EVIDENCE TRAIL
NHI lifecycle management — provision, rotate, audit, decommission
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The OWASP NHI Top 10 (2025) supplies the closest named controls: NHI1 (Improper Offboarding) covers decommission and re-attestation; NHI7 (Long-Lived Secrets) covers rotation. The MDX page cites "NIST AI 600-1 MEASURE-2.6" for identity lifecycle — that is a misattribution; MEASURE 2.6 covers content/safety evaluation. The correct NIST 800-53 anchor is AC-2 Account Management.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Non-Human Identities Top 10 (2025) — NHI1: Improper Offboarding
§NHI1:2025 Improper Offboarding — How to Prevent
"Periodically recertify NHIs to confirm they are still in use, actively needed, and have valid owners. Decommission any identities found to no longer be needed, and ensure all NHIs have assigned owners."
Supports: Verbatim statement of the re-attestation and decommission lifecycle steps this control mandates. NHI1 is the closest upstream source for the "periodically recertify → decommission orphans" principle.
Does not prove: Framed around employee offboarding, not agentic AI lifecycle specifically. Does not address rotation cadence or short-lived credential primitives.
OWASP Non-Human Identities Top 10 (2025) — NHI7: Long-Lived Secrets
§NHI7:2025 Long-Lived Secrets — Prevention
"Many cloud platforms like AWS and Azure provide built-in mechanisms to use temporary credentials that automatically expire."
Supports: Directly names long-lived secrets as a top-10 NHI risk class and points to short-lived / auto-expiring credentials as the mitigation primitive. Validates the "rotation" and "short-lived credential default" emphasis in this control.
Does not prove: Does not provide a minimum rotation TTL or a specific rotation schedule. The CSA statistic cited in this section ("45% of NHI incidents caused by non-rotation") appears in the NHI7 document but is sourced from the CSA NHI report, not from OWASP itself.
OWASP Agentic AI — Threats & Mitigations v1.1
§Threat Landscape — Privilege and Identity section (precedes T3 table entry)
"Additionally, Non-Human Identities (NHI)—such as machine accounts, service identities, and agent-based API keys—play a key role in agentic AI security. Agents often operate under NHIs when interfacing with cloud services, databases, and external tools. Unlike traditional user authentication, NHIs may lack session-based oversight, increasing the risk of privilege misuse or token abuse if not carefully managed."
Supports: Verbatim identification of agent NHIs as a distinct risk class requiring lifecycle management. Confirms the threat model (privilege misuse, token abuse) that this control directly addresses.
Does not prove: Does not specify rotation cadence or a decommission process. The T3 and T9 table entries describe the threat; the mitigation column names least-privilege and monitoring, not lifecycle discipline specifically.
OWASP Agentic AI — Threats & Mitigations v1.1
§Mitigation Playbook P4 Auth/Identity/Privilege — Step 1: Enforce Agent Identity & Authentication Boundaries
"Limit AI credential persistence. Ensure that AI-generated credentials are temporary and expire after short timeframes to reduce exploitation risk."
Supports: Verbatim statement of the short-TTL credential principle that underpins the Rotation lifecycle phase. Aligns with the Helmwart T2 claim that "static long-lived secrets are a smell."
Does not prove: Does not address provisioning governance, audit logging, re-attestation, or the decommission phase. Narrow in scope to credential TTL only.
MITRE ATLAS AML.M0026 — Privileged AI Agent Permissions Configuration
AML.M0026 — full mitigation description
"AI agents may be granted elevated privileges above that of a normal user to enable desired workflows. When deploying a privileged AI agent, or an agent that interacts with multiple users, it is important to implement robust policies and controls on permissions of the privileged agent. These controls include Role-Based Access Controls (RBAC), Attribute-Based Access Controls (ABAC), and the principle of least privilege so that the agent is only granted the necessary permissions to access tools and resources required to accomplish its designated task(s)."
Supports: Names privileged agent identity permissions as a distinct ATLAS mitigation class and specifies RBAC/ABAC + least-privilege as the controls. Validates the provisioning-with-narrow-scope lifecycle phase.
Does not prove: Does not discuss rotation, re-attestation, audit, or decommission. Focuses on access policy at deployment time, not ongoing lifecycle management.
MITRE ATLAS AML.M0019 — Control Access to AI Models and Data in Production
AML.M0019 — full mitigation description
"Require users to verify their identities before accessing a production model. Require authentication for API endpoints and monitor production model queries to ensure compliance with usage policies and to prevent model misuse."
Supports: Names authentication enforcement and continuous query monitoring as production-environment controls — the same identity + audit posture this lifecycle control prescribes.
Does not prove: Scoped to model-access authentication, not NHI rotation or decommission. Does not address service-account lifecycle, short-lived credentials, or orphan cleanup.
NIST SP 800-53 Rev. 5 — AC-2 Account Management
AC-2 Control items (f), (h)(1), (h)(2), (j)
"Create, enable, modify, disable, and remove accounts in accordance with [organization-defined policy, procedures, prerequisites, and criteria] … Notify account managers … when accounts are no longer required … when users are terminated or transferred … Review accounts for compliance with account management requirements."
Supports: Canonical definition of account lifecycle (create → disable → remove) with owner-notification and periodic review. AC-2(3) adds: "Disable accounts … when no longer associated with a user or individual." These are the same lifecycle phases (provision, audit, decommission) this Helmwart control applies to NHIs.
Does not prove: AC-2 addresses human and system accounts generically; it does not name NHIs, agent identities, or AI-specific rotation cadences. The MDX cites "NIST AI 600-1 MEASURE-2.6" for this control — that is a misattribution: MEASURE 2.6 covers content/safety evaluation, not identity lifecycle. The correct NIST AI 600-1 anchor for security controls is MEASURE 2.7 (security and resilience evaluation), but even that is not NHI-specific.
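As an added illustration (not code from Helmwart or from any cited source), the following sketch applies the NHI1 recertification and ownership checks and the NHI7 long-lived-secret check to an inventory, then picks an AC-2 style disposition. The record fields, the identity names and all three thresholds are assumptions, since none of the quoted sources sets a cadence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values: none of the sources quoted on this page sets a cadence.
RECERT_INTERVAL = timedelta(days=90)      # how often an owner must re-attest
IDLE_LIMIT = timedelta(days=60)           # unused this long = "no longer needed"
MAX_SECRET_LIFETIME = timedelta(days=30)  # issued-to-expiry window allowed

@dataclass
class NHI:  # hypothetical inventory record
    name: str
    owner: Optional[str]
    last_recertified: datetime
    last_used: Optional[datetime]
    secret_issued: datetime
    secret_expires: Optional[datetime]  # None = static secret that never expires

def findings(nhi: NHI, now: datetime) -> list[str]:
    out = []
    if not nhi.owner:
        out.append("no-owner")              # NHI1: every NHI has an assigned owner
    if now - nhi.last_recertified > RECERT_INTERVAL:
        out.append("recert-overdue")        # NHI1: periodic recertification
    if nhi.last_used is None or now - nhi.last_used > IDLE_LIMIT:
        out.append("unused")                # NHI1: decommission candidate
    if nhi.secret_expires is None:
        out.append("non-expiring-secret")   # NHI7: secret with no expiry at all
    elif nhi.secret_expires - nhi.secret_issued > MAX_SECRET_LIFETIME:
        out.append("long-lived-secret")     # NHI7: expiry exists but is too far out
    return out

def disposition(found: list[str]) -> str:
    # Follows the create -> disable -> remove order: unused identities are disabled first.
    return "disable" if "unused" in found else ("remediate" if found else "ok")

def review(inventory: list[NHI], now: datetime) -> dict[str, tuple[str, list[str]]]:
    return {n.name: (disposition(f), f) for n in inventory for f in [findings(n, now)]}

d = lambda *a: datetime(*a, tzinfo=timezone.utc)  # UTC timestamp helper
NOW = d(2025, 6, 1)  # fixed clock so the result is reproducible
INVENTORY = [  # constructed sample records, not real identities
    NHI("ci-deployer", "platform-team", d(2025, 5, 1), d(2025, 5, 30), d(2025, 5, 31, 23, 30), d(2025, 6, 1, 0, 30)),
    NHI("report-agent", None, d(2024, 11, 1), d(2025, 1, 10), d(2023, 3, 1), None),
    NHI("etl-agent", "data-eng", d(2025, 4, 15), d(2025, 5, 31), d(2025, 1, 1), d(2026, 1, 1)),
]
if __name__ == "__main__":
    for name, (action, why) in review(INVENTORY, NOW).items():
        print(f"{name:14} {action:10} {', '.join(why) or '-'}")
```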