OWASP NHI Top 10 – Improper Offboarding
Overview
Improper Offboarding refers to the failure to deactivate or remove non‑human identities (NHIs)—like service accounts, machine credentials, and access keys—when they are no longer needed. This lapse leads to dormant, orphaned, or vulnerable identities that significantly increase cybersecurity risk.
What Is Improper Offboarding?
In the context of the OWASP NHI Top 10 (2025), Improper Offboarding is ranked as the number one risk. It occurs when NHIs tied to deprecated applications, left behind by departing staff, or managed by personnel no longer responsible, remain active and unmonitored. Astrix defines such unrevoked identities as “stale,” “orphaned,” or “partially offboarded” NHIs—creating critical blind spots in SaaS environments.
How to properly offboard NHIs
- Identify all NHIs linked to applications or personnel.
- Deactivate or decommission NHIs tied to decommissioned systems or departed individuals.
- Transfer ownership and rotate credentials for NHIs still needed by remaining staff.
- Automate through IAM integration, connecting HR systems to identity platforms for real-time revocation.
- Audit and recertify periodically, implementing governance to flag unused or orphaned identities.
Audit findings often reveal active yet abandoned NHIs with elevated permissions—prime targets for ex‑employees or threat actors.
Why Does Improper Offboarding Matter?
Improper Offboarding creates highly exploitable risks:
- Dormant yet privileged identities can be leveraged for lateral movement within cloud environments or Kubernetes clusters.
- Former employees may exploit lingering access keys to remain undetected.
- Forgotten NHIs in non‑production systems create attack paths that generate little or no monitoring noise.
Business consequences include data breaches, system compromises, regulatory fines, and serious damage to trust and compliance posture.
Astrix’s Solution for Improper Offboarding
Astrix tackles Improper Offboarding with a turnkey “discover‑to‑decommission” pipeline:
- Discover Non‑Human Identities—automatically inventorying service accounts and credentials across cloud environments
- Detect Suspicious Non‑Human Activity to identify NHIs that haven’t been used or re‑approved
- NHI Remediation—streamlined revocation, rotation, and ownership reassignment workflows
Ready to eliminate orphaned and stale credentials before they become your next incident? See Astrix in action—book a live demo to learn how our platform automates end‑to‑end offboarding and governance for non‑human identities.
Learn more about the OWASP NHI Top 10 framework in Astrix’s introduction to the standard → Introducing the OWASP NHI Top 10.