Semantic Model

A governed layer that defines business meaning for data, such as what counts as a customer, order, or approved source. When semantic models are wrong or inconsistent, AI can produce outputs that are technically valid but operationally misleading.

Expanded Definition

A semantic model is the governed translation layer that assigns business meaning to data so people and AI systems interpret terms consistently. It defines entities, metrics, approved sources, and relationships such as customer, order, subscription, or trusted service account.

In NHI and agentic AI environments, semantic models matter because tool-using agents do not just need access to data; they also need an agreed interpretation of it. Without that layer, an agent may query the right table or API and still produce a misleading answer because the underlying definitions conflict across teams or systems. This is what distinguishes semantic modelling from data modelling alone: data modelling focuses on structure, while semantic modelling focuses on governed meaning and decision readiness. Guidance from the NIST Cybersecurity Framework 2.0 reinforces that governance and trusted context are essential to resilient decision-making, even though the framework does not prescribe semantic models directly. Definitions vary across vendors, and no single standard governs this yet, so implementation details often depend on the BI, AI, or data governance stack in use.

The most common misapplication is treating a semantic model as a reporting convenience, which occurs when teams publish metrics without governing source definitions, lineage, or approval rules.

Examples and Use Cases

Implementing semantic models rigorously often introduces governance overhead, requiring organisations to weigh faster self-service analytics against tighter control over business meaning.

  • A revenue dashboard uses one governed definition of “booked order” instead of letting finance, sales, and operations calculate it differently.
  • An AI assistant queries customer support data through a semantic layer so “active customer” always maps to the approved policy definition, not an ad hoc query result.
  • A procurement workflow uses a semantic model to distinguish approved supplier records from duplicate vendor entries before an agent can trigger payment actions.
  • Identity telemetry is normalised so a service account, API key, and workload identity are classified consistently before automated risk scoring is applied.

For NHI programs, the same discipline appears in the Ultimate Guide to NHIs, which emphasises governance, visibility, and lifecycle control as prerequisites for reliable identity operations. In practice, a semantic model can also help agents interpret whether a token is “approved,” “active,” or “expired” before taking action. When organisations align these meanings with external control expectations such as NIST Cybersecurity Framework 2.0, they reduce the chance that automation will make decisions on inconsistent labels.
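The identity telemetry and token-state cases above can be made concrete with a small governed translation layer. This is an added illustration, not code from the journal or any vendor product: the source systems, labels, identity ids and timestamps are all constructed, and the mapping table is the governed definition that an organisation would own and review. Labels the model has not approved resolve to "unknown" rather than being guessed, so automation fails closed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Governed vocabulary: the only lifecycle states downstream automation may reason about.
CANONICAL_STATES = {"approved", "active", "expired", "unknown"}

# Constructed mapping from each source system's native labels to governed meaning.
# "approved" here means provisioned and approved but not yet enabled for use.
# Anything not listed is deliberately unmapped so it resolves to "unknown".
SOURCE_LABEL_MAP: Dict[str, Dict[str, str]] = {
    "iam_console":   {"ACTIVE": "active", "PROVISIONED": "approved", "DISABLED": "expired"},
    "secrets_vault": {"enabled": "active", "revoked": "expired"},
    "ci_runner":     {"1": "active", "0": "expired"},
}

@dataclass(frozen=True)
class IdentityRecord:
    source: str                 # system the telemetry came from (constructed names)
    identity_id: str            # service account, API key, or workload identity
    raw_status: str             # label exactly as the source reports it
    expires_at: Optional[str]   # ISO-8601 timestamp with offset, or None

def resolve_state(rec: IdentityRecord, now: datetime) -> str:
    """Translate a source-native label into the governed lifecycle state."""
    state = SOURCE_LABEL_MAP.get(rec.source, {}).get(rec.raw_status, "unknown")
    # Expiry is part of the business meaning of "active", whatever the source label says.
    if state in ("active", "approved") and rec.expires_at:
        if datetime.fromisoformat(rec.expires_at) <= now:
            state = "expired"
    assert state in CANONICAL_STATES
    return state

def may_act(rec: IdentityRecord, now: datetime) -> bool:
    """Fail closed: an agent may act only on an identity the governed model calls active."""
    return resolve_state(rec, now) == "active"

def classify_all(records: List[IdentityRecord], now: datetime) -> Dict[str, str]:
    """Normalise a batch of telemetry before risk scoring or inventory review."""
    return {r.identity_id: resolve_state(r, now) for r in records}

# Constructed sample telemetry; none of these are real identities.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    IdentityRecord("iam_console", "svc-billing", "ACTIVE", "2025-01-01T00:00:00+00:00"),
    IdentityRecord("secrets_vault", "apikey-7f3", "enabled", "2024-01-01T00:00:00+00:00"),
    IdentityRecord("ci_runner", "wl-deploy", "1", None),
    IdentityRecord("ci_runner", "wl-legacy", "true", None),  # label never approved by the model
]
```

Note that "apikey-7f3" is reported as enabled by its source yet resolves to expired, and "wl-legacy" is blocked because its label has no governed meaning, which is exactly the class of mismatch the text describes.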

Why It Matters in NHI Security

Semantic models become security relevant when agents, automations, and analysts rely on them to decide what is trustworthy, current, or authorised. If the model mislabels a source, an ownership field, or a lifecycle state, downstream controls can fail even when authentication and access rules are technically correct. That is especially dangerous in NHI programs, where an API key, workload identity, or service account may be used across multiple systems with different naming conventions and approval states.

The risk is not abstract: the Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts, a gap in which inconsistent meaning and incomplete inventory reinforce each other. When a semantic model is weak, security teams may believe they are reviewing all active identities while actually missing shadow accounts, stale credentials, or unapproved data sources. That can distort risk scoring, incident triage, and remediation priorities. Organisationally, the problem usually becomes visible only after an incident review shows that a system ran the right technical query against the wrong business definition, at which point fixing the semantic model can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
NIST CSF 2.0                      GV.OV-01              Semantic models support governed, consistent interpretation of data used for oversight and decisions.
OWASP Agentic AI Top 10           (not specified)       Agentic systems depend on accurate context and tool interpretation to avoid misleading outputs.
OWASP Non-Human Identity Top 10   NHI-01                NHI governance depends on reliable identity and source semantics for inventory and lifecycle control.

Govern approved business meanings and review them so analytics and automation use the same trusted definitions.