Applications or identity flows that exist in the environment but remain outside security visibility. They are more dangerous than known gaps because they bypass inventory, review, and monitoring processes, leaving no reliable basis for governance or remediation.
Expanded Definition
Unknown unknowns are identity or access exposures that exist in the environment but have not been discovered through inventory, telemetry, or governance review. In NHI management, that usually means a service account, API key, workload credential, or agent-to-agent flow is operating without being represented in the control plane.
This concept is not the same as a known gap, where a team can at least describe what is missing. Unknown unknowns sit outside the current model, so there is no reliable owner, policy, or monitoring baseline. That makes them especially dangerous in agentic systems and service-to-service architectures, where NIST Cybersecurity Framework 2.0 functions such as asset visibility and continuous monitoring depend on knowing the asset exists in the first place. The industry still uses this term somewhat loosely, but in practice it refers to exposures that evade both discovery and governance. The most common misapplication is treating undocumented credentials as a simple inventory issue, which occurs when teams assume a scan has found everything and stop looking for flows that never surface in logs.
Examples and Use Cases
Implementing controls against unknown unknowns rigorously often introduces discovery overhead, requiring organisations to weigh stronger visibility against the cost of mapping systems that were never formally registered.
- A CI/CD pipeline creates a temporary deployment token that was never added to the secrets inventory, so it remains active long after the owning team has moved on.
- An AI agent is granted tool access by a local workflow script, but the approval path bypasses central IAM review and never appears in standard access reports.
- A legacy service account persists inside a forgotten integration, and no one can name the business owner when the account begins making unusual calls.
- A third-party workload authenticates through an embedded API key, yet the key was copied into code before any secrets manager policy was enforced.
These cases are common because discovery often starts with records, not runtime behaviour. The Ultimate Guide to NHIs shows why this matters: only 5.7% of organisations have full visibility into their service accounts, which leaves a large portion of identity activity effectively ungoverned. For operational context, compare that blind spot with identity visibility expectations in the NIST Cybersecurity Framework 2.0, where detection and governance depend on knowing what is present.
Why It Matters in NHI Security
Unknown unknowns are a governance failure, not just a discovery problem. Once an organisation cannot see an identity or flow, it cannot rotate the credential, enforce least privilege, confirm ownership, or prove removal. That creates a direct path to secrets sprawl, excessive privilege, and abandoned access that survives long after the original use case has changed. In NHI environments, the risk compounds because machine identities can be replicated at speed and reused across pipelines, clusters, and agents.
The Ultimate Guide to NHIs notes that 68% of organisations do not know how to fully address NHI risks, which is consistent with the difficulty of governing what has not yet been found. This is why unknown unknowns matter in post-incident response as much as in design: they explain why clean inventory reports can coexist with real compromise. Organisations typically encounter the operational cost only after a breach review or access failure reveals an identity that had never been formally known, at which point unknown unknowns become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Unknown unknowns are identity assets not captured by inventory and monitoring. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Undiscovered NHIs undermine the visibility and inventory expectations in NHI governance. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumes every access path is observable and explicitly authorized. |
Continuously discover and record every NHI, then reconcile discoveries against ownership and policy.
Related resources from NHI Mgmt Group
- How should teams govern unknown or shadow Active Directory domains?
- Why do unknown assets create both security and compliance risk?
- Why do unknown AI agents create a higher identity risk than approved ones?
- How should security teams respond when an account takeover is confirmed but exposure is unknown?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org