Identity Programme

By NHI Mgmt Group Updated June 25, 2026 Domain: Governance, Ownership & Risk

The collection of policies, workflows, people, and controls used to govern access across an organisation. It is broader than a single tool because it includes lifecycle management, reviews, education, and operational follow-through needed to keep access decisions accurate.

Expanded Definition

An identity programme is the operating model for governing who and what can access systems, data, and tools. It combines policy, account lifecycle management, access requests, approvals, periodic reviews, education, revocation, and exception handling so access decisions stay current as the environment changes.

In NHI security, the term must cover service accounts, API keys, tokens, certificates, and agent identities, not only human users. That distinction matters because non-human access often persists longer, is more widely distributed, and is harder to inventory than employee access. Mature programmes tie governance to NIST Cybersecurity Framework 2.0 outcomes such as identity management, access control, and continuous monitoring, while also aligning to NHI-specific lifecycle practices described in the Ultimate Guide to NHIs.

Definitions vary across vendors when the phrase is used to describe a product suite, but in security governance it should be treated as a cross-functional programme with accountable owners, measurable controls, and enforced remediation. The most common misapplication is equating an identity programme with a single IAM tool, which occurs when teams expect technology alone to resolve access sprawl, stale accounts, and weak review processes.

Examples and Use Cases

Implementing an identity programme rigorously often introduces process overhead, requiring organisations to weigh tighter control and auditability against slower onboarding and more review activity.

  • A central team defines access standards for employees, contractors, service accounts, and AI agents, then routes every new entitlement through approval and review workflows.
  • Security and platform teams use periodic access recertification to remove stale privileges, informed by recurring issues documented in the Top 10 NHI Issues.
  • Developers rotate API keys and certificates on schedule, with exceptions tracked until they are remediated, rather than allowing credentials to remain valid indefinitely.
  • After a token exposure event, incident responders use the programme to revoke access, assess blast radius, and confirm downstream systems no longer trust the compromised identity, as illustrated by the JetBrains GitHub plugin token exposure.
  • Audit teams validate that privileged access is time-bound and documented, using the programme as evidence that access decisions are repeatable rather than ad hoc.

For many organisations, the practical value is not the application of one control, but the ability to run the same governance logic across identities that behave very differently in production.
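The use cases above (approval and review workflows, periodic recertification, scheduled rotation with tracked exceptions, and time-bound privileged access) all reduce to the same review logic applied to an identity inventory. The following Python script is an added illustration, not NHIMG's tooling or code from the page: it runs one recertification pass over a small constructed inventory of human, service-account, API-key, certificate and agent identities and reports what an owner would have to act on. The thresholds (90 days unused, per-kind maximum credential age) and all identity names, owners and ticket numbers are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Review policy (assumed values for this example, not from the glossary page).
STALE_AFTER_DAYS = 90            # no use for this long => candidate for revocation
ROTATION_MAX_DAYS = {            # maximum credential age by identity kind
    "human": 365,
    "service_account": 180,
    "api_key": 90,
    "certificate": 365,
    "agent": 30,
}


@dataclass
class Identity:
    name: str
    kind: str                            # one of the keys of ROTATION_MAX_DAYS
    owner: str
    last_used: date
    last_rotated: date
    privileged: bool = False
    access_expires: Optional[date] = None  # time-bound privileged access, if set


@dataclass
class AccessException:
    """An approved, time-limited deviation that is tracked until remediated."""
    identity: str
    finding: str
    expires: date
    ticket: str


Finding = Tuple[str, str, str]   # (identity name, finding code, required action)


def review(identities: List[Identity], exceptions: List[AccessException],
           active_owners: Set[str], today: date) -> List[Finding]:
    """Run one recertification pass and return every finding that still needs action.

    A finding is suppressed only while a matching exception is unexpired; once the
    exception lapses the finding reappears, so exceptions cannot become permanent.
    """
    open_exceptions = {(e.identity, e.finding) for e in exceptions if e.expires >= today}
    findings: List[Finding] = []

    def flag(ident: Identity, code: str, action: str) -> None:
        if (ident.name, code) not in open_exceptions:
            findings.append((ident.name, code, action))

    for ident in identities:
        # Ownership: every identity, human or not, needs a current accountable owner.
        if ident.owner not in active_owners:
            flag(ident, "orphaned", "reassign owner or disable")
        # Staleness: unused access is removed rather than left valid indefinitely.
        if (today - ident.last_used).days > STALE_AFTER_DAYS:
            flag(ident, "stale", "confirm need or revoke")
        # Rotation: credential age is checked against the policy for its kind.
        if (today - ident.last_rotated).days > ROTATION_MAX_DAYS[ident.kind]:
            flag(ident, "rotation_overdue", "rotate credential")
        # Privileged access must be time-bound and, once expired, actually revoked.
        if ident.privileged and ident.access_expires is None:
            flag(ident, "privileged_not_time_bound", "set expiry and document approval")
        elif ident.privileged and ident.access_expires < today:
            flag(ident, "privileged_expired", "revoke privileged access")
    return findings


def run_sample_review(today: date = date(2026, 6, 25)) -> List[Finding]:
    """Constructed inventory: one identity of each kind, with deliberate gaps."""
    d = lambda n: today - timedelta(days=n)
    identities = [
        Identity("alice", "human", "alice", d(3), d(100), True, today + timedelta(days=30)),
        Identity("svc-billing", "service_account", "bob", d(200), d(400)),      # bob has left
        Identity("ci-deploy-key", "api_key", "carol", d(1), d(120)),            # overdue, excepted
        Identity("support-agent", "agent", "carol", d(2), d(45), True, None),   # no expiry set
        Identity("old-cert", "certificate", "dave", d(10), d(400), True, d(1)), # expiry passed
    ]
    exceptions = [
        AccessException("ci-deploy-key", "rotation_overdue", today + timedelta(days=14), "SEC-1234"),
        AccessException("svc-billing", "stale", d(1), "SEC-0999"),  # lapsed: finding returns
    ]
    active_owners = {"alice", "carol", "dave"}
    return review(identities, exceptions, active_owners, today)


if __name__ == "__main__":
    for name, code, action in run_sample_review():
        print(f"{name:<14} {code:<26} -> {action}")
```

Running the sample pass reports seven findings: the orphaned, stale and rotation-overdue service account (its stale exception has lapsed, so that finding is back), the agent with an overdue credential and no expiry on its privileged access, and the certificate whose credential and privileged window have both expired; the human identity and the excepted API key produce nothing. The point is that one pass applies identical rules to identities that behave very differently in production, which is what the programme, rather than any single tool, provides.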

Why It Matters in NHI Security

An identity programme is where NHI risk becomes governable rather than anecdotal. Without it, secrets linger in code, service accounts outlive their owners, and access decisions drift away from the business need that justified them. NHIMG research shows that 96% of organisations store secrets outside of secrets managers, while only 5.7% report full visibility into their service accounts. That combination makes governance, not just tooling, the decisive factor.

Identity programmes also support Zero Trust by making authentication, authorization, and review continuous instead of one-time. When control gaps are visible, teams can connect them to concrete harm, such as lateral movement, privilege escalation, or delayed incident containment. The 52 NHI Breaches Analysis shows how often weak identity governance appears in real incidents, reinforcing that access oversight is an operational resilience issue, not just an administrative one. Organisations typically recognise the need for an identity programme only after a breach review, at which point addressing access sprawl and stale credentials becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Identity programmes govern lifecycle, access, and review for NHIs.
NIST CSF 2.0                     | PR.AA-1             | Identity proofing and management underpin controlled access decisions.
NIST Zero Trust (SP 800-207)     | PE-1                | Zero Trust requires continuous identity-based access decisions.

Maintain authoritative identity records and enforce periodic access validation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org