Protocol mediation is the use of an access layer that terminates one side of a session and relays approved actions to the target system. In industrial environments, it allows security policy to sit between the user and the asset, but it also creates a control point that must be audited and protected.
Expanded Definition
Protocol mediation is an access pattern where a controlling layer terminates a client session, interprets the request, and relays only approved actions to the downstream system. In NHI and industrial control environments, this pattern is often used to place policy, inspection, and logging between an agent or operator and a sensitive asset, rather than allowing direct connectivity. It differs from simple network forwarding because the intermediary can validate commands, normalize protocol behavior, and enforce context-aware restrictions before anything reaches the target.
Usage in the industry is still evolving. Some teams treat protocol mediation as a gateway function, while others implement it as a broker, proxy, or session controller. The security value is real, but the design must be explicit about what is being mediated: commands, sessions, credentials, or full protocol states. For governance context, the NIST Cybersecurity Framework 2.0 is helpful for mapping this control to access oversight and monitoring outcomes. The most common misapplication is assuming a generic reverse proxy is true protocol mediation, which occurs when the layer relays traffic without validating the action semantics or preserving audit evidence.
Examples and Use Cases
Implementing protocol mediation rigorously often introduces latency and operational complexity, requiring organisations to weigh tighter control and safer command execution against troubleshooting overhead and protocol compatibility constraints.
- A manufacturing engineer connects to a PLC through a mediation layer that allows only pre-approved commands and records each session for later review, reducing direct exposure of the asset.
- An agentic workflow sends requests to a database through a policy gateway that strips unsafe operations and enforces read-only behavior for routine analytics tasks.
- A remote vendor session is mediated so that credentials never reach the target system directly, which helps contain risk when third-party access is unavoidable. For incident context, see the Schneider Electric credentials breach.
- A service account authenticates to an API through a broker that logs every request and blocks unknown endpoints, aligning protocol use with policy rather than trusting the caller blindly.
- In high-value environments, mediation is paired with Zero Trust principles and tool-specific authorization checks, often borrowing control language from the NIST Cybersecurity Framework 2.0.
NHIMG research on the New York Times breach shows how identity exposure can become an operational problem when access paths are not tightly mediated and reviewed.
Why It Matters in NHI Security
Protocol mediation matters because it converts raw connectivity into a governed control point for NHI activity. Without it, service accounts, API keys, and agent sessions can interact with targets directly, making it harder to enforce least privilege, detect misuse, or separate approved automation from unsafe behavior. In NHI environments, that direct path is especially dangerous because machine identities often outnumber human identities by 25x to 50x, and unmanaged access paths multiply the blast radius of compromise. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why mediation is not just an architecture choice but a containment strategy tied to real breach patterns.
Protocol mediation also supports auditability after the fact. When every session is brokered, investigators can reconstruct what was attempted, what was blocked, and which policy decision allowed or denied the action. That becomes critical after secrets leakage, lateral movement, or unsafe agent behavior. The Ultimate Guide to NHIs and the broader NHI Mgmt Group research emphasize that visibility and lifecycle control are foundational, not optional. Organisations typically encounter protocol mediation as an urgent requirement only after a privileged session is abused or a target system is exposed, at which point the intermediary becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Protocol mediation helps contain secret exposure and session abuse at the access layer. |
| NIST CSF 2.0 | PR.AC-4 | Mediated access supports least privilege and controlled authorization decisions. |
| NIST Zero Trust (SP 800-207) | SC-3 | Zero Trust favors policy enforcement between requester and resource rather than implicit trust. |
Place policy checks in front of target systems and avoid direct trust in sessions.
Related resources from NHI Mgmt Group
- What is the Model Context Protocol (MCP) and why does it matter for security?
- How should security teams govern AI agents that use Model Context Protocol?
- Why does Model Context Protocol create identity risk for enterprises?
- When does agentless access control make more sense than proxy-based mediation?
