A grant is the relationship that shows which principal has which entitlement on which resource. It is the most governance-relevant unit of access because it connects identity, permission, and target system in one auditable record. Without reliable grants, access reviews become partial and remediation becomes guesswork.
Expanded Definition
A grant is the auditable access relationship that binds a principal to a specific entitlement on a specific resource. In NHI environments, that can mean a workload identity holding permission to read one secret, call one API, or assume one role, rather than a vague description of “can access system X.” This distinction matters because grants are the operational evidence used to prove least privilege, detect privilege drift, and support access review. NHI Management Group treats grants as the governance unit that turns identity data into actionable control, especially when service accounts, tokens, and agent permissions are involved. For broader access governance, grants should also be mapped to policy intent and not just technical rights, as reflected in the NIST Cybersecurity Framework 2.0. Definitions vary across vendors when entitlement, role, and effective permission are blended together, so teams should be explicit about whether they mean a direct grant, an inherited grant, or an effective grant produced by policy evaluation. The most common misapplication is treating a role assignment as the grant itself, which occurs when inherited permissions are not separated from directly assigned access.
Examples and Use Cases
Implementing grants rigorously often introduces modeling and review overhead, requiring organisations to weigh precise visibility against the cost of maintaining accurate entitlement data.
- A CI/CD service account is granted read access to a single secrets vault path, allowing auditors to verify exactly which secret scope is exposed.
- An AI agent receives a time-bounded grant to invoke one internal tool, while the surrounding platform enforces NIST Cybersecurity Framework 2.0 access principles for review and monitoring.
- A cloud workload identity is granted permission to assume a production role only during deployment windows, reducing standing access outside the change period.
- During access recertification, the security team compares the stored grants for a service account against the Ultimate Guide to NHIs guidance on lifecycle control and revocation.
- A third-party integration is given a narrowly scoped grant to query one dataset instead of broad tenant-level access, limiting blast radius if the integration is compromised.
Why It Matters in NHI Security
Grants are where NHI risk becomes measurable. If an organisation cannot see the exact relationship between principal, entitlement, and resource, it cannot reliably answer who can do what, where, and under which conditions. That visibility gap is not theoretical: NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which means most access decisions are being made with incomplete grant data. Weak grant governance also makes secret exposure harder to contain, because revoked credentials may still retain effective access through stale entitlements or inherited permissions. In practice, grant hygiene supports Zero Trust, least privilege, incident response, and offboarding by making access revocation concrete rather than symbolic. It also helps distinguish a genuine control failure from a documentation problem when teams investigate misuse. Organisations typically encounter grant complexity only after a breach review, when remediation, attribution, and re-certification all become operationally unavoidable.
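The direct/inherited/effective distinction from the Expanded Definition, and the case above where revoking a direct grant leaves access in place through an inherited entitlement, as an added worked example (constructed principal, role and resource names; not code from NHI Management Group):

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# A grant binds one principal to one entitlement on one resource; `source`
# records whether it was assigned directly or inherited through a role.
@dataclass(frozen=True)
class Grant:
    principal: str
    entitlement: str
    resource: str
    source: str  # "direct" or "role:<role name>"

# Constructed sample inventory (hypothetical names, not a real tenant).
DIRECT = [
    Grant("ci-deployer", "secrets:read", "vault/ci/token", "direct"),
    Grant("etl-agent", "secrets:read", "vault/etl/db-password", "direct"),
]
ROLE_ENTITLEMENTS = {
    "deployer": [("sts:assume", "role/prod-deploy")],
    "reader": [("secrets:read", "vault/*"), ("datasets:query", "analytics/*")],
}
ROLE_ASSIGNMENTS = {"ci-deployer": ["deployer"], "etl-agent": ["reader"]}

def effective_grants(principal, direct=DIRECT, roles=ROLE_ASSIGNMENTS):
    """Direct grants plus role-inherited grants, expanded into one auditable set."""
    grants = {g for g in direct if g.principal == principal}
    for role in roles.get(principal, []):
        for ent, res in ROLE_ENTITLEMENTS.get(role, []):
            grants.add(Grant(principal, ent, res, f"role:{role}"))
    return grants

def residual_access(principal, entitlement, resource, direct=DIRECT):
    """Simulate revoking one direct grant and return every remaining grant that
    still covers the same entitlement on that resource, i.e. inherited access
    that a direct revocation does not remove."""
    remaining = [g for g in direct
                 if not (g.principal == principal and g.source == "direct"
                         and g.entitlement == entitlement and g.resource == resource)]
    return {g for g in effective_grants(principal, remaining)
            if g.entitlement == entitlement and fnmatch(resource, g.resource)}

def unjustified(principal, justified):
    """Effective grants with no explicit (entitlement, resource) justification;
    a broad inherited scope is not justified by a narrower approved one."""
    return {g for g in effective_grants(principal)
            if not any(g.entitlement == e and fnmatch(g.resource, r) for e, r in justified)}
```

Running `residual_access("etl-agent", "secrets:read", "vault/etl/db-password")` shows the revocation is symbolic: the `reader` role still grants `secrets:read` on `vault/*`, so the effective grant survives until the role assignment is also reviewed.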
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Grants express least-privilege entitlements and inherited access in NHI governance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and reviewed as part of identity governance. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust relies on explicit, policy-evaluated access decisions for each grant. |
Inventory every NHI grant and remove any entitlement that is not explicitly justified.