificates, fabrics, or controllers are authorised, and who can approve them.

  • Operational control: track device ownership, firmware status, support status, and whether the device is still in service.

  • Revocation and recovery: remove trust when devices are lost, transferred, retired, or show suspicious behaviour.

That approach aligns well with NHIMG guidance in the Top 10 NHI Issues, especially the recurring problems of credential sprawl, weak lifecycle visibility, and privilege that outlasts purpose. It also maps to the accountability expectations described in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives, where auditability depends on knowing who approved access, when it was granted, and how it is withdrawn.

From a standards perspective, EU Cyber Resilience Act expectations reinforce the need for secure-by-design lifecycle controls, while NIST CSF 2.0 supports a repeatable governance model for inventory, access control, monitoring, and incident response. These controls tend to break down when consumer smart devices are mixed with enterprise-managed systems because ownership, update authority, and revocation paths are often inconsistent across product lines.

Common Variations and Edge Cases

Tighter device governance often increases onboarding effort and operational overhead, requiring organisations to balance interoperability gains against the cost of policy enforcement. That tradeoff is especially sharp in mixed environments where some devices support robust admin controls and others rely on consumer-style app pairing.

There is no universal standard for Matter governance maturity yet, so current guidance suggests adjusting control depth to the risk of the environment. A small office deployment may only need approved-device lists, firmware tracking, and periodic access review. A regulated or high-trust environment usually needs stronger separation of duties, formal exception handling, and revocation testing. The governance issue is not whether devices can connect, but whether their trust can be bounded.

Edge cases often appear when devices are transferred between owners, integrated through third-party hubs, or managed across multiple admin domains. In those situations, security teams should treat each controller and management plane as part of the trust chain, not just the device itself. That is where identity concepts matter most: the device may be “connected,” but the real control question is whether its non-human identity remains valid for the right purpose, for the right duration, under the right authority.

In practice, governance gaps surface when the ecosystem expands faster than the organisation’s ability to inventory devices, verify trust state, and prove revocation has actually happened.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 set the technical controls, while EU Cyber Resilience Act define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.AMMatter governance depends on accurate device inventory and lifecycle visibility.
EU Cyber Resilience ActThe CRA reinforces secure-by-design lifecycle governance for connected products.

Build product and procurement requirements around secure lifecycle support and updateability.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org