Subscribe to the Non-Human & AI Identity Journal
Home Glossary Governance, Ownership & Risk Lift-and-Forget
Governance, Ownership & Risk

Lift-and-Forget

← Back to Glossary
By NHI Mgmt Group Updated June 23, 2026 Domain: Governance, Ownership & Risk

A migration pattern where workloads are moved to the cloud but the supporting governance model is left behind. The result is technical debt, unclear ownership and controls that no longer match the environment, especially once AI begins consuming the migrated data.

Expanded Definition

Lift-and-forget is a cloud migration anti-pattern in which workloads are moved to a new environment while identity, access, logging, and ownership controls remain rooted in the old operating model. In NHI and IAM terms, the migration is treated as a technical relocation rather than a governance reset. That distinction matters because moved workloads often continue to rely on service accounts, API keys, certificates, and automation paths that were designed for a different trust boundary.

Definitions vary across vendors on how broad the term should be, but NHI Management Group uses it to describe any migration that preserves legacy governance assumptions after the workload changes location or consumption model. It is closely related to cloud sprawl, secret sprawl, and stale entitlement accumulation, yet it is not limited to infrastructure. Once AI systems begin reading migrated datasets or triggering workflows, the original controls can become misaligned with the new execution context. The NIST Cybersecurity Framework 2.0 is useful here because lift-and-forget failures usually show up as broken ownership, weak control mapping, and absent continuous monitoring. The most common misapplication is assuming a workload is governed correctly after lift alone, which occurs when the migration team does not revalidate access, secrets handling, and accountability in the target environment.

Examples and Use Cases

Implementing migration rigorously often introduces short-term operational friction, requiring organisations to weigh speed of relocation against the cost of re-baselining controls, owners, and credentials.

  • A legacy application is moved to a cloud host, but its hard-coded API key remains in the codebase and is never rotated.
  • A data platform is rehosted for analytics, then an AI agent is granted access without revisiting data classification or service-account scope.
  • An on-prem batch job is containerised, yet its certificate lifecycle still depends on manual renewal steps that no one owns after migration.
  • A merged business unit inherits old service accounts, but no one reconciles them against current business functions or access reviews.
  • A team migrates to cloud and assumes the old detective controls still apply, even though logs now flow through different tools and retention settings.

These patterns are discussed in NHI Management Group’s Ultimate Guide to NHIs, especially where governance, lifecycle, and offboarding are treated as first-class controls rather than afterthoughts. They also align with the identity and access review discipline reflected in the NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

Lift-and-forget is dangerous because NHI risk compounds quietly after a migration. When secrets, service accounts, and automation pipelines are carried forward without governance refresh, the organisation inherits old permissions, stale ownership, and broken revocation paths in a new environment. That creates a common failure mode where AI tools can consume data or invoke workflows that no longer have an explicit control owner.

NHI Mgmt Group reports that 96% of organisations store secrets outside of secrets managers in vulnerable locations, which shows how often migration work leaves credentials exposed in places that are hard to govern. The same source notes that only 20% have formal processes for offboarding and revoking API keys, a gap that becomes more visible after environments are moved and the original control owners disappear. Lift-and-forget undermines Zero Trust because trust decisions stay static even as execution context changes. Organisations typically encounter the consequence only after a breach, audit failure, or AI-driven misuse exposes the mismatch, at which point lift-and-forget becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Lift-and-forget leaves access permissions stale after migration.
NIST CSF 2.0DE.CM-1Broken logging and monitoring are common when governance is not refreshed.
NIST Zero Trust (SP 800-207)Zero Trust requires revalidating trust assumptions after environment changes.

Treat migrated workloads as new trust targets and enforce continuous verification.

Deepen Your Knowledge

Ultimate Guide to NHIs → NHI Foundation Course → Discussion Forum →
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.