Subscribe to the Non-Human & AI Identity Journal
Home Glossary Governance, Ownership & Risk Key Management
Governance, Ownership & Risk

Key Management

← Back to Glossary
By NHI Mgmt Group Updated July 11, 2026 Domain: Governance, Ownership & Risk

Key management is the controlled lifecycle of cryptographic keys, from generation and storage through rotation, use, and retirement. In enterprise environments it is the governance layer that determines whether keys remain trustworthy across users, workloads, devices, and applications.

Expanded Definition

Key management is the operational and governance discipline that ensures cryptographic keys are created, protected, rotated, distributed, revoked, and destroyed in a way that preserves trust. In NHI and agentic AI environments, it is not just a technical control for encryption. It is the mechanism that decides whether api key, signing keys, TLS keys, and workload credentials can be used safely across services, pipelines, devices, and autonomous agents.

Definitions vary across vendors when they blur key management with secret storage, certificate management, or general IAM. In practice, key management focuses on the key lifecycle and the policies around who can mint, use, export, or retire a key, while adjacent systems such as vaults and HSMs enforce storage and access boundaries. For a broader governance view, NHI Management Group’s NHI Lifecycle Management Guide and the NIST Cybersecurity Framework 2.0 both reinforce lifecycle control and risk treatment as core security obligations.

The most common misapplication is treating key management as a one-time vaulting exercise, which occurs when teams store keys securely but fail to rotate, scope, or retire them as systems change.

Examples and Use Cases

Implementing key management rigorously often introduces coordination overhead between platform, security, and application teams, requiring organisations to weigh faster delivery against tighter control of key use and rotation.

  • Rotating API signing keys for an internal platform after a deployment pipeline change, so newly issued tokens cannot be forged with an old key.
  • Using a hardware security module to protect root signing keys for certificate issuance, while allowing only tightly scoped operational access.
  • Separating encryption keys for production databases from lower-environment keys, reducing blast radius if a non-production system is compromised.
  • Rebuilding a service account’s credentials after reviewing excessive privileges and stale key usage, aligning with the lifecycle approach described in the Ultimate Guide to NHIs.
  • Applying key revocation after a compromise indicator appears in a workload identity, then verifying downstream systems reject the retired key, consistent with NIST Cybersecurity Framework 2.0 guidance on protective and recovery functions.

In mature NHI programs, key management also governs signing keys for software releases and agent tool access, because those keys can authorize broad machine action rather than a single login session. A practical example is the Coupang Signing Key Breach, which illustrates how one exposed key can affect trust at scale. NHI Management Group’s Top 10 NHI Issues further shows how poor rotation and oversight turn routine credentials into lasting exposure.

Why It Matters in NHI Security

Key management is foundational in NHI security because keys are the control plane behind authentication, encryption, code signing, and automated access. When it fails, the problem is rarely limited to one account. A weak or stale key can let an attacker impersonate a workload, sign malicious artifacts, decrypt data, or pivot across services without tripping a human login control.

NHI Management Group reports that 71% of NHIs are not rotated within recommended time frames, which means expired trust assumptions often remain active long after teams think they have been corrected. That gap matters even more in Zero Trust and shared-platform environments, where machine identities often outnumber human identities by 25x to 50x and a single retained key can undermine segmentation and verification.

Organisations typically encounter the operational impact only after a breach, failed audit, or service disruption, at which point key management becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Key storage, rotation, and revocation map directly to improper secret management risk.
NIST CSF 2.0PR.AC-1Identity and credential management includes controlling cryptographic keys used for access.
NIST SP 800-63AAL2Assurance concepts depend on protecting authenticators and related cryptographic material.
NIST Zero Trust (SP 800-207)SC-13Zero Trust depends on strong cryptographic protection and managed trust anchors.
OWASP Agentic AI Top 10A1Agentic systems rely on secure tool and signing credentials that must be governed.

Treat keys as assurance-bearing authenticators and apply equivalent protection and lifecycle controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org