An authorisation approach that changes access decisions based on context such as device posture, location, or session risk. Unlike static role-based rules, it can step up, limit, or deny access as conditions shift during the session.
Expanded Definition
Dynamic Access Policy is a context-aware authorisation pattern used to adjust NHI access in real time. Rather than relying only on a fixed RBAC assignment, the policy engine evaluates signals such as device posture, source network, geolocation, workload identity, and session risk before allowing, limiting, or stepping up access. In practice, this sits inside a broader Zero Trust model and is often paired with PAM, JIT, and ZSP controls. Definitions vary across vendors, and no single standard governs this yet, but the operational idea is consistent: privilege should track current risk, not just assigned role. NIST's Cybersecurity Framework 2.0 supports this risk-based approach by emphasising continuous governance, protection, and response. For NHI teams, the policy must also account for machine-to-machine trust, token lifetime, and secret exposure, not only human login behaviour. The most common misapplication is treating dynamic policy as a one-time conditional login gate: the organisation evaluates context at authentication but never re-evaluates it during an active session.
Examples and Use Cases
Implementing Dynamic Access Policy rigorously often introduces latency and policy complexity, requiring organisations to weigh tighter control against more frequent access interruptions.
- A service account is allowed to call production APIs only when the workload is running from an approved cluster and the session token is newly issued.
- An AI Agent receives read-only access by default, then is stepped up to a narrow write permission only after a human approval and a low-risk session score.
- A secrets retrieval request is denied when the requesting host fails posture checks, then approved once the device is remediated and re-attested.
- An admin session is reduced to view-only access when the request originates outside the corporate region or during anomalous hours.
- An entitlement review uses guidance from the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the OWASP Non-Human Identity Top 10 to ensure access changes follow identity lifecycle events, not just ticket closure.
These scenarios show why the policy is especially valuable for NHIs exposed to ephemeral infrastructure, third-party workflows, and highly privileged automation. It is most effective when access decisions are refreshed continuously and documented clearly for auditability.
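As an added illustration (not code from this page, from NHI Mgmt Group, or from any vendor's policy engine), the following Python module encodes the scenarios listed above together with the expanded definition's point that context is re-evaluated on every request rather than only at login. The signal names, the approved cluster and corporate region values, the token-age and risk thresholds, and the business-hours window are all constructed assumptions for the example.

```python
"""Toy dynamic (context-aware) access policy engine for non-human identities.

Added example; the policy constants below are constructed assumptions,
not values from any real environment.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Effect(Enum):
    ALLOW = "allow"        # grant the requested scope
    LIMIT = "limit"        # grant a narrower scope (e.g. view-only)
    STEP_UP = "step_up"    # an extra control is required before granting
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals evaluated on every request, not only at session start."""
    principal: str            # "service_account", "ai_agent" or "admin"
    cluster: str              # cluster the workload is running from
    token_age_s: int          # seconds since the session token was issued
    posture_ok: bool          # host passed its posture check
    attested: bool            # host holds a current attestation
    region: str               # source region of the request
    hour: int                 # local hour of day, 0-23
    risk_score: float         # 0.0 (low) .. 1.0 (high) session risk
    human_approved: bool = False  # a human approved a step-up for this request


@dataclass(frozen=True)
class Decision:
    effect: Effect
    scope: str
    reason: str


# Constructed policy constants (assumptions for this example).
APPROVED_CLUSTERS = {"prod-eu-1"}
CORPORATE_REGION = "eu"
BUSINESS_HOURS = range(8, 19)
MAX_TOKEN_AGE_S = 300
LOW_RISK = 0.3


def evaluate(ctx: Context, action: str) -> Decision:
    """Map (context, requested action) to an effect; default is deny."""
    # Posture gate applies to every principal: a failing host gets nothing
    # until it has been remediated and re-attested.
    if not (ctx.posture_ok and ctx.attested):
        return Decision(Effect.DENY, "none", "host failed posture or attestation")

    if ctx.principal == "service_account" and action == "call_prod_api":
        if ctx.cluster not in APPROVED_CLUSTERS:
            return Decision(Effect.DENY, "none", "workload not on an approved cluster")
        if ctx.token_age_s > MAX_TOKEN_AGE_S:
            return Decision(Effect.DENY, "none", "session token not newly issued")
        return Decision(Effect.ALLOW, "prod_api", "approved cluster and fresh token")

    if ctx.principal == "ai_agent":
        if action == "read":
            return Decision(Effect.ALLOW, "read", "agents receive read-only by default")
        if action == "write":
            if ctx.human_approved and ctx.risk_score <= LOW_RISK:
                return Decision(Effect.ALLOW, "write:narrow", "human approval and low risk")
            return Decision(Effect.STEP_UP, "read", "write needs approval and low risk")

    if ctx.principal == "admin":
        if ctx.region != CORPORATE_REGION or ctx.hour not in BUSINESS_HOURS:
            return Decision(Effect.LIMIT, "view", "outside corporate region or hours")
        return Decision(Effect.ALLOW, "admin", "in region during business hours")

    return Decision(Effect.DENY, "none", "no matching rule")


class Session:
    """Runs the policy on each request so a change in context mid-session
    changes the effective access (the misapplication is to evaluate once)."""

    def __init__(self):
        self.history = []

    def request(self, ctx: Context, action: str) -> Decision:
        decision = evaluate(ctx, action)
        self.history.append(decision)
        return decision


def vary(ctx: Context, **changes) -> Context:
    """Return a copy of ctx with some signals changed (convenience helper)."""
    return replace(ctx, **changes)


# Constructed baseline context for a healthy service-account workload.
BASE_CTX = Context(principal="service_account", cluster="prod-eu-1", token_age_s=30,
                   posture_ok=True, attested=True, region="eu", hour=10, risk_score=0.1)


def demo_posture_drift():
    """One session whose host posture and token freshness change over time."""
    s = Session()
    s.request(BASE_CTX, "call_prod_api")                            # allow
    s.request(vary(BASE_CTX, posture_ok=False), "call_prod_api")    # deny
    s.request(vary(BASE_CTX, token_age_s=900), "call_prod_api")     # deny (stale token)
    s.request(BASE_CTX, "call_prod_api")                            # allow again
    return [d.effect.value for d in s.history]


if __name__ == "__main__":
    print(demo_posture_drift())
```

The point of the `Session` wrapper is that nothing is cached from the first decision: the same workload is allowed, then denied when posture drops or the token ages past the threshold, then allowed again once it is remediated and re-attested, which is the behaviour the expanded definition contrasts with a one-time login gate.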
Why It Matters in NHI Security
Dynamic Access Policy matters because NHI compromise often begins with static, overbroad privilege that remains usable long after the original context has changed. NHI Mgmt Group’s Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which makes context-sensitive enforcement a practical defense against lateral movement and credential abuse. The same risk lens appears in the Top 10 NHI Issues, where weak visibility and poor lifecycle control repeatedly amplify exposure. For governance teams, dynamic policy helps turn broad standing access into bounded access that can be narrowed when posture degrades, secrets are suspected to leak, or an agent behaves unexpectedly. It also supports better alignment with Zero Trust Architecture and with the operational expectations described in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives. Organisations typically encounter the need for dynamic access only after a service account is abused, at which point the policy becomes operationally unavoidable to contain the incident.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Section 2.1 | Zero Trust requires continuous verification, which is the core logic behind dynamic access decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Context-aware authorization helps reduce excessive privilege and standing access for NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed and enforced based on risk, not static assignment alone. |
Use dynamic policy to constrain NHI permissions to the minimum needed for each session.