Governance, Ownership & Risk

Document-to-Control Gap

By NHI Mgmt Group Updated June 10, 2026 Domain: Governance, Ownership & Risk

The document-to-control gap is the distance between what a policy says should happen and what the system actually proves happened. The wider that gap becomes, the more likely an organisation is to fail audits, trigger remediation, or struggle with cross-border regulatory review.

Expanded Definition

The document-to-control gap describes the mismatch between written policy and verifiable technical evidence. In NHI operations, a policy may require secret rotation, approval logging, or offboarding, but the control only exists if systems can prove those events occurred. That makes the term closely related to evidence quality, auditability, and control enforceability, not just policy drafting.

Definitions vary across vendors because some teams use the phrase for any compliance gap, while others reserve it for situations where a control exists in prose but not in telemetry. NHI Management Group treats it as a governance failure that appears when service accounts, API keys, certificates, or agent permissions cannot be traced through system records, as discussed in the Ultimate Guide to NHIs — Standards. It also aligns with the evidence-driven expectations reflected in the NIST Cybersecurity Framework 2.0.

The most common misapplication is treating a documented process as a working control; the gap shows itself when teams cannot produce logs, attestations, or system state to support the policy.

Examples and Use Cases

Implementing document-to-control alignment rigorously often introduces overhead in instrumentation and evidence collection, requiring organisations to weigh faster policy approval against the cost of proving control execution.

  • A policy requires all secrets to be rotated every 30 days, but the secrets manager does not record rotation events in a retrievable audit trail.
  • An incident response runbook says service-account access must be revoked on termination, yet the IAM system only removes human users and leaves NHI credentials active.
  • A cloud security standard demands approval before privileged API keys are issued, but the approval lives in email while the key is created directly in CI/CD.
  • A cross-border review asks for evidence that agent permissions were time-bound, but the platform stores only the final permission state, not the assignment history.
  • NHI teams map control intent to the evidence expectations outlined in Ultimate Guide to NHIs — Standards and validate operational records against NIST Cybersecurity Framework 2.0.
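The first three scenarios above can be checked mechanically by comparing the policy statement with the system records that would prove it. The following Python is an added example, not code from NHI Management Group; all record formats, field names and sample data are constructed assumptions standing in for a secrets manager, an IAM system and a CI/CD key-issuance log.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for secrets-manager, IAM and CI/CD records;
# none of it comes from the page or from a real system.
AS_OF = datetime(2026, 6, 10)
POLICY_MAX_ROTATION_DAYS = 30

SECRETS_IN_SCOPE = ["db-reader-key", "ci-deploy-token", "billing-api-key"]
ROTATION_EVENTS = [  # audit trail the policy depends on; billing-api-key has none
    {"secret": "db-reader-key", "rotated_at": "2026-05-20"},
    {"secret": "ci-deploy-token", "rotated_at": "2026-04-01"},
]
TERMINATIONS = [{"user": "alice", "owned_nhis": ["svc-alice-etl"]}]
REVOCATIONS = [{"principal": "alice", "revoked_at": "2026-05-01"}]  # human only
KEY_ISSUANCES = [{"key_id": "k-1", "issued_at": "2026-06-01"},
                 {"key_id": "k-2", "issued_at": "2026-06-03"},
                 {"key_id": "k-3", "issued_at": "2026-06-05"}]  # approved by email only
APPROVALS = [{"key_id": "k-1", "approved_at": "2026-05-31"},
             {"key_id": "k-2", "approved_at": "2026-06-04"}]  # recorded after issuance

def rotation_gaps(secrets, events, max_days, as_of):
    """Map each in-scope secret to a reason when its rotation cannot be proven."""
    last = {}
    for e in events:
        ts = datetime.fromisoformat(e["rotated_at"])
        last[e["secret"]] = max(ts, last.get(e["secret"], ts))
    gaps = {}
    for s in secrets:
        if s not in last:
            gaps[s] = "no rotation evidence"
        elif (age := (as_of - last[s]).days) > max_days:
            gaps[s] = f"last rotation {age} days ago"
    return gaps

def offboarding_gaps(terminations, revocations):
    """NHIs owned by a terminated user that have no revocation record of their own."""
    revoked = {r["principal"] for r in revocations}
    return sorted(n for t in terminations for n in t["owned_nhis"] if n not in revoked)

def approval_gaps(issuances, approvals):
    """Key ids issued without a system-recorded approval dated at or before issuance."""
    approved = {a["key_id"]: datetime.fromisoformat(a["approved_at"]) for a in approvals}
    return sorted(i["key_id"] for i in issuances
                  if i["key_id"] not in approved
                  or approved[i["key_id"]] > datetime.fromisoformat(i["issued_at"]))
```

Each function returns the gap itself (the secret, account or key for which the policy cannot be evidenced), which is the list an auditor will ask for before accepting that the control exists.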

Why It Matters in NHI Security

Document-to-control gaps are especially dangerous in NHI programs because non-human identities move faster, operate at machine scale, and often bypass the manual checks that human access reviews depend on. When policy language is not backed by enforceable workflow, organisations can believe they have rotation, revocation, or least-privilege controls when they actually have only intent.

This matters because NHI exposure is already widespread: NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, and 91.6% of secrets remain valid five days after notification, showing how weak evidence and slow remediation compound each other. That pattern is documented in the Ultimate Guide to NHIs, and it is exactly the sort of control problem that the NIST Cybersecurity Framework 2.0 pushes organisations to measure through verifiable outcomes.

Organisations typically encounter the document-to-control gap only after an audit, breach review, or regulatory request exposes that the evidence trail is missing, at which point closing the gap becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-08 | NHI controls require proof that lifecycle actions and access changes are actually enforced.
NIST CSF 2.0 | GV.SC-01 | Governance and supply-chain oversight depend on demonstrable control operation, not policy alone.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous, enforceable access decisions that can be validated in practice.

Bind each NHI policy to logs, attestations, and system evidence before claiming the control is in place.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org