← Back to portfolio

Non-Human Identity Governance

Status

Design Stage

Maturity

Governance model documented

Evidence

Control design complete · Sanitized demo view added · Dashboard planned

Next

Build NHI inventory dashboard

Problem Statement

Non-human identities — service accounts, OAuth2 clients, API keys, CI/CD tokens, and workload identities — often outnumber human identities in enterprise environments by an order of magnitude. Yet governance tooling, access reviews, and lifecycle policies are almost always built for humans. Service accounts accumulate excessive scopes, credentials are never rotated, and decommissioned applications leave orphaned credentials with standing access. This is the fastest-growing attack surface in enterprise IAM.

Why NHI Is Different

Comparison of human identity vs non-human identity characteristics across seven governance dimensions
DimensionHuman IdentityNon-Human Identity
Identity typePersonApplication, service, script
AuthenticationPassword + MFAClient secret, certificate, workload identity
Session durationHours (re-auth expected)Long-lived or persistent
Access patternInteractive, variableProgrammatic, predictable
RotationPassword policy, manualAutomated, zero-downtime required
Governance gapMature (IGA tooling)Often immature or absent
Blast radiusOne person's accessAll resources in scope set

OAuth2 Client Credentials Lifecycle

1. Creation

Client registered with minimum required scopes, short TTL, and owner attribution recorded in inventory

2. Rotation

Credentials rotated on a defined schedule or on-demand; new secret issued before old is revoked to prevent downtime

3. Review

Periodic review compares assigned scopes to actually-used scopes; flags drift or over-privilege

4. Revocation

Client credentials revoked immediately on application decommission, team offboarding, or detected compromise

Scope Governance

Scope governance for non-human identities applies the same least-privilege principle as RBAC for humans, but operates in the OAuth2 scope model.

Over-Privilege Detection

Over-privilege detection compares the scope set assigned to a client against the scopes that appear in token introspection or usage logs over a rolling period.

// Detection logic

assigned_scopes = ["billing:read", "users:read", "admin:write"]

used_scopes_30d = ["billing:read"]

// Result

drift = ["users:read", "admin:write"] // flagged for review

risk_level = HIGH // admin:write unused but assigned

NHI Inventory View — Sanitized Demo View

Sanitized demo view — illustrative inventory entries showing the governance model applied to real-world NHI patterns.

Sanitized NHI inventory showing client credentials, scope usage, rotation schedule, and risk level
SANITIZED DEMO VIEWOwner TeamAssigned ScopesUsed (30d)Unused / FlaggedRotation DueRisk
cli-[redacted]platform-engineering
billing:readusers:readadmin:write
billing:read
users:readadmin:write
2026-06-01High
cli-[redacted]data-pipeline
storage:readstorage:write
storage:readstorage:write
2026-08-15Low
cli-[redacted]legacy-crm (orphaned)
users:readadmin:readreports:write
none (0 calls)
users:readadmin:readreports:write
Critical

Row 1: over-privilege (admin:write assigned but unused). Row 2: clean — all scopes in use. Row 3: orphaned credential — no calls in 30 days, rotation overdue.

Client Detail — Risk: HighSANITIZED DEMO VIEW

Client ID

svc-billing-sync-****

Owner Team

Finance Platform

Rotation Due

2026-06-15

Assigned scopes

invoices.readinvoices.writecustomers.readadmin.export

Used scopes — last 30 days

invoices.read

Unused scopes flagged for review

invoices.writecustomers.readadmin.export

Recommendations

  • Remove unused scopes: invoices.write, customers.read, admin.export
  • Rotate credential — rotation window approaching
  • Assign a named owner within Finance Platform
  • Re-review access in 30 days after scope reduction

Employer Value

Risk reduced

Over-privileged service accounts, long-lived credentials, untracked M2M access

Operational value

Reduced blast radius for compromised workload identity

IAM domain

OAuth2 client credentials, NHI governance, workload identity

Seniority signal

Understands the full identity surface — humans and machines

Evidence Roadmap

Governance model and sanitized inventory view are documented above. Full dashboard and repository will be added as the project matures.

Governance model

[ Documented above ]

NHI Inventory View

[ Sanitized NHI inventory view added ]

Over-privilege detection

[ Logic and example documented above ]

NHI inventory dashboard

[ Dashboard planned ]

GitHub repository

[ Repo pending ]