Governance, Ownership & Risk

Unmanaged Stack

By NHI Mgmt Group Updated June 10, 2026 Domain: Governance, Ownership & Risk

The unmanaged stack is the collection of SaaS apps, OAuth grants, shared credentials, and AI tools that operate outside central identity controls. It creates governance gaps because access may be real, active, and risky even when it never appears in normal SSO review or lifecycle workflows.

Expanded Definition

Unmanaged stack refers to the shadow layer of SaaS applications, OAuth grants, shared credentials, browser-based automation, and AI tools that function outside central identity governance. In NHI and IAM practice, it is not simply “unauthorised software.” It is any active access path that bypasses normal joiner, mover, leaver, or SSO review, yet still carries data access, API reach, or execution authority.

Definitions vary across vendors, especially where teams blend SaaS sprawl, shadow IT, and non-human identity governance into one label. The operational distinction is that unmanaged stack risk is about control-plane invisibility: the access exists, may be productive, and may never be evaluated by the identity team. That makes it especially relevant to the NIST Cybersecurity Framework 2.0 functions tied to asset visibility, access control, and continuous monitoring. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows why lifecycle oversight must extend beyond formal directory objects.

The most common misapplication is treating the unmanaged stack as a procurement problem: teams focus only on approved software lists and miss the active OAuth consents, embedded tokens, and AI tools that are already handling real business data.

Examples and Use Cases

Implementing unmanaged stack controls rigorously often introduces friction for end users and product teams, requiring organisations to weigh fast self-service adoption against the cost of discovery, review, and revocation.

  • A marketing team connects a SaaS scheduler to a CRM through an OAuth grant that was never routed through IAM review, leaving persistent access after the employee changes roles.
  • A developer stores a service token in a personal automation tool, then uses it to trigger releases outside the approved CI/CD identity path.
  • An analyst adopts an AI note-taking tool that syncs meeting transcripts and attachments into an external tenant, creating data exposure that security never inventoried.
  • A shared vendor account is reused across multiple teams, so no one can prove ownership, rotate the credential, or revoke it cleanly during offboarding.

These patterns are discussed in NHIMG’s Top 10 NHI Issues and align with the visibility emphasis in NIST Cybersecurity Framework 2.0, which expects organisations to know what is connected, what is privileged, and what is still active.

In practice, the unmanaged stack often includes tools that look harmless individually but together form an access mesh that is hard to inventory, harder to revoke, and easiest to exploit when ownership is unclear.

Why It Matters in NHI Security

Unmanaged stack matters because it turns ordinary business convenience into hidden authority. When SaaS grants, API keys, and AI connectors sit outside central control, organisations lose the ability to enforce least privilege, rotation, offboarding, and auditability. That failure is especially dangerous for non-human identities, where access may be machine-speed, persistent, and replicated across tools. NHIMG reports that only 5.7% of organisations have full visibility into their service accounts, and that lack of visibility is exactly the condition in which unmanaged stack risk compounds.

The security impact is broader than account sprawl. It can undermine incident response, create unmanaged data flows, and leave residual access in place after an employee departs or a vendor relationship ends. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks and NHI Lifecycle Management Guide both reinforce that identity governance has to cover active usage, not just registered objects. For risk teams, the unmanaged stack is where policy drift becomes exposure.

Organisations typically encounter the consequences only after an investigation reveals an old OAuth grant, a forgotten token, or an AI connector still moving sensitive data, at which point unmanaged stack becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged stack creates hidden NHIs and orphaned access paths outside governance. |
| NIST CSF 2.0 | ID.AM-1 | Asset management requires knowing which identities and tools exist and are in use. |
| NIST Zero Trust (SP 800-207) | PA | Zero Trust assumes every access path must be explicitly known and continuously evaluated. |

Inventory all hidden SaaS grants, tokens, and service accounts, then reconcile them to owners and business purpose.
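The reconciliation step above, and the four scenarios in the Examples and Use Cases list (a grant that outlives a role change, a token in a personal tool outside the approved CI/CD path, an AI tool syncing data to an external tenant, and a shared vendor account with no owner), can be expressed as a single reconciliation pass over a grant inventory. The following is an added example written for this entry; it is not NHIMG's code or tooling. It assumes a constructed export of OAuth grants, tokens and shared accounts (as an identity team might pull from IdP consent logs and SaaS admin consoles), a constructed HR roster, and a constructed approved-app catalogue; the app names, user ids and domains are placeholders.

```python
"""Reconcile an inventory of SaaS grants, tokens and shared accounts against
identity governance records and flag the ones that sit in the unmanaged stack.

Added example, not NHIMG's code. All inputs below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed approved-app catalogue and org-owned tenant domains.
APPROVED_APPS = {"crm-core", "ci-runner", "vendor-portal"}
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Grant:
    grant_id: str
    app: str                 # SaaS app, connector or automation tool
    kind: str                # "oauth", "token" or "shared-account"
    owner: Optional[str]     # user id recorded at consent time, None if unknown
    scopes: set[str]
    last_used: date
    target_tenant: str       # domain the data or API calls flow to


@dataclass
class Person:
    user_id: str
    status: str              # "active", "moved" (changed role) or "left"


@dataclass
class Finding:
    grant_id: str
    reasons: list[str] = field(default_factory=list)


def reconcile(grants: list[Grant], roster: list[Person], today: date,
              stale_days: int = 90) -> list[Finding]:
    """Return one Finding per grant that fails a governance check.

    Checks: presence in the approved catalogue, an accountable and still-current
    owner (joiner/mover/leaver), data flowing only to org-owned tenants, and
    recent use. Grants that pass every check produce no Finding.
    """
    people = {p.user_id: p for p in roster}
    findings: list[Finding] = []
    for g in grants:
        reasons: list[str] = []
        if g.app not in APPROVED_APPS:
            reasons.append("not in approved catalogue")
        if g.owner is None or g.kind == "shared-account":
            reasons.append("no accountable owner")
        else:
            person = people.get(g.owner)
            if person is None or person.status == "left":
                reasons.append("owner departed")
            elif person.status == "moved":
                reasons.append("owner changed role; grant never re-reviewed")
        if g.target_tenant not in INTERNAL_DOMAINS:
            reasons.append(f"data flows to external tenant {g.target_tenant}")
        if (today - g.last_used).days > stale_days:
            reasons.append("stale")
        if reasons:
            findings.append(Finding(g.grant_id, reasons))
    return findings


# Constructed sample data mirroring the scenarios in this entry.
TODAY = date(2026, 6, 10)
SAMPLE_ROSTER = [
    Person("alice", "moved"),   # marketing, changed roles
    Person("bob", "active"),
    Person("carol", "active"),
    Person("dave", "active"),
    Person("erin", "left"),     # offboarded
]
SAMPLE_GRANTS = [
    Grant("g1", "sched-bot", "oauth", "alice", {"crm.read", "crm.write"},
          date(2026, 6, 1), "example.com"),
    Grant("g2", "personal-automation", "token", "bob", {"deploy"},
          date(2026, 6, 2), "example.com"),
    Grant("g3", "ai-notes", "oauth", "carol", {"calendar.read", "files.read"},
          date(2026, 6, 3), "ainotes.example.net"),
    Grant("g4", "vendor-portal", "shared-account", None, {"admin"},
          date(2025, 11, 1), "example.com"),
    Grant("g5", "crm-core", "oauth", "dave", {"crm.read"},
          date(2026, 6, 4), "example.com"),
    Grant("g6", "ci-runner", "token", "erin", {"deploy"},
          date(2026, 6, 5), "example.com"),
]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_GRANTS, SAMPLE_ROSTER, TODAY):
        print(f.grant_id, "->", "; ".join(f.reasons))
```

Each finding carries every reason it failed rather than the first one, so the output doubles as a review worksheet: a grant can be both outside the catalogue and owned by someone who has changed roles, and both facts matter when deciding whether to re-attest or revoke it.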

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org