Non-Human Identity Governance
Status
Design Stage
Maturity
Governance model documented
Evidence
Control design complete · Dashboard planned
Next
Build NHI inventory dashboard
Problem Statement
Non-human identities — service accounts, OAuth2 clients, API keys, CI/CD tokens, and workload identities — often outnumber human identities in enterprise environments by an order of magnitude. Yet governance tooling, access reviews, and lifecycle policies are almost always built for humans. Service accounts accumulate excessive scopes, credentials are never rotated, and decommissioned applications leave orphaned credentials with standing access. This is the fastest-growing attack surface in enterprise IAM.
Why NHI Is Different
| Dimension | Human Identity | Non-Human Identity |
|---|---|---|
| Identity type | Person | Application, service, script |
| Authentication | Password + MFA | Client secret, certificate, workload identity |
| Session duration | Hours (re-auth expected) | Long-lived or persistent |
| Access pattern | Interactive, variable | Programmatic, predictable |
| Rotation | Password policy, manual | Automated, zero-downtime required |
| Governance gap | Mature (IGA tooling) | Often immature or absent |
| Blast radius | One person's access | All resources in scope set |
OAuth2 Client Credentials Lifecycle
1. Creation
Client registered with minimum required scopes, short TTL, and owner attribution recorded in inventory
2. Rotation
Credentials rotated on a defined schedule or on-demand; new secret issued before old is revoked to prevent downtime
3. Review
Periodic review compares assigned scopes to actually-used scopes; flags drift or over-privilege
4. Revocation
Client credentials revoked immediately on application decommission, team offboarding, or detected compromise
Scope Governance
Scope governance for non-human identities applies the same least-privilege principle as RBAC for humans, but operates in the OAuth2 scope model.
Least-privilege assignment
Scope set defined at client registration time based on documented function — no catch-all or wildcard scopes
Scope creep detection
Actual scope usage compared against assigned scopes periodically; unused scopes flagged for removal
Scope change approval
Any scope expansion requires change approval; scope reduction is self-service to encourage right-sizing
Inventory linkage
Every client credential is linked to an owning team and application in the NHI inventory; orphaned credentials are auto-flagged
Over-Privilege Detection
Over-privilege detection compares the scope set assigned to a client against the scopes that appear in token introspection or usage logs over a rolling period.
```python
# Detection logic: scopes assigned at registration vs. scopes seen in use over the last 30 days
assigned_scopes = ["billing:read", "users:read", "admin:write"]
used_scopes_30d = ["billing:read"]

# Result: anything assigned but never used is drift and is flagged for review
drift = [s for s in assigned_scopes if s not in used_scopes_30d]  # ["users:read", "admin:write"]
risk_level = "HIGH" if "admin:write" in drift else "LOW"  # admin:write unused but assigned
```
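An added worked example of this review, not code from the original page: it parses constructed usage-log lines, keeps only those inside a rolling 30-day window, computes per-client drift against a constructed inventory, rates risk using an assumed `resource:action` scope naming convention, and also flags orphaned credentials with no owning team, which covers the inventory-linkage rule from the Scope Governance section. The log format, inventory shape and client names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed NHI inventory: client_id -> owning team (None = orphaned) and assigned scopes.
INVENTORY = {
    "svc-billing": {"owner": "payments-team",
                    "scopes": {"billing:read", "users:read", "admin:write"}},
    "svc-legacy": {"owner": None, "scopes": {"reports:read"}},
}
# Constructed usage-log lines "<timestamp> <client_id> <scope>": an assumed shape for what
# a token-introspection or API-gateway log might emit, not a real product format.
USAGE_LOG = [
    "2024-05-01T10:00:00Z svc-billing billing:read",
    "2024-05-20T11:30:00Z svc-billing billing:read",
    "2024-03-01T09:00:00Z svc-billing admin:write",  # older than the 30-day window
    "2024-05-25T08:00:00Z svc-legacy reports:read",
]
# Assumed scope naming convention "resource:action"; these actions count as high risk.
HIGH_RISK_ACTIONS = {"write", "admin", "delete"}

def scopes_used(log_lines, now, window_days=30):
    """Return {client_id: set of scopes} observed inside the rolling window."""
    cutoff = now - timedelta(days=window_days)
    used = {}
    for line in log_lines:
        ts, client, scope = line.split()
        if datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") >= cutoff:
            used.setdefault(client, set()).add(scope)
    return used

def risk_level(drift):
    """HIGH if an unused scope grants a high-risk action, MEDIUM for other drift, else LOW."""
    if any(s.split(":")[-1] in HIGH_RISK_ACTIONS for s in drift):
        return "HIGH"
    return "MEDIUM" if drift else "LOW"

def review(inventory, log_lines, now, window_days=30):
    """Per client: assigned-but-unused scopes in the window, a risk rating, orphan status."""
    used = scopes_used(log_lines, now, window_days)
    report = {}
    for client, rec in inventory.items():
        drift = sorted(rec["scopes"] - used.get(client, set()))
        report[client] = {"drift": drift, "risk": risk_level(drift),
                          "orphaned": rec["owner"] is None}
    return report

def demo_report():
    """Review as of a fixed constructed date so the result is reproducible."""
    return review(INVENTORY, USAGE_LOG, datetime(2024, 5, 31))
```

The `admin:write` use in March falls outside the window, so it is reported as drift even though the scope was exercised once; the window length is therefore a tuning decision for the review cadence.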
Employer Value
Risk reduced
Over-privileged service accounts, long-lived credentials, untracked M2M access
Operational value
Reduced blast radius for compromised workload identity
IAM domain
OAuth2 client credentials, NHI governance, workload identity
Seniority signal
Understands the full identity surface — humans and machines
Evidence
Governance model
[ Documented above ]
NHI inventory dashboard
[ Dashboard planned ]
Over-privilege report mock
[ Screenshot pending ]
GitHub repository
[ Repo pending ]