Multi-tenancy is the design pattern that keeps multiple customer organisations isolated inside one application. For identity teams, the key issue is whether access, policy, and administration remain separable at the tenant level, or whether customer boundaries leak into support, logging, and provisioning workflows.
Expanded Definition
Multi-tenancy is not just shared infrastructure; in identity and access management it is the segregation model that decides whether one customer can ever influence another customer’s access, policy, telemetry, or administrative plane. In NHI operations, the term matters because service accounts, API keys, automation agents, and secrets often span application layers that do not map neatly to tenant boundaries. Usage in the industry is still evolving, and definitions vary across vendors when they describe tenant isolation, especially where support staff, control planes, and background jobs share components.
For practitioners, the practical question is whether tenant-scoped policy, provisioning, and audit evidence remain separable under operational load. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces governance around access control, continuous monitoring, and recovery expectations, even when an architecture is shared. In NHI programs, that means tenant metadata, secret boundaries, and admin roles must stay distinct from the workloads they serve. The most common misapplication is treating a logical customer label as isolation when shared tokens, logs, or provisioning queues still permit cross-tenant influence.
Examples and Use Cases
Implementing multi-tenancy rigorously often introduces operational overhead, requiring organisations to weigh stronger customer isolation against greater policy, logging, and support complexity.
- Separate tenant-scoped service accounts are created so automation can deploy resources in one customer environment without reusing credentials across others, reducing blast radius when a secret is exposed. This aligns with the visibility and lifecycle concerns highlighted in the Ultimate Guide to NHIs.
- Support teams use delegated administration with explicit tenant boundaries, so an operator can troubleshoot a case without gaining broad access to unrelated customer data. That pattern fits least-privilege expectations described in NIST Cybersecurity Framework 2.0.
- Logging pipelines tag every NHI action with tenant context, allowing security teams to prove which automation account changed which resource during an incident review.
- Secrets managers issue distinct credentials per tenant, rather than sharing one integration token across all customers, which reduces the chance that one compromise becomes a platform-wide event.
- CI/CD systems apply tenant-aware deployment rules so an agent or pipeline job can publish to the correct environment without cross-tenant write access.
Why It Matters in NHI Security
Multi-tenancy failures are especially dangerous in NHI environments because service identities often hold broad machine-to-machine access and can operate faster than human review cycles. When tenant boundaries blur, one leaked API key, one misrouted webhook, or one over-permissive agent credential can expose multiple customers at once. NHI governance depends on knowing where credentials live, who can rotate them, and whether admin tooling can see across tenants without creating a hidden privilege escalation path. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which makes tenant isolation even more important because overprivileged identities amplify the impact of a boundary failure.
This is also why zero trust conversations matter. Shared control planes can be acceptable only when policy enforcement, secret handling, and audit trails remain tenant-specific and continuously verified, consistent with the NIST Cybersecurity Framework 2.0 and zero trust principles. Organisations typically encounter the real cost of poor multi-tenancy only after a support incident, secret leak, or cross-tenant audit finding forces them to unwind shared access paths they assumed were harmless.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Tenant-shared secrets and overbroad NHI access are core improper secret management risks. |
| NIST CSF 2.0 | PR.AC | Multi-tenancy depends on access control and monitoring staying tenant-scoped. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumes every request is verified, which helps preserve tenant isolation. |
Separate secrets per tenant and review NHI scopes to prevent cross-customer exposure.
