Non-Human Identity Security Checklist
A comprehensive checklist for NHI security covering discovery, ownership, authentication, lifecycle, monitoring, governance, and incident response.
Non-Human Identity Security Checklist
A practical, end-to-end NHI security checklist for security architects, identity teams, and DevOps. Use as a self-audit, RFP requirement, or vendor due diligence tool.
1. Discovery and Inventory
- Continuous discovery across cloud (AWS / GCP / Azure / OCI).
- Continuous discovery across SaaS (Workspace / M365 / Salesforce / Slack / GitHub / etc.).
- Continuous discovery in AD (SAs, gMSAs, dMSAs, computer accounts).
- Continuous discovery in K8s (SAs, namespaces).
- Continuous discovery of secrets (vaults, code, CI, registries).
- Continuous discovery of OAuth / SaaS-to-SaaS connected apps.
- Continuous discovery of Personal Access Tokens (GitHub / GitLab / Atlassian).
- Continuous discovery of bots and AI agents.
- Single normalized NHI inventory.
- Each NHI metadata: type, purpose, owner, scope, status, last-used, risk score.
- Inventory regularly reconciled with platform sources.
- Inventory coverage % tracked as KPI.
2. Ownership
- Named human owner per NHI.
- Backup owner per NHI.
- Auto-detection from creator / first-grant / tags / IaC.
- Owner tag enforcement at creation (Org Policy, IaC validation).
- No-owner SLA + escalation path.
- Quarterly recertification campaigns.
- Owner training on responsibilities.
- Ownership coverage % tracked as KPI.
3. Risk Classification
- Risk tiering criteria documented (Tier 0–4).
- Each NHI assigned a tier.
- Re-tier on significant change.
- Tier drives controls intensity (cadence, MFA, monitoring).
- Tier 0 NHIs (admin / cross-tenant / signing) have heightened controls.
4. Authentication
- Workload Identity Federation in use for cloud workloads.
- Managed Identity (Azure) / IRSA (AWS) / WI (GKE / AKS) in use.
- gMSA / dMSA preferred over user-based AD SAs.
- No hardcoded secrets (verified by secret scanning + push protection).
- Centralized secret manager (Vault, AWS SM, Azure KV, GCP SM).
- Short-lived OAuth access tokens (≤ 1 hour where possible).
- Refresh tokens rotated on use.
- mTLS for service-to-service where appropriate.
- SPIFFE for service mesh.
- Audience binding enforced.
- Federation conditions strict (per-repo / per-branch).
5. Authorization (Least Privilege)
Cloud
- No basic roles (Editor / Owner) in production.
- Predefined / scoped / custom roles per workload.
- Conditional grants where supported.
- Quarterly recertification with usage analysis (IAM Recommender / Access Analyzer / Forestall).
Cross-Cloud / SaaS
- Narrow integration scopes.
- Per-tenant / per-resource scoping.
AD
- Tier 0/1/2 model enforced.
- gMSA / dMSA replacing user SAs.
- No SPNs on user accounts.
- AS-REP preauth required.
Kubernetes
- Namespaced RBAC.
- No cluster-admin to apps.
- Federated to cloud IAM (IRSA / WI).
Tools / APIs (AI agents, RPA)
- Allow-list per NHI.
- Tool composition risk reviewed.
- Dangerous combinations flagged.
6. Lifecycle
- Provisioning workflow (risk + approval).
- Owner assigned at creation.
- HR integration triggers transfer / decommissioning on leaver.
- Workload integration triggers cleanup on workload deletion.
- Recertification cadence (risk-tiered).
- Suspend-then-delete pattern.
- Audit every lifecycle event.
- Orphan KPI tracked.
- Mean orphan age tracked.
7. Secret Management
- Centralized vault.
- No hardcoded secrets (verified).
- Secret scanning on all repos / containers / configs.
- Push protection enabled.
- Pre-commit hooks for secret detection.
- Rotation cadence per sensitivity.
- Dual-secret pattern for zero-downtime.
- Cert lifecycle automation (ACME, cert-manager).
- SSH cert authority (replacing static keys).
- Krbtgt rotation twice yearly.
- HSM for high-value (signing, root CA).
- Per-secret ACL.
- Stale secret count tracked.
8. Monitoring
- Comprehensive audit logging for every NHI action.
- Centralized SIEM ingestion.
- Long retention (≥ 1 year, more for sensitive).
- Immutable audit storage.
- Anomaly detection per NHI type.
- Cost monitoring per NHI.
- Alerting + on-call.
- MTTD / MTTR tracked.
- Posture tooling (Forestall) for continuous risk-rank.
9. Compliance
- NIST CSF 2.0 PR.AA-05 mapped.
- PCI-DSS 4.0 service account requirements met.
- ISO 27001 A.5.16 evidenced.
- SOC 2 CC6 evidenced.
- Sector-specific (HIPAA, GLBA, etc.) addressed.
- Evidence collection automated.
- Audit-ready posture documented.
10. Governance
- NHI / AI policy formal + socialized.
- Approval workflow for high-risk new NHIs.
- Re-review on significant change.
- Quarterly review on Tier 1+ NHIs.
- Decommissioning playbook.
- Cross-functional governance body (Security + IAM + DevOps + IT + AI).
- Quarterly leadership reporting.
- Trend tracking on KPIs.
11. Vendor / Supply-Chain
- Vendor risk assessments for SaaS-to-SaaS integrations.
- Contractual data scoping.
- Periodic re-review (annual minimum).
- OAuth grant audit quarterly.
- Vendor incident notification monitored.
- Vendor isolation (per-vendor SAs).
12. Incident Response
- IR playbooks per NHI type (SA / OAuth / federation / RPA / AI agent).
- Containment runbooks (rotate / revoke / disable).
- Audit trail preservation.
- Tabletop exercises annually.
- Post-incident root cause + systemic improvements.
- Vendor incident playbook.
13. KPIs
- Inventory coverage %.
- Ownership coverage %.
- Federation adoption %.
- Hardcoded secret count.
- Stale NHI count.
- Over-permissioned NHI count.
- MTTD for NHI anomalies.
- MTTR for NHI findings.
- Compliance evidence completeness.
- Trends quarter-over-quarter.
How Forestall Helps
Forestall scores your environment against this checklist continuously, prioritizes findings, and tracks progress as KPIs over time.
Conclusion
NHI security is mature enough that a checklist captures the essential controls. Use this as a baseline self-audit; expand with sector-specific or platform-specific items; and operationalize via continuous tooling. With every box checked and trend metrics moving in the right direction, the largest identity surface in your environment becomes a managed, monitored, governed asset rather than your biggest blind spot.
Audit your NHI program against this checklist.
Forestall scores your environment against NHI best-practice controls.