Subscribe to the Non-Human & AI Identity Journal
Home Glossary SGP.32

SGP.32

← Back to Glossary
By NHI Mgmt Group Updated July 10, 2026

SGP.32 is the GSMA specification for remote eSIM management in IoT environments. It changes how devices are provisioned and managed at scale, which makes integration, workflow assurance and identity governance central to deployment success rather than secondary implementation details.

Expanded Definition

SGP.32 is the GSMA specification for remote eSIM management in IoT environments, so its practical meaning extends beyond connectivity setup into lifecycle control, provisioning integrity, and device identity governance. Unlike consumer eSIM flows, SGP.32 is designed for large fleets where bootstrap, activation, profile changes, and credential handling must be coordinated across manufacturers, mobile operators, and IoT platforms. In security terms, it sits at the junction of telecom operations and identity assurance because the remote management workflow determines who can issue, replace, or retire network access for a device.

Definitions vary across vendors on how broadly “eSIM management” should be applied, but SGP.32 is specifically about remote orchestration for IoT deployments rather than generic device onboarding. That makes it a governance topic as much as an engineering one, especially when organisations map it to NIST Cybersecurity Framework 2.0 control outcomes for asset management and access control. The most common misapplication is treating SGP.32 as a carrier integration detail, which occurs when teams ignore ownership, profile lifecycle, and revocation paths until devices are already in production.

Examples and Use Cases

Implementing SGP.32 rigorously often introduces workflow complexity, requiring organisations to weigh fleet-scale automation against tighter control over who can approve and change device connectivity.

  • A smart meter fleet is provisioned remotely after shipment, with activation tied to manufacturing records and deployment approval, not manual SIM handling.
  • An industrial sensor platform rotates connectivity profiles when devices move between regions, using policy-based remote management rather than truck rolls.
  • A logistics provider disables lost or decommissioned devices centrally, preserving continuity while reducing the chance of stale network access.
  • An IoT platform aligns eSIM lifecycle events with device identity records so that provisioning, repair, and retirement remain auditable end to end.
  • Security teams use guidance from the Ultimate Guide to NHIs alongside NIST Cybersecurity Framework 2.0 to treat device connectivity as part of identity lifecycle management, not just telecom setup.

For NHIs, the parallel is clear: remote device identities need the same discipline as service accounts, secrets, and API keys. That is why NHI Management Group notes that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, a signal that lifecycle control is increasingly viewed as a core security function rather than a back-office task.

Why It Matters for Security Teams

SGP.32 matters because remote provisioning creates a new control plane for IoT access, and control planes are high-value targets when they are not governed consistently. If activation rights, profile issuance, and revocation are weakly controlled, attackers can exploit oversized privileges, stale credentials, or poorly tracked device ownership to persist inside operational environments. That is especially relevant in NHI-heavy estates, where identity sprawl often outpaces governance.

NHI Management Group’s research shows that 92% of organisations expose NHIs to third parties, which is a useful warning sign for IoT programmes that depend on carriers, integrators, and platform vendors to manage connectivity on their behalf. In practice, SGP.32 security work should therefore include approval workflows, change tracking, revocation testing, and clear accountability for every remote profile action. Teams should also connect those processes to identity monitoring and incident response so that device access can be withdrawn quickly when trust is broken. Organisations typically encounter the operational cost of weak SGP.32 governance only after a compromised or misrouted device stays connected longer than it should, at which point remote lifecycle control becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.AM-1SGP.32 governs IoT device lifecycle and asset visibility across remote provisioning.
NIST SP 800-63AAL2Strong assurance is needed for parties authorising remote device identity changes.
OWASP Non-Human Identity Top 10SGP.32 manages machine identities whose lifecycle and privileges must be governed.
NIST Zero Trust (SP 800-207)Remote IoT connectivity fits Zero Trust principles of continuous verification and least privilege.

Treat remote eSIM profiles as NHI assets and enforce lifecycle, rotation, and offboarding controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org