Subscribe to the Non-Human & AI Identity Journal
Authentication, Authorisation & Trust

SM-DP+

← Back to Glossary
By NHI Mgmt Group Updated July 14, 2026 Domain: Authentication, Authorisation & Trust

The subscription management platform that delivers and manages eSIM profiles. In IoT provisioning, it is the system that must interpret device requests correctly, which means format compatibility and lifecycle support matter as much as nominal standards compliance.

Expanded Definition

SM-DP+ is the subscription management component that delivers, stores, and manages eSIM profiles for remote provisioning. In practice, it sits at the control point where a device request must be authenticated, matched to the right entitlement, and translated into a usable profile without breaking lifecycle continuity. Standards guidance exists, but usage across IoT vendors is still uneven, so implementation details often matter as much as nominal compliance. The distinction from adjacent terminology is operational: the SM-DP+ is not the eSIM itself, and it is not just a profile repository. It is the service that makes profile distribution and activation possible across device fleets, which makes it an identity-adjacent trust function in NHI-heavy environments. For a governance baseline, organisations should map it to broader control expectations in the NIST Cybersecurity Framework 2.0 and treat provisioning events as security-relevant identity operations.

The most common misapplication is treating SM-DP+ as a static telecom back-end, which occurs when teams ignore provisioning workflows, device attestation, and profile lifecycle state.

Examples and Use Cases

Implementing SM-DP+ rigorously often introduces provisioning complexity, requiring organisations to weigh fleet reliability against tighter enrollment and change-control discipline.

  • A manufacturer ships cellular IoT devices that bootstrap against SM-DP+ during first activation, with profile assignment tied to device class, region, and contract status.
  • An enterprise rotates eSIM profiles during device refresh so that retired endpoints lose network access cleanly instead of retaining dormant connectivity.
  • An operator uses SM-DP+ request logs to investigate why a subset of devices activated with the wrong carrier profile after a failed workflow translation.
  • A security team correlates provisioning events with the identity and access lifecycle guidance in the Ultimate Guide to NHIs to confirm that remote enrollment is auditable.
  • A platform team aligns SM-DP+ controls with NIST Cybersecurity Framework 2.0 functions so provisioning failures are tracked as operational resilience events, not just telecom exceptions.

Why It Matters in NHI Security

SM-DP+ matters because it is often the first place where provisioning trust, entitlement accuracy, and lifecycle enforcement meet. If profile delivery is poorly governed, devices can be activated with excessive connectivity, outdated subscriptions, or profiles that outlive the intended asset. That creates the same security pattern seen across NHI sprawl: hidden trust, weak offboarding, and delayed revocation. NHI Mgmt Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, and while SM-DP+ is not an API key manager, the governance lesson is the same: lifecycle controls must be explicit, not assumed. The risk becomes sharper in IoT because devices are distributed, persistent, and frequently difficult to recall once misprovisioned. A useful reference point is the broader NHI lifecycle and visibility guidance in the Ultimate Guide to NHIs, which frames why remote identity-bearing services need continuous oversight. Organisations typically encounter SM-DP+ as an operational priority only after a fleet outage, unauthorized activation, or failed decommissioning reveals that profile governance was incomplete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Covers identity lifecycle and trust boundaries relevant to remote eSIM provisioning.
NIST CSF 2.0PR.AC-1Access control and authorized provisioning align with remote profile delivery governance.
NIST Zero Trust (SP 800-207)SC-23Zero Trust principles apply when devices request profiles across untrusted networks.
NIST SP 800-63IAL2Identity assurance concepts inform how strongly a device request should be bound.
CSA MAESTROAgentic orchestration guidance is useful where automated provisioning workflows act on device state.

Constrain automated provisioning agents so they cannot issue or modify profiles without policy checks.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org