Introducing Oasis NHI Provisioning: Transforming NHI Security from day 1

Shahar Zaguri


Director of Product Management

Published on April 28, 2025

Read Time: 8 minutes



Today, we’re thrilled to announce a major step forward in our vision for NHI management with the launch of Oasis NHI Provisioning, a new capability that transforms how Non-Human Identities (NHIs) are created, governed and secured from day one.

With Oasis, every NHI is secure by design: it is either provisioned with the right access, clear ownership and full policy enforcement, or it is a federated identity (such as a managed identity) with no credentials to manage at all. That delivers both security and developers’ freedom of choice from the start.

Taking NHI Provisioning from Afterthought to Foundation

With businesses increasingly driven by rapid development and innovation cycles, traditional identity and security practices have struggled to keep up. These cycles create a disconnect: developers prioritize speed to meet market demands, often at the expense of security. Security and development teams are frequently siloed by organizational culture and process, with developers focused on solving problems in code and security teams on protection. Security then gets treated as an afterthought, which both increases vulnerabilities and slows development when it has to be retrofitted.

In our previous blog post, we broke down the current state of NHI provisioning: fragmented processes, static secrets, and inconsistent enforcement. The status quo leaves organizations exposed to operational risk, misconfigurations, and breaches because NHIs are not governed from inception.

At Oasis, we believe security should never be an afterthought; it should be the foundation of everything we do. With today’s announcement of Oasis NHI Provisioning we are taking a major step forward in unlocking NHI governance from the very start. 

How Oasis NHI Provisioning works 

Oasis NHI Provisioning flips the traditional model on its head. We’ve built a cloud-agnostic (supporting Azure, GCP and AWS), on-prem, and vault-agnostic (integrating with HashiCorp Vault, Azure Key Vault, CyberArk, and more) solution that automates the provisioning of NHIs and their credentials on the infrastructure of your choice. It also lets you assign human owners (individuals or groups) and set security policies for rotation, decommissioning, and what happens when the asset owner leaves the organization, all from the start.

Oasis NHI Provisioning supports the creation of both credential-based and federated identities, offering flexibility of choice based on how resources are accessed and managed. Identities can either be created with credentials managed directly by Oasis or as federated identities, where access is granted through trust relationships, such as within the same cloud provider (e.g., using IAM roles / Managed identities) or across different providers using protocols like OIDC. This approach simplifies integration with cloud-native resources and external systems, helping teams adopt the right identity type for each use case without compromising on security or control.
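The federated option above removes the secret but moves the security decision into the trust relationship: whoever the external identity provider will vouch for can assume the role, so the trust policy is the control that needs to be right at creation time. The following is an added example (not Oasis code and not part of the original post) of a small linter for an AWS IAM role trust policy that federates to a GitHub Actions OIDC provider. It assumes the AWS JSON trust-policy shape and GitHub’s OIDC claim layout (`aud` pinned to `sts.amazonaws.com`, `sub` of the form `repo:<org>/<repo>:...`); the account ID, organization and repository names are constructed for illustration.

```python
"""Lint an OIDC trust policy for a credential-less (federated) NHI.

Added example, not Oasis code. Assumptions: AWS IAM trust-policy JSON and
GitHub Actions OIDC claims. A weak policy is shown beside a hardened one so
the difference in findings is visible.
"""
from dataclasses import dataclass

ASSUME_WEB = "sts:AssumeRoleWithWebIdentity"

# Constructed identifiers for the example (not real resources).
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"
EXPECTED_SUB_PREFIX = "repo:acme/payments:"   # only this repository may assume the role


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    message: str


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition: dict, key_suffix: str) -> list:
    """Return (operator, value) pairs for every condition key ending in key_suffix."""
    pairs = []
    for operator, key_values in condition.items():
        for key, values in key_values.items():
            if key.lower().endswith(key_suffix):
                pairs.extend((operator, str(v)) for v in _as_list(values))
    return pairs


def lint_oidc_trust_policy(policy: dict, provider_arn: str,
                           expected_aud: str, expected_sub_prefix: str) -> list:
    """Flag trust statements that let more than the intended workload assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or ASSUME_WEB not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or not isinstance(principal, dict) or "*" in _as_list(principal.get("Federated")):
            findings.append(Finding("high", "statement trusts any federated principal"))
            continue
        if provider_arn not in _as_list(principal.get("Federated")):
            findings.append(Finding("high", f"statement does not name the expected OIDC provider {provider_arn}"))
        condition = stmt.get("Condition", {})
        # aud must be an exact match, otherwise tokens minted for another audience are accepted.
        auds = _condition_values(condition, ":aud")
        if not any(op.startswith("StringEquals") and v == expected_aud for op, v in auds):
            findings.append(Finding("high", "no exact-match audience (aud) condition"))
        # sub must be present and scoped to the intended repository/branch.
        subs = _condition_values(condition, ":sub")
        if not subs:
            findings.append(Finding("high", "no subject (sub) condition; any identity the provider vouches for may assume the role"))
        for op, v in subs:
            if v == "*" or not v.startswith(expected_sub_prefix):
                findings.append(Finding("high", f"subject pattern {v!r} is outside the expected scope {expected_sub_prefix!r}"))
            elif op.startswith("StringLike") and "*" in v:
                findings.append(Finding("medium", f"subject pattern {v!r} uses a wildcard; pin the exact branch or environment"))
    return findings


# Weak setting: no audience check, and any repo in the org may assume the role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_WEB,
        "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/*"}},
    }],
}

# Hardened setting: audience pinned, subject pinned to one repository and branch.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_WEB,
        "Condition": {"StringEquals": {
            "token.actions.githubusercontent.com:aud": EXPECTED_AUD,
            "token.actions.githubusercontent.com:sub": "repo:acme/payments:ref:refs/heads/main",
        }},
    }],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_oidc_trust_policy(policy, PROVIDER_ARN, EXPECTED_AUD, EXPECTED_SUB_PREFIX))
```

The weak policy produces two high-severity findings (missing `aud` check, subject scoped to the whole organization) while the hardened one produces none; the same check can be run against a rendered Terraform plan or a provisioning request before the identity is created, which is the point at which the page argues policy should be enforced.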

Because provisioning is fully integrated into our platform, it works seamlessly with all the other capabilities (inventory, posture management, threat detection, automatic rotation and decommissioning, and so on), so that the entire lifecycle is managed and automated.

Let’s take a closer look at the Oasis NHI Provisioning workflow:

[Image: how Oasis NHI Provisioning works; example of provisioning an Azure service principal with Oasis]

Step 1: Request & Approval Workflow

Provisioning begins with a simple request, typically submitted by the Application Owner or the developer. Once submitted, the designated admin or process owner is notified to review and approve the request.

Oasis supports this workflow across multiple channels. Whether your organization provisions through infrastructure-as-code or relies on ticketing systems, we meet you where you are by integrating directly into your established processes. By establishing a standardized, governed approval flow, teams reduce back-and-forth, accelerate decisions, and ultimately shorten the time from idea to execution.

Step 2: Identity Generation

Once approved, Oasis takes over and handles the heavy lifting. It automatically creates the requested NHI in the designated identity provider within minutes, tags it as “created by Oasis”, and onboards it into Oasis identity lifecycle management (ILM) for automated governance.

Step 3: Secret generation and vaulting 

For credential-based identities we don’t stop at identity creation. We also generate the credentials and store them securely in your vault of choice, supporting native cloud key vaults, HashiCorp Vault, CyberArk, and more. To enable secure provisioning without giving up control, Oasis uses Oasis Outpost, a collector container deployed inside your cloud perimeter, so that sensitive identity operations such as secret generation and storage happen entirely within your infrastructure. This ensures that:

  • Privileged access to your infrastructure stays strictly within your perimeter
  • Secrets are generated and stored locally and securely
  • Communication between Oasis and the Outpost carries only control messages and metadata, never permissions, keys or secrets (i.e. it is not a backdoor or SSH tunnel into your environment)

This architecture provides a secure, compliant foundation for provisioning from day one, allowing you to automate critical workflows without exposing your secrets.

Step 4: Ownership Assignment

Every identity provisioned via Oasis is automatically assigned to an owner or to a group of owners. This eliminates the need to chase down owners later for attestation or cleanup tasks. In case of an incident or audit, you know exactly who’s responsible.

Step 5: Notification

Oasis ensures that all stakeholders remain informed throughout the identity lifecycle by providing timely, configurable notifications. Users can track the progress of their requests, from submission to successful provisioning, via their preferred communication channels such as email, Slack, or others selected in the request form.

For externally managed approvals (outside of Oasis), users are automatically notified through email or another supported platform of their choice. Notifications are sent for key events including request approval, identity creation, provisioning success, or any errors encountered, ensuring visibility and transparency at every stage of the process.

[Image: Oasis notification]

See it in action

How Oasis NHI Provisioning unlocks end-to-end governance

Once the identity is created, it becomes part of the Oasis Inventory and is fully governed by the Oasis policy-based ILM engine. Policies such as vaulting, secret rotation, ownership, and deprovisioning, set during the request phase, are enforced from day one, giving reliable and consistent enforcement.

Moreover, all the intelligence capabilities built into the platform are automatically activated for the new identity, providing:

  • Continuous monitoring for threat detection (Oasis Scout)
  • Hygiene checks and cleanup (Oasis Context Reconstruction Engine)
  • Ownership discovery and attestation
  • Posture analysis and risk management 

Why It Matters

It’s easy to see how Oasis NHI Provisioning enables drastically faster NHI deployment, but this new capability isn’t just about the operational efficiency of your provisioning process. Its bigger benefit is finally closing the security gap of ungoverned NHIs, with an approach that gives identity and security teams the control they need without degrading the developer experience.

Here are some of the most significant business outcomes you can unlock for your business:

  • Reduce risk proactively by preventing misconfigurations and identity sprawl before they become threats
  • Enable faster DevSecOps workflows by removing operational bottlenecks
  • Implement consistent governance with uniform policy enforcement across multi-cloud and hybrid environments
  • Enable audit-ready compliance by tracking every identity lifecycle event with complete traceability

Ready to see it in action? Request a demo or reach out to your customer team to get started.