Why it matters
Service accounts, application identities, API keys, client secrets, certificates, workload identities, managed identities, tokens, SSH keys, and automation identities often outlive projects and people. A hidden credential is not necessarily a protected credential.
Inventory and lifecycle
- Record identity type, owner, purpose, environment, target systems, privilege, credential location, expiry, and rotation method.
- Prefer least privilege, production separation, and interactive-login restrictions where appropriate.
- Monitor use, failed authentication, scope changes, and emergency rotation events.
- Decommission the identity, credentials, authorizations, certificates, and automation references together.
Rotation checklist
- Can the service use a replacement without downtime?
- Are old credentials revoked only after validated cutover?
- Is ownership still active and accountable?
- Are orphaned, shared, or dormant identities reviewed?
Common mistakes
Do not embed real secrets in code, logs, tickets, or examples. Avoid shared credentials, unbounded API keys, indefinite certificates, and treating a successful rotation as proof that every dependent workload is healthy.
Fictional example
An automation account remains after a migration. Inventory review finds no current owner but an active certificate and broad role. The team assigns an application owner, tests a narrowed replacement identity, and removes the old access with evidence.
Operational decision points
Start by identifying ownership, purpose, environment separation, scoped authorization, credential storage, rotation, monitoring, emergency revocation, and decommissioning. Keep those elements separate in the change record: a successful technical step can still leave an inappropriate authorization, unavailable dependency, or incomplete audit trail. Scope decisions to a named owner, system, time window, and evidence source.
Practical workflow
inventory the non-human identity, map dependencies, set scope and expiry, test rotation readiness, monitor use, and retire all credentials and grants together. At each stage, decide whether the observed result is sufficient to continue, needs an owner question, or requires a bounded rollback or escalation. Avoid turning an unavailable log or delayed response into proof that no activity occurred.
Evidence and review checklist
- record owner, service, environment, credential type, secret or certificate location reference, privilege, expiration, rotation dependency, last use, and revocation evidence.
- Confirm the accountable owner, expected dependency, approved exception, and next review date.
- Test an ordinary permitted path and a relevant denial or expiry condition using approved accounts and non-sensitive data.
- Separate service availability symptoms from identity, policy, session, and logging outcomes.
Fictional operational example
A deployment automation identity has a long-lived key and broad production role. The team creates a scoped replacement, updates dependent jobs in a staged rollout, confirms monitoring, and revokes the old key only after the jobs complete.
Validation boundaries and failure modes
A non-human identity inventory should distinguish human-owned service accounts, application registrations, API keys, certificates, workload identities, managed identities, and CI/CD identities. Managed identity reduces some secret handling but still needs scoped authorization, ownership, monitoring, and a decommissioning decision.
Before closing a review, confirm the result with the system owner and retain a reference to the relevant configuration, event, approval, or test. Missing evidence should create a follow-up question, not an unsupported conclusion about safety, authorization, or exposure.
Focused review checklist
Rotation readiness means each dependency is known, a replacement can be deployed safely, monitoring can detect failure, and an emergency-revocation owner is available. Long-lived credentials increase exposure; short-lived or managed identity approaches still require scoped authorization, environment separation, and active monitoring.
Related Vuln Signal content
Read Privileged Access, TLS and Service Identity, JWT inspection, and Evidence Preservation.