Service Request Management

By NHI Mgmt Group Updated June 11, 2026 Domain: Governance, Ownership & Risk

Service request management is the ITSM process for receiving, triaging, approving, and fulfilling routine requests. In identity programmes, it becomes the mechanism that decides who gets access to what, for how long, and under whose approval. Poor design turns it into a fast path to overprovisioning.

Expanded Definition

Service request management is the controlled intake and fulfilment path for routine access and operational requests, but in an identity programme it also becomes a governance decision point. It determines whether a request is legitimate, whether the approver has authority, and whether the resulting access is time-bound, scoped, and reviewable. In mature environments, it should connect directly to policy, inventory, and entitlement enforcement rather than functioning as a ticket queue that simply forwards approvals.

Definitions vary across vendors on how much automation belongs in the process, but the core security requirement is consistent: request handling must preserve least privilege and evidenceable approval chains. That aligns closely with the intent of the NIST Cybersecurity Framework 2.0, which expects organisations to manage access with measurable governance and accountability. In NHI environments, the same control logic applies to service accounts, API keys, and workflow identities, not just human users, and it should be reinforced by the lifecycle discipline described in the NHI Lifecycle Management Guide.

The most common misapplication is treating service request management as a purely administrative ticket workflow, which occurs when approvals are captured but not translated into enforceable access constraints.

Examples and Use Cases

Implementing service request management rigorously often introduces approval latency, requiring organisations to weigh speed of delivery against the risk of uncontrolled access expansion.

  • A developer requests temporary access to a production API key, and the ticket system enforces an expiry time, approver identity, and post-use revocation.
  • A platform team requests a new service account for a deployment pipeline, and the approval path requires entitlement mapping so the account only receives the minimum scopes needed.
  • An operations analyst requests read access to incident logs, and the workflow routes to the data owner rather than a generic manager for an appropriate business approval.
  • A machine-to-machine integration is requested for a third-party supplier, and the request is checked against the onboarding policy before credentials are issued and recorded.
  • A high-risk privilege request is evaluated using the governance patterns discussed in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, then validated against request criteria inspired by the NIST Cybersecurity Framework 2.0.

In NHI programmes, the request itself should carry enough context to support fulfilment, including ownership, intended duration, and the downstream system that will consume the credential or entitlement.
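A minimal sketch of a fulfilment gate that turns an approval into enforceable constraints, added here as an illustration and not taken from NHIMG or any ticketing product. The inventory, the 8-hour ceiling, the field names and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
MAX_DURATION = timedelta(hours=8)  # assumed policy ceiling for temporary access
# Constructed inventory: resource -> accountable owner and scopes that may be granted
INVENTORY = {"prod-payments-api": {"owner": "alice",
                                   "scopes": {"payments:read", "payments:write"}}}

@dataclass
class AccessRequest:
    requester: str
    approver: str
    resource: str
    scopes: set
    owner: str                      # party accountable for the credential
    consumer: str                   # downstream system that will use it
    expires_at: Optional[datetime]  # None means standing access was requested

def evaluate(req, now):
    """Return the policy violations for a request; an empty list means it may be fulfilled."""
    entry = INVENTORY.get(req.resource)
    if entry is None:
        return ["resource not in inventory"]
    problems = []
    if req.approver != entry["owner"]:
        problems.append("approver is not the resource owner")
    extra = req.scopes - entry["scopes"]
    if extra:
        problems.append("scopes not grantable: " + ", ".join(sorted(extra)))
    if not req.owner or not req.consumer:
        problems.append("missing owner or consuming system")
    if req.expires_at is None:
        problems.append("no expiry")
    elif not now < req.expires_at <= now + MAX_DURATION:
        problems.append("expiry outside allowed window")
    return problems

def fulfil(req, now):
    """Turn an approved request into a grant record with evidence fields, or deny with reasons."""
    problems = evaluate(req, now)
    if problems:
        return {"decision": "deny", "reasons": problems}
    return {"decision": "grant", "resource": req.resource, "scopes": sorted(req.scopes),
            "expires_at": req.expires_at.isoformat(), "approved_by": req.approver,
            "owner": req.owner, "consumer": req.consumer}

NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
GOOD = AccessRequest("bob", "alice", "prod-payments-api", {"payments:read"},
                     "team-payments", "deploy-pipeline", NOW + timedelta(hours=2))
BAD = AccessRequest("bob", "carol", "prod-payments-api", {"payments:admin"}, "", "cli", None)
```

The grant record carries the approver, owner, consumer and expiry, so the same object that authorises issuance also serves as the evidence for later review and revocation.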

Why It Matters in NHI Security

Service request management matters because it is often the last structured checkpoint before new credentials, privileges, or integrations are created. If the process is weak, access accumulates faster than it is reviewed, and the organisation inherits standing privilege, unclear ownership, and poor evidence for audits. NHIMG data shows that 97% of NHIs carry excessive privileges, and that only 5.7% of organisations have full visibility into their service accounts, which makes request governance a frontline control rather than a back-office formality. The risk is amplified when secrets are issued through informal channels, especially since 96% of organisations store secrets outside secrets managers in vulnerable locations. Those conditions are directly discussed in the Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives.

Practitioners also need to recognise that service request management is where ownership gaps become visible: who approved the access, who is accountable for it, and who must revoke it later. Organisations typically encounter the operational cost of weak request control only after a breach, audit finding, or privilege sprawl investigation, at which point fixing service request management can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers request-driven privilege growth and access governance for NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management depends on controlled approval and review. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification of access requests and entitlements. |

Tie request workflows to access review and approval evidence before privileges are issued.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.