← All glossary terms
Non-Human Identities5 min read

Non-Human Identity Security Checklist

A comprehensive checklist for NHI security covering discovery, ownership, authentication, lifecycle, monitoring, governance, and incident response.

Non-Human Identity Security Checklist

A practical, end-to-end NHI security checklist for security architects, identity teams, and DevOps. Use as a self-audit, RFP requirement, or vendor due diligence tool.


1. Discovery and Inventory

  • Continuous discovery across cloud (AWS / GCP / Azure / OCI).
  • Continuous discovery across SaaS (Workspace / M365 / Salesforce / Slack / GitHub / etc.).
  • Continuous discovery in AD (SAs, gMSAs, dMSAs, computer accounts).
  • Continuous discovery in K8s (SAs, namespaces).
  • Continuous discovery of secrets (vaults, code, CI, registries).
  • Continuous discovery of OAuth / SaaS-to-SaaS connected apps.
  • Continuous discovery of Personal Access Tokens (GitHub / GitLab / Atlassian).
  • Continuous discovery of bots and AI agents.
  • Single normalized NHI inventory.
  • Each NHI metadata: type, purpose, owner, scope, status, last-used, risk score.
  • Inventory regularly reconciled with platform sources.
  • Inventory coverage % tracked as KPI.

2. Ownership

  • Named human owner per NHI.
  • Backup owner per NHI.
  • Auto-detection from creator / first-grant / tags / IaC.
  • Owner tag enforcement at creation (Org Policy, IaC validation).
  • No-owner SLA + escalation path.
  • Quarterly recertification campaigns.
  • Owner training on responsibilities.
  • Ownership coverage % tracked as KPI.

3. Risk Classification

  • Risk tiering criteria documented (Tier 0–4).
  • Each NHI assigned a tier.
  • Re-tier on significant change.
  • Tier drives controls intensity (cadence, MFA, monitoring).
  • Tier 0 NHIs (admin / cross-tenant / signing) have heightened controls.

4. Authentication

  • Workload Identity Federation in use for cloud workloads.
  • Managed Identity (Azure) / IRSA (AWS) / WI (GKE / AKS) in use.
  • gMSA / dMSA preferred over user-based AD SAs.
  • No hardcoded secrets (verified by secret scanning + push protection).
  • Centralized secret manager (Vault, AWS SM, Azure KV, GCP SM).
  • Short-lived OAuth access tokens (≤ 1 hour where possible).
  • Refresh tokens rotated on use.
  • mTLS for service-to-service where appropriate.
  • SPIFFE for service mesh.
  • Audience binding enforced.
  • Federation conditions strict (per-repo / per-branch).

5. Authorization (Least Privilege)

Cloud

  • No basic roles (Editor / Owner) in production.
  • Predefined / scoped / custom roles per workload.
  • Conditional grants where supported.
  • Quarterly recertification with usage analysis (IAM Recommender / Access Analyzer / Forestall).

Cross-Cloud / SaaS

  • Narrow integration scopes.
  • Per-tenant / per-resource scoping.
  • Tier 0/1/2 model enforced.
  • gMSA / dMSA replacing user SAs.
  • No SPNs on user accounts.
  • AS-REP preauth required.

Kubernetes

  • Namespaced RBAC.
  • No cluster-admin to apps.
  • Federated to cloud IAM (IRSA / WI).

Tools / APIs (AI agents, RPA)

  • Allow-list per NHI.
  • Tool composition risk reviewed.
  • Dangerous combinations flagged.

6. Lifecycle

  • Provisioning workflow (risk + approval).
  • Owner assigned at creation.
  • HR integration triggers transfer / decommissioning on leaver.
  • Workload integration triggers cleanup on workload deletion.
  • Recertification cadence (risk-tiered).
  • Suspend-then-delete pattern.
  • Audit every lifecycle event.
  • Orphan KPI tracked.
  • Mean orphan age tracked.

7. Secret Management

  • Centralized vault.
  • No hardcoded secrets (verified).
  • Secret scanning on all repos / containers / configs.
  • Push protection enabled.
  • Pre-commit hooks for secret detection.
  • Rotation cadence per sensitivity.
  • Dual-secret pattern for zero-downtime.
  • Cert lifecycle automation (ACME, cert-manager).
  • SSH cert authority (replacing static keys).
  • Krbtgt rotation twice yearly.
  • HSM for high-value (signing, root CA).
  • Per-secret ACL.
  • Stale secret count tracked.

8. Monitoring

  • Comprehensive audit logging for every NHI action.
  • Centralized SIEM ingestion.
  • Long retention (≥ 1 year, more for sensitive).
  • Immutable audit storage.
  • Anomaly detection per NHI type.
  • Cost monitoring per NHI.
  • Alerting + on-call.
  • MTTD / MTTR tracked.
  • Posture tooling (Forestall) for continuous risk-rank.

9. Compliance

  • NIST CSF 2.0 PR.AA-05 mapped.
  • PCI-DSS 4.0 service account requirements met.
  • ISO 27001 A.5.16 evidenced.
  • SOC 2 CC6 evidenced.
  • Sector-specific (HIPAA, GLBA, etc.) addressed.
  • Evidence collection automated.
  • Audit-ready posture documented.

10. Governance

  • NHI / AI policy formal + socialized.
  • Approval workflow for high-risk new NHIs.
  • Re-review on significant change.
  • Quarterly review on Tier 1+ NHIs.
  • Decommissioning playbook.
  • Cross-functional governance body (Security + IAM + DevOps + IT + AI).
  • Quarterly leadership reporting.
  • Trend tracking on KPIs.

11. Vendor / Supply-Chain

  • Vendor risk assessments for SaaS-to-SaaS integrations.
  • Contractual data scoping.
  • Periodic re-review (annual minimum).
  • OAuth grant audit quarterly.
  • Vendor incident notification monitored.
  • Vendor isolation (per-vendor SAs).

12. Incident Response

  • IR playbooks per NHI type (SA / OAuth / federation / RPA / AI agent).
  • Containment runbooks (rotate / revoke / disable).
  • Audit trail preservation.
  • Tabletop exercises annually.
  • Post-incident root cause + systemic improvements.
  • Vendor incident playbook.

13. KPIs

  • Inventory coverage %.
  • Ownership coverage %.
  • Federation adoption %.
  • Hardcoded secret count.
  • Stale NHI count.
  • Over-permissioned NHI count.
  • MTTD for NHI anomalies.
  • MTTR for NHI findings.
  • Compliance evidence completeness.
  • Trends quarter-over-quarter.

How Forestall Helps

Forestall scores your environment against this checklist continuously, prioritizes findings, and tracks progress as KPIs over time.


Conclusion

NHI security is mature enough that a checklist captures the essential controls. Use this as a baseline self-audit; expand with sector-specific or platform-specific items; and operationalize via continuous tooling. With every box checked and trend metrics moving in the right direction, the largest identity surface in your environment becomes a managed, monitored, governed asset rather than your biggest blind spot.

Non-Human IdentityIdentity SecurityBest Practices

Audit your NHI program against this checklist.

Forestall scores your environment against NHI best-practice controls.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

Non-Human Identity Security Checklist | Forestall