Stage 2 is the evidential audit where the organisation must prove its documented controls are actually operating. Auditors sample records, interview stakeholders, and compare live evidence with the approved design, making this the decisive test of operational compliance.
Expanded Definition
Stage 2 audit is the verification phase in which an organisation must prove that its documented controls are not just written correctly but are operating consistently in real conditions. In practice, auditors test evidence, sample records, interview control owners, and compare live behaviour against approved policy, procedures, and scope.
For NHI governance, this means proving that service accounts, API keys, certificates, and automation workflows are controlled as designed across their lifecycle. It is closely related to the evidential expectations described in Ultimate Guide to NHIs — Regulatory and Audit Perspectives and to broader control verification concepts in the NIST Cybersecurity Framework 2.0. Definitions vary across vendors on whether Stage 2 is framed as certification, surveillance, or recertification, but the operational meaning is consistent: prove that the control works when tested.
The most common misapplication is treating Stage 2 as a document review, which occurs when teams prepare policies but cannot produce current logs, samples, or owner attestations that match production reality.
Examples and Use Cases
Implementing Stage 2 rigorously often introduces documentation and evidence-collection overhead, requiring organisations to weigh audit readiness against the time cost of maintaining proof at control depth.
- A platform team demonstrates that every privileged service account has an owner, a review cadence, and revocation evidence, with samples tied back to the NHI Lifecycle Management Guide.
- An auditor samples rotated secrets and checks whether rotation logs, approval records, and rollback steps match the operating procedure described in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
- A security team interviews application owners to confirm that disabled API keys are actually removed from CI/CD pipelines, not only marked for future cleanup, reflecting the risks described in Top 10 NHI Issues.
- A compliance lead maps control evidence for logging, access review, and exception handling to the verification approach encouraged by the NIST Cybersecurity Framework 2.0.
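The four scenarios above share one mechanic: pull a sample of NHIs from the inventory, then reconcile what the inventory asserts (owner, review date, rotation date, status) against independent evidence (rotation logs, approval records, revocation logs, CI/CD configuration). The script below is an added example, not code from the original page or from NHI Mgmt Group; the account names, evidence sets, cadence values and the `audit_nhi`/`audit_sample`/`summarize` helpers are all constructed for illustration, and the 90-day review cadence and 180-day rotation SLA stand in for whatever the organisation's approved procedure actually says.

```python
"""Reconcile an NHI inventory sample against control evidence (Stage 2 style).

Added example, not from the original page. Every account name, date,
evidence record and CI reference below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Control parameters as read from the approved design. These values are
# assumptions for the example, not figures from any published standard.
REVIEW_CADENCE_DAYS = 90    # privileged NHIs reviewed at least quarterly
MAX_SECRET_AGE_DAYS = 180   # rotation SLA from the (hypothetical) procedure
AS_OF = date(2026, 6, 1)    # audit sampling date (constructed)


@dataclass
class Nhi:
    """One row of the NHI inventory as the organisation presents it."""
    name: str
    kind: str                  # "service_account" | "api_key" | "certificate"
    owner: str | None
    status: str                # "active" | "disabled"
    last_review: date | None
    last_rotation: date | None


@dataclass
class Evidence:
    """Evidence gathered independently of the inventory (logs, tickets, repos)."""
    rotation_logs: set[str]        # NHIs with a rotation event in the secrets log
    rotation_approvals: set[str]   # NHIs whose rotation has an approval record
    revocation_logs: set[str]      # NHIs with a revoke/disable event logged
    ci_references: set[str]        # NHIs still referenced in CI/CD configuration


def _older_than(d: date | None, max_days: int) -> bool:
    """True when a date is missing or older than max_days relative to AS_OF."""
    return d is None or (AS_OF - d).days > max_days


def audit_nhi(nhi: Nhi, ev: Evidence) -> list[str]:
    """Return the list of exceptions for one sampled NHI (empty = clean)."""
    findings: list[str] = []
    if not nhi.owner:
        findings.append("missing-owner")
    if nhi.status == "active":
        if _older_than(nhi.last_review, REVIEW_CADENCE_DAYS):
            findings.append("review-overdue")
        if _older_than(nhi.last_rotation, MAX_SECRET_AGE_DAYS):
            findings.append("rotation-overdue")
        # An inventory rotation date is only an assertion; Stage 2 wants the
        # log entry and the approval that sit behind it.
        if nhi.last_rotation is not None:
            if nhi.name not in ev.rotation_logs:
                findings.append("rotation-unevidenced")
            elif nhi.name not in ev.rotation_approvals:
                findings.append("rotation-unapproved")
    else:
        # A disabled NHI must have revocation evidence and must be gone from
        # pipelines, not merely flagged for later cleanup.
        if nhi.name not in ev.revocation_logs:
            findings.append("revocation-unevidenced")
        if nhi.name in ev.ci_references:
            findings.append("disabled-but-referenced-in-ci")
    return findings


def audit_sample(sample: list[Nhi], ev: Evidence) -> dict[str, list[str]]:
    """Run audit_nhi over the whole sample, keyed by NHI name."""
    return {n.name: audit_nhi(n, ev) for n in sample}


def summarize(results: dict[str, list[str]]) -> tuple[int, int]:
    """Return (clean_count, exception_count) for the sample."""
    clean = sum(1 for f in results.values() if not f)
    return clean, len(results) - clean


# Constructed sample: four NHIs drawn from a fictional inventory.
SAMPLE = [
    Nhi("svc-payments-prod", "service_account", "payments-team", "active",
        AS_OF - timedelta(days=30), AS_OF - timedelta(days=60)),
    Nhi("svc-legacy-etl", "service_account", None, "active",
        None, AS_OF - timedelta(days=400)),
    Nhi("apikey-ci-deploy", "api_key", "platform-team", "active",
        AS_OF - timedelta(days=10), AS_OF - timedelta(days=20)),
    Nhi("apikey-old-reporting", "api_key", "bi-team", "disabled",
        AS_OF - timedelta(days=5), AS_OF - timedelta(days=300)),
]

# Constructed evidence pulled from logs, ticketing and the CI repo.
EVIDENCE = Evidence(
    rotation_logs={"svc-payments-prod", "apikey-ci-deploy"},
    rotation_approvals={"svc-payments-prod"},
    revocation_logs={"apikey-old-reporting"},
    ci_references={"apikey-ci-deploy", "apikey-old-reporting"},
)

if __name__ == "__main__":
    results = audit_sample(SAMPLE, EVIDENCE)
    for name, findings in results.items():
        print(f"{name:24s} {'clean' if not findings else ', '.join(findings)}")
    print("clean/exceptions:", summarize(results))
```

The point of splitting `rotation-unevidenced` from `rotation-unapproved` is that an auditor treats them differently: the first means the inventory cannot be trusted, the second means the procedure was bypassed. Real runs would replace the constructed sets with exports from the secrets manager, the change system, and a grep of pipeline definitions, but the reconciliation logic stays the same.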
Why It Matters in NHI Security
Stage 2 matters because NHI failures often hide in the gap between policy and execution. In NHI environments, that gap is especially dangerous: service accounts can persist, secrets can remain valid, and automation can continue using excessive access long after the approved design has changed. NHIMG reports that only 5.7% of organisations have full visibility into their service accounts, which makes evidential audit far more than a paperwork exercise. It is one of the few moments where hidden NHI risk becomes measurable.
Stage 2 also forces organisations to prove control effectiveness for the full lifecycle, not just at provisioning. That is where Ultimate Guide to NHIs — Key Challenges and Risks becomes operationally relevant, especially when audit sampling exposes stale credentials, missing owners, or undocumented exceptions. The audit lens aligns with governance expectations in NIST Cybersecurity Framework 2.0, where controls must be demonstrable, not assumed.
Organisations typically feel the consequences of Stage 2 only after an audit finding, at which point evidential control testing stops being optional and becomes an obligation to remediate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Stage 2 tests whether NHI controls operate as documented and can be evidenced. |
| NIST CSF 2.0 | GV.RM-03 | Governance requires measurable control operation, not just written intent. |
| NIST SP 800-63 | Digital Identity Guidelines | Identity assurance principles support proving credential and lifecycle controls are functioning. |
Keep NHI controls testable with current evidence, samples, and owner accountability.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org