Identity & Access Management

Non-Human Identity Security Policy

Darren Highfill
May 7, 2025

Note: This is the introduction to a 3-part series on non-human identity and implications for security policy. Links directly to each part of the series are at the bottom of this page.

Introduction

When you ask cybersecurity professionals about fundamental principles, most immediately go to the CIA triad of confidentiality, integrity, and availability. But identity is arguably even more foundational. Unique identification underpins every aspect of cybersecurity. We depend on understanding who did what: actors and actions.

Cybersecurity frameworks and policies to date have focused identity-related language on the human. We can talk at length about what people are allowed and forbidden to do. However, we have largely treated machines and their management as though they were simple property. In order to find machines responsible for their actions, you primarily had to look to sci-fi.

Yet the modern business world is increasingly made up of machines, both physical and virtual, taking actions on our behalf. And it’s gotten complicated. The days of easily saying, “Alice pushed button X, which caused machine 123 to do function Y” are long gone, lost in layers of virtual robot middlemen. Our environments are rich and thick with cross-functional processes, automated services talking to services, and agents of all kinds.

If we are to manage the surreal world of modern business effectively, we must be able to trace the actions of our digital proxies. It’s time we took a sci-fi step further as we project human concepts into digital space. It’s time to give our proxies identity.

In the following series of articles, we discuss the “why” and “how” of managing the security of identities for things other than people. Specifically, we will discuss “non-human identity” (NHI) and how frameworks and policy must treat it differently from human identity; the linkage between identity and secrets, specifically in the context of NHI; and ultimately, what NHI implies for security governance and policies.

Part 1: Non-Human v Human Identity

Part 2: Identity and Secrets

Part 3: Policy Implications
