Governance
All NHI
GRC Lead

Produce audit-ready ISO 27001 evidence for every non-human identity, continuously and on demand

Quick Summary: ISO 27001 auditors increasingly ask for evidence of non-human identity governance — credential inventories, access scopes, ownership records — that most teams can only assemble manually in the days before an audit. Oleria, an AI-native identity security & governance platform, continuously maintains ISO 27001-aligned NHI evidence and generates it on demand.

Outcome

ISO 27001:2022 access control requirements apply to every identity - human and non-human alike - yet most evidence packs still cover only humans. Oleria closes that gap by continuously assembling per-NHI evidence mapped to the relevant Annex A controls, so your next audit is ready when the auditor arrives.

The reality

ISO 27001:2022 reorganized Annex A into four themes - organizational, people, physical, and technological. Access control now spans controls 5.15-5.18 and 8.2-8.5, and the language applies to identities broadly, not just human accounts. Most ISO programs still treat NHIs as a configuration concern rather than an identity-management concern, which means their evidence packs have a systematic gap that auditors are increasingly trained to find.

When an auditor asks for access review evidence on a specific service account or API key, the typical response is silence or a spreadsheet assembled the night before. The underlying NHI data exists in various systems - IdPs, cloud consoles, secrets managers - but it has never been aggregated, mapped to controls, or tied to an audit cycle. The result is a finding, a caveat in the auditor's report, or a last-minute scramble that erodes confidence in the program.

What you get with Oleria

Oleria continuously collects, normalizes, and maps NHI lifecycle data to ISO 27001 controls so that evidence is always current and always structured for an auditor.

Per-Annex-A-control evidence

Every NHI carries per-control evidence covering 5.15 (access control policy), 5.16 (identity management), 5.17 (authentication information), 5.18 (access rights), 8.2 (privileged access rights), 8.3 (information access restriction), and 8.5 (secure authentication). Each record is timestamped and tied to the specific NHI, owner, and review event.

ISO audit-cycle alignment

Evidence accumulates continuously against named audit cycles. At surveillance or recertification time, you filter by cycle and export - no manual aggregation required. The auditor sees current evidence, not a reconstructed snapshot.

Stage 1 and Stage 2 support

Stage 1 documentation reviews get policy-level evidence showing that access management processes exist and cover NHIs. Stage 2 operational effectiveness tests get per-NHI detail: who owns it, what scope it holds, when it was reviewed, and what changed.

Cross-framework reuse

ISO 27001 evidence shares structure with SOC 2, ISO 27017, and ISO 27018. Oleria labels the same per-NHI records for each framework, eliminating duplicate collection cycles when you carry more than one certification.

AT A GLANCE

  • Per-control evidence mapping: Links each NHI to the specific ISO 27001:2022 Annex A controls it satisfies (5.15-5.18, 8.2-8.5)
  • Continuous evidence assembly: Evidence accrues in real time so surveillance and recertification audits get current data at export
  • Stage 1 and Stage 2 depth: Policy-level evidence for Stage 1 documentation reviews; per-NHI operational detail for Stage 2 effectiveness testing
  • Cross-framework reuse: The same per-NHI records are re-labeled for SOC 2, ISO 27017, and ISO 27018 without duplicate data collection

How it works

  1. Connect - Oleria ingests your NHI inventory and lifecycle events from IdPs, cloud platforms, secrets managers, and CI/CD systems.
  2. Map - Each NHI record is automatically categorized against the relevant ISO 27001:2022 Annex A controls based on identity type, privilege level, and authentication method.
  3. Generate - Evidence assembles continuously against your named audit cycles; apply cycle filters and export at any time with full control references and timestamps.
  4. Deliver - Hand the structured evidence pack directly to your auditor or internal compliance team, with Stage 1 and Stage 2 depth pre-separated.
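The four steps above, worked as an added example that is not Oleria's code and does not describe its internal data model. The script constructs a small NHI inventory inline, maps each record to the Annex A controls the page lists (5.15-5.18, 8.2, 8.3, 8.5) with mapping rules that are an assumption for illustration, assembles evidence for one named audit cycle, optionally narrows it to an auditor's sample list, and stamps the export with a framework label. NHIs that cannot be evidenced (no recorded owner, no review on record) are reported as gaps rather than silently dropped, since those are exactly what would become a finding.

```python
"""Added illustrative NHI-to-ISO 27001:2022 evidence mapper (not Oleria's code).

Pipeline demonstrated: ingest -> map to Annex A controls -> filter by audit
cycle and auditor sample -> export with a framework label.  Mapping rules,
record shapes and sample data are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Annex A access control and identity management controls named on the page.
ANNEX_A = {
    "5.15": "Access control policy",
    "5.16": "Identity management",
    "5.17": "Authentication information",
    "5.18": "Access rights",
    "8.2": "Privileged access rights",
    "8.3": "Information access restriction",
    "8.5": "Secure authentication",
}

# Authentication methods that carry a long-lived secret (assumed categories).
SECRET_AUTH = {"key", "client_secret", "password"}


@dataclass(frozen=True)
class NHI:
    """One non-human identity as ingested from an IdP, cloud or secrets manager."""
    nhi_id: str
    kind: str                     # "service_account", "api_key", "oauth_client", ...
    owner: Optional[str]          # None means no owner on record
    scope: str                    # declared access scope
    privileged: bool
    auth_method: str              # "key", "client_secret", "workload_identity", ...
    data_classification: str      # "public", "internal", "restricted"
    last_review: Optional[date]   # None means never reviewed
    review_outcome: Optional[str]
    audit_cycle: str


def map_controls(nhi: NHI) -> list:
    """Assumed rules: choose controls by identity type, privilege and auth method.

    Every NHI needs policy, identity-management and access-rights evidence;
    secret-bearing credentials add authentication controls; privileged scope
    adds 8.2; access to restricted data adds 8.3.
    """
    controls = ["5.15", "5.16", "5.18"]
    if nhi.auth_method in SECRET_AUTH:
        controls += ["5.17", "8.5"]
    if nhi.privileged:
        controls.append("8.2")
    if nhi.data_classification == "restricted":
        controls.append("8.3")
    # Sort numerically so "8.2" does not sort after "8.5" as a string would.
    return sorted(controls, key=lambda c: tuple(int(p) for p in c.split(".")))


def build_pack(nhis, cycle: str, framework: str = "ISO 27001", sample_ids=None):
    """Assemble per-control evidence for one audit cycle.

    Returns (records, gaps).  `sample_ids` narrows the pack to an auditor's
    sample; `framework` is only a label, the underlying records are identical.
    """
    records, gaps = [], []
    for nhi in nhis:
        if nhi.audit_cycle != cycle:
            continue
        if sample_ids is not None and nhi.nhi_id not in sample_ids:
            continue
        if nhi.owner is None or nhi.last_review is None:
            reason = "no owner on record" if nhi.owner is None else "no review on record"
            gaps.append({"nhi": nhi.nhi_id, "reason": reason})
            continue
        for control in map_controls(nhi):
            records.append({
                "framework": framework,
                "cycle": cycle,
                "nhi": nhi.nhi_id,
                "owner": nhi.owner,
                "scope": nhi.scope,
                "control": control,
                "control_name": ANNEX_A[control],
                "reviewed_on": nhi.last_review.isoformat(),
                "outcome": nhi.review_outcome,
            })
    return records, gaps


# Constructed sample inventory (not real identities).
SAMPLE_NHIS = [
    NHI("sa-billing-01", "service_account", "team-finance", "billing-db:read",
        False, "workload_identity", "restricted", date(2024, 3, 1), "approved", "recert-2024"),
    NHI("key-deploy-01", "api_key", "team-platform", "k8s:cluster-admin",
        True, "key", "internal", date(2024, 2, 15), "approved", "recert-2024"),
    NHI("oauth-crm-01", "oauth_client", None, "crm:contacts.read",
        False, "client_secret", "restricted", date(2024, 1, 10), "approved", "recert-2024"),
    NHI("sa-legacy-99", "service_account", "team-data", "warehouse:read",
        False, "password", "internal", None, None, "surveillance-2023"),
]

if __name__ == "__main__":
    recs, gaps = build_pack(SAMPLE_NHIS, "recert-2024")
    print(f"{len(recs)} evidence records, {len(gaps)} gaps")
    for g in gaps:
        print("GAP:", g)
```

The `gaps` list is the part worth keeping in any real implementation: an evidence pack that quietly omits unowned or unreviewed NHIs looks complete until the auditor's sample lands on one of them.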

What Oleria delivers

Oleria generates complete ISO 27001 NHI Compliance Evidence for every Annex A access control, keeping your program audit-ready around the clock.

What it looks like in your environment

Your ISO recertification is three weeks out. The lead auditor sends a sample of 40 NHIs - service accounts, API keys, and OAuth credentials - and asks for access review evidence tied to Annex A controls 5.18 and 8.2. In a typical environment that request triggers a multi-team scramble across cloud consoles, IdP logs, and ticket systems. With Oleria, the GRC lead applies the auditor's NHI list as a filter, selects the ISO 27001 evidence view, and exports a structured pack in under ten minutes. Each record shows the NHI, its owner, its declared scope, the last review date and outcome, and the specific control reference. The auditor closes the sample without findings.

What good looks like

  • Every ISO 27001:2022 access control is evidenced per NHI, not just per human account.
  • ISO surveillance audits pass the NHI evidence sample without a last-minute scramble.
  • Recertification cycles complete without NHI-related findings or auditor caveats.
  • The "NHIs are out of scope" admission is replaced by a complete, structured evidence pack that covers both humans and non-humans.

Your next ISO 27001 audit shouldn't depend on a last-minute evidence sprint.

Gartner's Market Guide for Identity Governance and Administration maps how leading platforms automate NHI compliance evidence across ISO 27001 and beyond — see where IGA is heading.

Frequently Asked Questions

What is a non-human identity (NHI)?

A non-human identity is any credential or identity principal that is not directly tied to a human user session - service accounts, API keys, OAuth clients, machine tokens, CI/CD pipeline credentials, and similar. They authenticate and access systems just as humans do, but are rarely subject to the same governance controls.

Which ISO 27001:2022 controls does Oleria cover for NHIs?

Oleria generates evidence for the access control and identity management controls in the organizational theme (5.15-5.18) and the technological theme (8.2, 8.3, 8.5). These are the controls auditors focus on when assessing whether NHI access is managed with appropriate rigor.

How does this differ from SOC 2 NHI evidence?

SOC 2 follows AICPA Trust Services Criteria; ISO 27001 follows ISO Annex A. The underlying NHI data Oleria collects is the same - ownership, scope, review history, lifecycle events. The difference is the framework label applied at export. If you carry both certifications, the same evidence set supports both packs.

What about ISO 27017 and ISO 27018 (cloud and PII extensions)?

ISO 27017 adds cloud-specific controls and ISO 27018 adds PII-in-cloud controls. Both share the access control foundation of ISO 27001. Oleria's per-NHI evidence supports the access control controls common to all three; the cloud- and PII-specific extensions build on the same data.

Do we need to be ISO 27001 certified to use this capability?

No. The per-NHI evidence is useful for any access governance program. ISO 27001 certification is one destination for that evidence, but the continuous inventory, ownership tracking, and review records are independently valuable regardless of certification status.