Any identity that can authenticate or act without being fully controlled by the organisation’s standard identity stack. That includes service accounts, API keys, tokens, and some AI agents. The risk is not just visibility loss. It is loss of ownership, lifecycle control, and reliable revocation.
Expanded Definition
Unmanaged identity describes any non-human identity that can still authenticate or perform actions, but is not governed through the organisation’s standard identity stack. In practice, that means the identity may exist outside normal ownership, approval, rotation, and revocation processes. The term is broader than “forgotten account” because it includes active service accounts, API keys, tokens, certificates, and some AI agents that have usable access but weak governance.
In NHI management, unmanaged does not always mean invisible. An identity can be visible in logs or inventory and still be unmanaged if no team can prove who owns it, why it exists, when it expires, or how it is removed. That distinction matters because lifecycle control is what turns discovery into security. NHI Management Group’s Ultimate Guide to NHIs frames lifecycle discipline as a core control area, and the NIST Cybersecurity Framework 2.0 reinforces the broader expectation that access assets must be governed, not merely detected, by emphasising ongoing identification, protection, and control of assets across their operational life.
The most common misapplication is treating an identity as managed because it appears in a spreadsheet, when no reliable owner, expiry, or revocation path exists.
Examples and Use Cases
Implementing controls for unmanaged identities rigorously often introduces inventory and governance overhead, so organisations have to weigh operational speed against the cost of restoring ownership and revocation discipline.
- A legacy service account still authenticates to production, but no current team can explain its original purpose or safely disable it.
- An API key stored in a CI/CD pipeline remains active after the application team has moved repositories, creating a hidden dependency and a revocation gap.
- A long-lived token embedded in automation works across environments, but lacks rotation ownership and a documented expiry path.
- An AI agent has tool access to ticketing and cloud APIs, yet no approval record exists for its permissions or offboarding process.
- A certificate used by an internal integration is technically valid, but its issuer, consumer, and renewal workflow are no longer traceable.
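The checks that separate a managed identity from an unmanaged one (a provable owner, an expiry, a documented revocation path, an approval record, and rotation that actually happens) can be run as inventory logic. The script below is an added illustration, not code from NHI Management Group or from this page: it applies those checks to a small constructed inventory whose records mirror the five cases above plus one properly governed account. The record schema, the field names, the 90-day rotation threshold, the reference date and every sample identity are assumptions made for the example.

```python
"""Flag non-human identities whose lifecycle governance is missing.

Added example: the inventory schema and all sample records are constructed
for illustration and do not come from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: a credential not rotated within this window is overdue.
MAX_ROTATION_AGE = timedelta(days=90)

# Constructed reference date so the report is deterministic.
TODAY = date(2026, 1, 15)


@dataclass
class NHIRecord:
    """One row of a (hypothetical) non-human identity inventory."""
    name: str
    kind: str                        # service_account, api_key, token, certificate, ai_agent
    owner: Optional[str]             # accountable team, None if nobody can be named
    owner_active: bool               # False if the named team no longer exists
    expires: Optional[date]          # None means no expiry is recorded
    last_rotated: Optional[date]     # None means never rotated / renewed
    revocation_path: Optional[str]   # documented procedure to disable it
    approval_record: Optional[str]   # ticket or record that approved the access


def governance_gaps(rec: NHIRecord, today: date = TODAY) -> List[str]:
    """Return the lifecycle-control gaps for one record; empty means managed.

    Being present in the inventory is not enough: each check asks whether a
    team could prove ownership, expiry, revocation and approval on demand.
    """
    gaps: List[str] = []
    if not rec.owner or not rec.owner_active:
        gaps.append("no accountable owner")
    if rec.expires is None:
        gaps.append("no expiry")
    elif rec.expires < today:
        gaps.append("expired but still present")
    if not rec.revocation_path:
        gaps.append("no documented revocation path")
    if not rec.approval_record:
        gaps.append("no approval record")
    if rec.last_rotated is None or today - rec.last_rotated > MAX_ROTATION_AGE:
        gaps.append("rotation overdue or never rotated")
    return gaps


def classify(inventory: List[NHIRecord], today: date = TODAY) -> Dict[str, List[str]]:
    """Map every identity name to its list of gaps."""
    return {rec.name: governance_gaps(rec, today) for rec in inventory}


def unmanaged(inventory: List[NHIRecord], today: date = TODAY) -> List[str]:
    """Names of identities with at least one gap, sorted for stable output."""
    return sorted(name for name, gaps in classify(inventory, today).items() if gaps)


# Constructed sample inventory mirroring the cases in the text.
SAMPLE_INVENTORY = [
    # Legacy service account: still authenticates, nobody can explain or disable it.
    NHIRecord("svc-billing-legacy", "service_account", None, False, None, None, None, None),
    # CI/CD API key: well documented, but the owning team has moved on.
    NHIRecord("ci-deploy-key", "api_key", "payments-team", False, date(2027, 1, 1),
              date(2025, 12, 20), "runbook RB-0041", "CHG-2201"),
    # Long-lived automation token: no expiry, no revocation path, never rotated recently.
    NHIRecord("automation-token", "token", "platform", True, None,
              date(2024, 11, 1), None, "CHG-1900"),
    # AI agent with tool access but no approval record for its permissions.
    NHIRecord("triage-agent", "ai_agent", "support-eng", True, date(2026, 12, 31),
              date(2026, 1, 5), "disable via agent console", None),
    # Integration certificate: valid, but issuer/consumer/renewal no longer traceable.
    NHIRecord("erp-integration-cert", "certificate", None, False, date(2027, 3, 1),
              date(2025, 6, 1), None, "CHG-0800"),
    # A managed account for contrast: every lifecycle question has an answer.
    NHIRecord("svc-reporting", "service_account", "data-platform", True, date(2026, 9, 30),
              date(2025, 12, 30), "runbook RB-0112", "CHG-2310"),
]


if __name__ == "__main__":
    for name, gaps in classify(SAMPLE_INVENTORY).items():
        status = "UNMANAGED" if gaps else "managed"
        print(f"{name:22} {status:10} {', '.join(gaps)}")
```

The point of the design is that `governance_gaps` never looks at whether the identity is "known"; it only looks for evidence that somebody could answer the ownership, expiry, revocation and approval questions. The CI/CD key is a deliberate case: it has every document attached and is still reported as unmanaged because its owner is gone, which is exactly the spreadsheet-says-managed failure the text warns about.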
These cases appear in NHI incident analysis because unmanaged access often survives normal change management. The Top 10 NHI Issues and the 52 NHI Breaches Analysis both show that weak ownership is rarely an isolated defect. For implementation context, NIST Cybersecurity Framework 2.0 is useful when mapping unmanaged identities back to asset governance and access control duties.
Why It Matters in NHI Security
Unmanaged identities are dangerous because they break the control assumptions that make least privilege, rotation, and revocation possible. If a team cannot prove ownership, then it cannot reliably answer basic questions such as who approved the credential, when it should expire, or how an incident responder should disable it. That gap becomes severe in environments where non-human identities outnumber human identities by 25x to 50x, and where compromise often begins with stale or overprivileged access. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and only 20% of organisations have formal processes for offboarding and revoking API keys, which makes unmanaged identity a recurring exposure pattern rather than an edge case.
This is also where governance and security architecture intersect. The Lifecycle Processes for Managing NHIs section of NHI Management Group’s guidance shows why offboarding, rotation, and entitlement review are inseparable. For federated or workload-based trust models, unmanaged identities also undermine the intent of NIST Cybersecurity Framework 2.0 and comparable zero-trust programs. Organisations typically encounter the true cost only after a breach, an expired owner relationship, or a failed revocation, at which point addressing unmanaged identity can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged identities reflect missing ownership and lifecycle control over non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access are only effective when accounts and credentials are governed throughout their life cycle. |
| NIST Zero Trust (SP 800-207) | IA/Access policy | Zero trust depends on continuously verified identities, including workloads and service accounts. |
Require explicit identity verification, least privilege, and continuous review before allowing workload access.
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org