Session termination

By NHI Mgmt Group Updated June 24, 2026 Domain: Foundations & NHI Taxonomy

The act of ending an authenticated session so the next user cannot inherit active access. In shared-device environments, it is a core security boundary because leaving a session open effectively turns a short-term login into standing access for whoever uses the device next.

Expanded Definition

Session termination is the controlled ending of an authenticated session so the prior user, process, or device context cannot continue to exercise access. In NHI and IAM operations, it is not just a logout action. It is the point where tokens, browser sessions, device bindings, and any cached authorisation state must be invalidated or rendered unusable.

Definitions vary across vendors when sessions are spread across web apps, APIs, SSH, mobile clients, and agentic workflows, but the security intent is the same: close the access path at the source. That intent aligns with zero trust thinking in the NIST Cybersecurity Framework 2.0, where active access should be continuously bounded rather than assumed safe because it was once approved.

For NHIs, session termination often overlaps with token revocation, credential rotation, and offboarding, but those are not identical controls. A terminated session should end immediately; a rotated secret may still leave a live session active if the implementation does not bind the session to the old credential state. The most common misapplication is treating a page redirect or UI logout as full termination when the backend token, API session, or cached agent context remains valid.

Examples and Use Cases

Implementing session termination rigorously often introduces friction for users and automation, requiring organisations to weigh usability and continuity against the cost of leaving access alive longer than necessary.

  • Shared workstations in operations centres force a hard session close when one analyst finishes, so the next person cannot inherit an already authenticated console.
  • An API client used by a CI/CD pipeline ends its session after deployment, then destroys or revokes the token so replay is no longer possible.
  • An agentic workflow pauses after completing a task and terminates its tool session before handing control to a human approver, reducing unintended reuse of authority.
  • A privileged admin portal logs out an engineer and invalidates the browser session server-side, not just on the client, to stop back-button or cookie reuse.
  • A leaked service account context is shut down by terminating active sessions before rotating credentials, which limits the attacker’s window even if the secret has already been exposed.
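The distinction drawn above between a UI logout and real termination, and the bullets on server-side invalidation and on terminating sessions before rotating a leaked secret, can be shown with a small in-memory session store. This is an added example, not NHIMG's or any vendor's code; the store, the `cred_version` binding and the principal name `svc-deploy` used in its checks are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Added example (not NHIMG's code): a minimal server-side session store.
# terminate() removes the session on the server, so a client that merely
# forgets its token gains nothing; each session is bound to the credential
# version it was issued under, so rotate_credential() also ends old sessions.

@dataclass
class Session:
    principal: str
    cred_version: int
    expires_at: float

@dataclass
class SessionStore:
    ttl: float = 3600.0
    cred_versions: dict = field(default_factory=dict)  # principal -> version
    sessions: dict = field(default_factory=dict)       # token -> Session

    def issue(self, principal: str) -> str:
        """Authenticate 'principal' and return an opaque session token."""
        version = self.cred_versions.setdefault(principal, 1)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(principal, version, time.time() + self.ttl)
        return token

    def validate(self, token: str) -> bool:
        """Accept only a live, unexpired session bound to the current credential."""
        s = self.sessions.get(token)
        if s is None or time.time() >= s.expires_at:
            return False
        return s.cred_version == self.cred_versions.get(s.principal)

    def terminate(self, token: str) -> bool:
        """Server-side termination: drop the record; False if the token was unknown."""
        return self.sessions.pop(token, None) is not None

    def terminate_all(self, principal: str) -> int:
        """Containment step: end every session for a principal; returns how many."""
        doomed = [t for t, s in self.sessions.items() if s.principal == principal]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)

    def rotate_credential(self, principal: str) -> None:
        """Rotate the secret; sessions issued under the old version stop validating."""
        self.cred_versions[principal] = self.cred_versions.get(principal, 1) + 1
```

For a leaked service account the containment order is `terminate_all()` first, then `rotate_credential()`, so no session issued under the exposed secret survives either step.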

These patterns are consistent with lifecycle guidance in the NHI Lifecycle Management Guide and with the broader control themes discussed in Top 10 NHI Issues. They also echo the session and revocation expectations found in the NIST Cybersecurity Framework 2.0, especially where identity state must be actively managed rather than passively trusted.

Why It Matters in NHI Security

Session termination is a boundary control. When it fails, access that was meant to be temporary becomes indistinguishable from standing privilege, especially in shared devices, agent tools, and service integrations that reuse tokens across requests. For NHI security teams, weak termination logic can turn a single compromise into repeated unauthorised use long after the initial authentication event.

This is one reason NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. If active sessions are not reliably shut down, stolen credentials can continue to operate even after detection efforts begin. That makes termination part of incident containment, not just routine housekeeping. It also connects to the lifecycle and exposure themes in the Ultimate Guide to NHIs, where revocation, rotation, and offboarding only work if live sessions are actually ended.

Organisations typically encounter the operational impact of poor session termination only after a device is reused, an agent continues acting, or a stolen token is replayed, at which point session control becomes an urgent containment issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-05              | Session lifecycle control underpins the prevention of reuse of active NHI access.
NIST CSF 2.0                     | PR.AA-01            | Identity and access state must be actively managed across authenticated sessions.
NIST Zero Trust (SP 800-207)     |                     | Zero Trust assumes no session is trusted indefinitely after initial authentication.

Enforce session invalidation as part of continuous access control and identity lifecycle management.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.