A model where users control portable credentials and present them to applications for verification. Instead of one organisation holding all identity data, trust is distributed across issuers, wallets, and relying parties, which changes how access decisions, recovery, and account linking must be governed.
Expanded Definition
Decentralized identity is an identity model in which credentials are issued by trusted parties, stored in a user-controlled wallet, and presented to relying parties for verification. In practice, the term is used across wallet-based identity, verifiable credentials, and selective disclosure patterns, though definitions vary across vendors and no single standard governs this yet. The distinction from traditional federated identity is governance: the application no longer depends on one directory holding the full identity record, but instead validates claims from issuers and trust frameworks.
For NHI security, the model matters because non-human identities can also present portable credentials, not just people. That changes how service onboarding, recovery, revocation, and account linking are designed, especially when an NIST Cybersecurity Framework 2.0 control set is being mapped to decentralized trust flows. NHI Management Group documents the operational consequences of weak identity governance in the Ultimate Guide to NHIs, where identity sprawl and weak lifecycle control are recurring themes. The most common misapplication is treating decentralized identity as a privacy feature only, which occurs when teams deploy wallets without defining issuer trust, revocation, and recovery rules.
Examples and Use Cases
Implementing decentralized identity rigorously often introduces trust-governance complexity, requiring organisations to weigh portability and privacy against issuer coordination and support overhead.
- A contractor presents a verifiable credential from a background-check issuer, and the relying party verifies it without collecting extra personal data.
- An AI agent uses a wallet-backed credential to prove it is authorised to access a workflow tool, with policy tied to issuer trust and expiry rather than a central directory lookup.
- A partner platform accepts a portable membership credential, reducing repeated account creation while preserving selective disclosure for only the attributes required.
- A machine-to-machine service presents a signed credential during onboarding, then rotates or revokes that credential when the workload is retired, similar to the lifecycle discipline described in the Top 10 NHI Issues.
- A security team studies breach patterns such as the JetBrains GitHub plugin token exposure to understand how portable credentials can still fail when issuance, storage, or revocation is weak.
These use cases align with verifiable credential thinking in NIST Cybersecurity Framework 2.0, but the operational details still depend on local governance. NHI Management Group also explores adjacent identity failures in the 52 NHI Breaches Analysis, which is useful when evaluating whether a decentralized design actually reduces risk.
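The relying-party check the use cases above describe, where policy is tied to issuer trust, expiry and revocation rather than a central directory lookup, as an added example that is not from this page or from NHI Management Group. The credential layout, the issuer and workload names, and the `Verifier` type are assumptions; the proof is a plain Ed25519 signature over the credential's JSON encoding, not a standard verifiable-credential proof format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Credential is a simplified portable credential for a workload (constructed
// for this example, not a real VC data model). The issuer signs its JSON form.
type Credential struct {
	ID      string    `json:"id"`
	Issuer  string    `json:"issuer"`
	Subject string    `json:"subject"`
	Expires time.Time `json:"expires"`
}

// Issue returns the issuer's Ed25519 signature over the credential.
func Issue(c Credential, key ed25519.PrivateKey) []byte {
	b, _ := json.Marshal(c) // these field types always marshal
	return ed25519.Sign(key, b)
}

// Verifier is the relying party's local policy: trusted issuer keys, revoked
// credential IDs and a clock. Nothing here consults a central directory.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
	Now     func() time.Time
}

// Verify enforces issuer trust, signature validity, expiry and revocation,
// in that order, and reports the first policy failure it finds.
func (v Verifier) Verify(c Credential, sig []byte) error {
	pub, ok := v.Trusted[c.Issuer]
	if !ok {
		return errors.New("untrusted issuer " + c.Issuer)
	}
	if b, _ := json.Marshal(c); !ed25519.Verify(pub, b, sig) {
		return errors.New("invalid signature")
	}
	if !v.Now().Before(c.Expires) {
		return errors.New("credential expired")
	}
	if v.Revoked[c.ID] {
		return errors.New("credential revoked")
	}
	return nil
}
```

Retiring a workload is modelled by adding its credential ID to `Revoked`; the same signed credential is then rejected even though its signature and expiry are still good.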
Why It Matters in NHI Security
Decentralized identity can improve portability, reduce central data concentration, and support finer-grained disclosure, but it can also create new failure modes if issuers, wallets, and relying parties do not share consistent trust assumptions. For NHI programs, the key question is not whether a credential is decentralized, but whether the organisation can still prove who issued it, who may use it, and how quickly it can be revoked. That is especially important because NHI Management Group reports that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, and the broader Ultimate Guide to NHIs — What are Non-Human Identities shows how identity governance failures compound across the lifecycle.
When decentralization is poorly governed, teams often assume privacy-enhancing architecture has also solved authentication, access review, and recovery. It has not. The practical challenge is to connect decentralized credentials to enforceable policy, including rotation, attestation, and least privilege, while preserving trust boundaries across internal and third-party systems. Organisations typically encounter that problem only after a credential is lost, an issuer is disputed, or a workload cannot be recovered, at which point decentralized identity becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | Sets assurance expectations that help validate credential strength in wallet-based identity flows. |
| NIST Zero Trust (SP 800-207) | PL-2 | Zero Trust requires explicit verification, which decentralized identity must preserve across issuers and relying parties. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential lifecycle risk that still applies when identities become portable. |
Govern issuance, storage, rotation, and revocation for non-human credentials in decentralized workflows.