Non-Human Identity Governance
Status
Design Stage
Maturity
Governance model documented
Evidence
Control design complete · Sanitized demo view added · Dashboard planned
Next
Build NHI inventory dashboard
Problem Statement
Non-human identities — service accounts, OAuth2 clients, API keys, CI/CD tokens, and workload identities — often outnumber human identities in enterprise environments by an order of magnitude. Yet governance tooling, access reviews, and lifecycle policies are almost always built for humans. Service accounts accumulate excessive scopes, credentials are never rotated, and decommissioned applications leave orphaned credentials with standing access. This is the fastest-growing attack surface in enterprise IAM.
Why NHI Is Different
| Dimension | Human Identity | Non-Human Identity |
|---|---|---|
| Identity type | Person | Application, service, script |
| Authentication | Password + MFA | Client secret, certificate, workload identity |
| Session duration | Hours (re-auth expected) | Long-lived or persistent |
| Access pattern | Interactive, variable | Programmatic, predictable |
| Rotation | Password policy, manual | Automated, zero-downtime required |
| Governance gap | Mature (IGA tooling) | Often immature or absent |
| Blast radius | One person's access | All resources in scope set |
OAuth2 Client Credentials Lifecycle
1. Creation
Client registered with minimum required scopes, short TTL, and owner attribution recorded in inventory
2. Rotation
Credentials rotated on a defined schedule or on-demand; new secret issued before old is revoked to prevent downtime
3. Review
Periodic review compares assigned scopes to actually-used scopes; flags drift or over-privilege
4. Revocation
Client credentials revoked immediately on application decommission, team offboarding, or detected compromise
Scope Governance
Scope governance for non-human identities applies the same least-privilege principle as RBAC for humans, but operates in the OAuth2 scope model.
Least-privilege assignment
Scope set defined at client registration time based on documented function — no catch-all or wildcard scopes
Scope creep detection
Actual scope usage compared against assigned scopes periodically; unused scopes flagged for removal
Scope change approval
Any scope expansion requires change approval; scope reduction is self-service to encourage right-sizing
Inventory linkage
Every client credential is linked to an owning team and application in the NHI inventory; orphaned credentials are auto-flagged
Over-Privilege Detection
Over-privilege detection compares the scope set assigned to a client against the scopes that appear in token introspection or usage logs over a rolling period.
// Detection logic
assigned_scopes = ["billing:read", "users:read", "admin:write"]
used_scopes_30d = ["billing:read"]
// Result
drift = ["users:read", "admin:write"] // flagged for review
risk_level = HIGH // admin:write unused but assigned
NHI Inventory View — Sanitized Demo View
⚠Sanitized demo view — illustrative inventory entries showing the governance model applied to real-world NHI patterns.
| SANITIZED DEMO VIEW | Owner Team | Assigned Scopes | Used (30d) | Unused / Flagged | Rotation Due | Risk |
|---|---|---|---|---|---|---|
| cli-[redacted] | platform-engineering | billing:readusers:readadmin:write | billing:read | users:read ⚑admin:write ⚑ | 2026-06-01 | High |
| cli-[redacted] | data-pipeline | storage:readstorage:write | storage:readstorage:write | — | 2026-08-15 | Low |
| cli-[redacted] | legacy-crm (orphaned) | users:readadmin:readreports:write | none (0 calls) | users:read ⚑admin:read ⚑reports:write ⚑ | — | Critical |
Row 1: over-privilege (admin:write assigned but unused). Row 2: clean — all scopes in use. Row 3: orphaned credential — no calls in 30 days, rotation overdue.
Client ID
svc-billing-sync-****
Owner Team
Finance Platform
Rotation Due
2026-06-15
Assigned scopes
Used scopes — last 30 days
Unused scopes flagged for review
Recommendations
- ‣ Remove unused scopes: invoices.write, customers.read, admin.export
- ‣ Rotate credential — rotation window approaching
- ‣ Assign a named owner within Finance Platform
- ‣ Re-review access in 30 days after scope reduction
Employer Value
Risk reduced
Over-privileged service accounts, long-lived credentials, untracked M2M access
Operational value
Reduced blast radius for compromised workload identity
IAM domain
OAuth2 client credentials, NHI governance, workload identity
Seniority signal
Understands the full identity surface — humans and machines
Evidence Roadmap
Governance model and sanitized inventory view are documented above. Full dashboard and repository will be added as the project matures.
Governance model
[ Documented above ]
NHI Inventory View
[ Sanitized NHI inventory view added ]
Over-privilege detection
[ Logic and example documented above ]
NHI inventory dashboard
[ Dashboard planned ]
GitHub repository
[ Repo pending ]