Data-in-motion is sensitive information while it is being transferred between systems, identities, or applications. For SaaS and AI programmes, the main concern is not only where data is stored, but which identities can move it, transform it, or expose it during transit.
Expanded Definition
Data-in-motion is information actively traversing networks, APIs, message buses, browser sessions, service meshes, and AI toolchains. In NHI and IAM programmes, the key question is not only whether the payload is encrypted, but which non-human identities can initiate, relay, inspect, transform, or replay it during transit. That makes the term broader than “network traffic” and more operational than “data in transit,” because it includes the identity context surrounding every hop.
Definitions vary across vendors when data-in-motion is discussed alongside transport security, application-layer inspection, and zero trust enforcement. Practitioners should align the term with controls that govern authentication, authorisation, telemetry, and cryptographic protection across transfers, especially where service accounts or AI agents broker data between systems. The NIST Cybersecurity Framework 2.0 is useful here because it ties protection to access control, monitoring, and resilience rather than transport alone.
The most common misapplication is treating encrypted transport as complete protection. TLS protects the payload between two endpoints, but it says nothing about the identity and policy decisions made at each application and agent handoff, and organisations that stop at transport encryption leave those decisions unchecked.
Examples and Use Cases
Implementing data-in-motion controls rigorously often introduces inspection and routing constraints, so organisations must weigh latency and operational simplicity against visibility and control.
- An AI agent calls an internal retrieval API, and the response contains customer records that must be encrypted, logged, and authorised at each step.
- A CI/CD pipeline moves secrets and deployment artefacts between vaults, build systems, and runtime services, where service account misuse can expose the payload.
- A microservice forwards payment data through a message queue, requiring mutual authentication and policy enforcement on producers and consumers.
- A SaaS integration syncs records across tenants, and the transfer path must prevent overbroad access by third-party NHIs.
- During incident review, the team traces a breach pattern similar to the Schneider Electric credentials breach, where credentialed movement mattered as much as the stored data itself.
For organisations building agent workflows, the Ultimate Guide to NHIs — Key Research and Survey Results is a strong reference point because it frames transit risk as an identity problem, not just a network one.
Why It Matters in NHI Security
Data-in-motion is where compromised NHIs often turn from isolated credential issues into active exposure. If a service account, API key, or agent token can move data freely, an attacker does not need to break storage to extract value. They can intercept requests, alter outputs, replay sessions, or pivot through trusted integrations. That is why governance must cover encryption, token scope, short-lived access, mutual authentication, and auditability across every transfer path.
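The controls listed above (token scope, short-lived access, audience binding per hop, replay detection and an audit trail) can be exercised in a few dozen lines. The following is an added example written for this page, not code from the original page or from any vendor it cites. It assumes a single shared HMAC key between issuer and hops (a hypothetical simplification; real deployments would use asymmetric keys or a workload identity framework) and in-memory stores. The hop names (`retrieval-api`, `export-service`), the agent name and the scopes are constructed for the demo. The walk-through mirrors the agent-to-retrieval-API case from the examples list and the closing rule that every hop authenticates and authorises for itself: a token accepted at hop 1 is then replayed, presented at hop 2, tampered with, and allowed to expire.

```python
"""Per-hop authorisation for data-in-motion: scoped, short-lived,
audience-bound tokens with replay detection and an append-only audit log.
Added example; assumes a shared HMAC key (hypothetical) and in-memory stores."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for this demo only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject, audience, scope, ttl_s=60, now=None):
    """Issue a token usable by one NHI, at one downstream hop, for one action."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,               # the NHI presenting the token
        "aud": audience,              # the only hop that may accept it
        "scope": scope,               # the single action it authorises
        "iat": now,
        "exp": now + ttl_s,           # short-lived by default
        "jti": secrets.token_hex(8),  # unique id, lets hops detect replay
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class Hop:
    """One service on a transfer path. It re-verifies every token for itself,
    regardless of what an upstream hop already checked."""

    def __init__(self, name, allowed_scopes):
        self.name = name
        self.allowed_scopes = set(allowed_scopes)
        self.seen_jti = {}  # jti -> exp; replay store, bounded by expiry
        self.audit = []     # append-only decision log

    def _log(self, claims, decision, reason):
        self.audit.append({"hop": self.name, "decision": decision, "reason": reason,
                           "sub": claims.get("sub") if claims else None,
                           "jti": claims.get("jti") if claims else None})

    def authorise(self, token, action, now=None):
        now = time.time() if now is None else now
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        try:
            body, sig = token.split(".")
        except ValueError:
            self._log(None, "deny", "malformed")
            return False
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):   # tampered payload
            self._log(None, "deny", "bad signature")
            return False
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.name:                     # token minted for another hop
            self._log(claims, "deny", "wrong audience")
            return False
        if claims["exp"] <= now:                           # short TTL limits a stolen token
            self._log(claims, "deny", "expired")
            return False
        if claims["scope"] != action or action not in self.allowed_scopes:
            self._log(claims, "deny", "scope mismatch")
            return False
        if claims["jti"] in self.seen_jti:                 # same token presented twice
            self._log(claims, "deny", "replay")
            return False
        self.seen_jti[claims["jti"]] = claims["exp"]
        self._log(claims, "allow", "ok")
        return True


def demo():
    """Two-hop path: a token stolen at hop 1 must not open hop 2, and cannot be
    replayed, forged or used after expiry at hop 1 either."""
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    retrieval = Hop("retrieval-api", {"records:read"})
    exporter = Hop("export-service", {"records:export"})
    hop1 = mint_token("agent-42", "retrieval-api", "records:read", now=t0)
    body, sig = hop1.split(".")
    forged = _b64(_unb64(body).replace(b'"records:read"', b'"records:export"')) + "." + sig
    results = {
        "hop1_first_use": retrieval.authorise(hop1, "records:read", now=t0 + 1),
        "hop1_replayed": retrieval.authorise(hop1, "records:read", now=t0 + 2),
        "hop1_at_hop2": exporter.authorise(hop1, "records:export", now=t0 + 2),
        "hop1_expired": retrieval.authorise(
            mint_token("agent-42", "retrieval-api", "records:read", now=t0),
            "records:read", now=t0 + 61),
        "forged_scope": exporter.authorise(forged, "records:export", now=t0 + 3),
        "hop2_proper": exporter.authorise(
            mint_token("retrieval-api", "export-service", "records:export", now=t0 + 3),
            "records:export", now=t0 + 4),
    }
    return results, retrieval.audit + exporter.audit


if __name__ == "__main__":
    outcome, log = demo()
    for entry in log:
        print(entry)
```

The point of the design is that hop 2 never trusts hop 1's verdict: each hop binds the token to its own name, checks expiry against its own clock, and keeps its own replay store, so a credential captured on one leg of the path is worthless on the next. The audit list is what an incident responder would pull to reconstruct which NHI moved what, where, and whether a deny fired.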
This matters especially in programmes that rely on automation, because agents and integration services often have broad execution authority. The NIST Cybersecurity Framework 2.0 supports this view by linking protection to access control and monitoring, while NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That statistic is especially relevant because transit paths are where those identities are most likely to be abused at scale.
Organisations typically feel the operational impact only after a token is stolen, a pipeline is hijacked, or an investigation reveals that an agent has been leaking data; at that point the transfer paths themselves must be contained, not just the stores they connect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage | Data-in-motion depends on secret handling and protected transfer paths for NHIs. |
| NIST CSF 2.0 | PR.AA-05 (access permissions enforce least privilege and separation of duties; the CSF 1.1 equivalent was PR.AC-4) | Least-privilege access applies to identities moving and transforming data in transit. |
| NIST SP 800-207 (Zero Trust Architecture) | Tenets of zero trust, Section 2.1 (per-session access, dynamic authorisation); the related NIST SP 800-53 Rev. 5 control is AC-4, Information Flow Enforcement | Zero trust treats each data transfer as a separately authorised action. |
Authenticate and authorise every hop that handles data-in-motion, not just the first connection.