
Executor accounting

A governance approach that focuses on the identity actually performing an action, not just the application or user interface involved. For agentic environments, it means tracking which AI agent is active, what authority it inherited, and where that authority reaches.

Expanded Definition

Executor accounting is the practice of attributing each action to the specific identity that executed it, rather than stopping at the application, dashboard, or human operator that initiated the workflow. In NHI security, that distinction matters because the executor is often an AI agent, service account, workload identity, or delegated token chain with its own permissions and limits.

In agentic systems, executor accounting tracks which agent was active, which credentials or grants it inherited, and which downstream systems it could reach at that moment. This is closely aligned with the visibility and governance principles described in the Ultimate Guide to NHIs, and it complements the accountability expectations in NIST Cybersecurity Framework 2.0. Definitions vary across vendors, especially where agent orchestration layers blur the line between request origin, runtime executor, and delegated authority. The most common misapplication is logging the user request while omitting the actual workload identity that performed the privileged action, which occurs when telemetry is tied to the front-end session instead of the executing NHI.

Examples and Use Cases

Implementing executor accounting rigorously often introduces correlation overhead, requiring organisations to weigh better incident attribution against additional telemetry, log storage, and identity plumbing.

  • An AI coding agent creates a pull request using a short-lived token. Executor accounting records the agent identity, token scope, and repository permissions, not just the developer who approved the prompt.
  • A CI/CD pipeline deploys a container image after assuming a federated workload identity. The record should show the exact executor, the inherited role, and the environment reached, especially when reviewing exposures highlighted in the Ultimate Guide to NHIs.
  • A customer-support chatbot invokes a ticketing API and updates payment-related metadata. Executor accounting helps distinguish a harmless conversational flow from a privileged backend write action governed by NIST Cybersecurity Framework 2.0 control expectations.
  • A scheduled data-sync job fails over to a backup service account. Proper accounting preserves the identity chain so investigators can see which executor touched which dataset and when.
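The following is an added example, not code from the journal or from any vendor product. It shows the shape of an executor-attributed audit record for the scenarios above and a check for the misapplication described in the expanded definition (an event tied only to the front-end session, with no executing NHI recorded). The event schema, the `Principal`/`AuditEvent` types, the finding codes and every identity, scope and target value are assumptions constructed for the example.

```python
"""Executor-attributed audit events for non-human identities (added example).

Assumes a hypothetical in-house schema: each event carries the `initiator`
(the human or session that requested the work) and an ordered
`executor_chain` of the identities that actually acted, each with the grants
it held at that moment. All identities, scopes and targets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    kind: str                              # "user", "agent", "workload" or "service_account"
    id: str                                # stable identifier for the identity
    scopes: frozenset                      # grants active when the action ran
    inherited_from: Optional[str] = None   # id of the principal that delegated to this one


@dataclass
class AuditEvent:
    action: str                      # e.g. "repo.pull_request.create"
    target: str                      # system or dataset the action reached
    initiator: Principal             # who asked for the work
    executor_chain: List[Principal]  # who actually did it, in delegation order

    def executor(self) -> Optional[Principal]:
        """The identity that performed the action: the last link in the chain."""
        return self.executor_chain[-1] if self.executor_chain else None


def build_event(action: str, target: str, initiator: Principal,
                chain: List[Principal]) -> AuditEvent:
    """Assemble an event, rejecting a chain whose delegation links do not connect."""
    prev = initiator.id
    for p in chain:
        if p.inherited_from != prev:
            raise ValueError(f"broken delegation link: {p.id} claims "
                             f"inherited_from={p.inherited_from!r}, expected {prev!r}")
        prev = p.id
    return AuditEvent(action, target, initiator, list(chain))


def attribution_findings(event: AuditEvent) -> List[str]:
    """Return finding codes for attribution gaps so a SIEM rule can key on them."""
    findings = []
    ex = event.executor()
    if ex is None:
        # Telemetry tied to the front-end session only: no executing NHI recorded.
        return ["missing_executor"]
    if ex.kind == "user":
        # A privileged backend write logged against the human, not the workload.
        findings.append("executor_is_front_end_user")
    if not ex.scopes:
        findings.append("executor_scopes_unrecorded")
    # Walk the chain: a link holding grants its delegator lacked is worth review.
    granter = event.initiator
    for p in event.executor_chain:
        if p.scopes - granter.scopes:
            findings.append(f"scope_widened_at:{p.id}")
        granter = p
    return findings


def to_record(event: AuditEvent) -> dict:
    """Flatten an event into the fields an investigator needs at a glance."""
    ex = event.executor()
    return {
        "action": event.action,
        "target": event.target,
        "initiator": f"{event.initiator.kind}:{event.initiator.id}",
        "executor": f"{ex.kind}:{ex.id}" if ex else None,
        "executor_scopes": sorted(ex.scopes) if ex else [],
        "chain": [p.id for p in event.executor_chain],
        "findings": attribution_findings(event),
    }


# Constructed sample 1: a coding agent opens a PR with a short-lived token
# delegated from the developer's session (first bullet above).
DEVELOPER = Principal("user", "dev-alice", frozenset({"repo:read", "repo:write"}))
CODING_AGENT = Principal("agent", "agent-codegen-7", frozenset({"repo:write"}),
                         inherited_from="dev-alice")
PR_EVENT = build_event("repo.pull_request.create", "git/payments-service",
                       DEVELOPER, [CODING_AGENT])

# Constructed sample 2: a chatbot's backend write recorded only against the chat
# session, with no executing workload identity (the misapplication in the text).
CHAT_USER = Principal("user", "session-9f3c", frozenset({"ticket:read"}))
BAD_EVENT = build_event("ticket.metadata.update", "ticketing-api/payments", CHAT_USER, [])

# Constructed sample 3: a data-sync job fails over to a backup service account
# whose grant is wider than the job's (fourth bullet above); the chain is kept.
SCHEDULER = Principal("workload", "scheduler-nightly", frozenset({"dataset:read"}))
SYNC_JOB = Principal("workload", "sync-job-42", frozenset({"dataset:read"}),
                     inherited_from="scheduler-nightly")
BACKUP_SA = Principal("service_account", "sa-sync-backup",
                      frozenset({"dataset:read", "dataset:write"}), inherited_from="sync-job-42")
FAILOVER_EVENT = build_event("dataset.sync", "warehouse/customers",
                             SCHEDULER, [SYNC_JOB, BACKUP_SA])

if __name__ == "__main__":
    import json
    for ev in (PR_EVENT, BAD_EVENT, FAILOVER_EVENT):
        print(json.dumps(to_record(ev), indent=2))
```

The `scope_widened_at` finding is a review signal rather than a policy violation: a federated workload identity may legitimately hold a role the triggering session never had, but the record should make that visible so the failover in sample 3 can be reconciled with the grant that was intended.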

Why It Matters in NHI Security

Executor accounting is essential because NHI incidents rarely stay confined to the point of origin. When an agent, workload, or service account acts with inherited authority, weak attribution can hide privilege abuse, mask lateral movement, and delay revocation decisions. That delay matters in a domain where only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.

Without executor-level records, responders may know that an API was called but not which identity made the call, which scopes were active, or whether the action came from a trusted agent, a compromised token, or an unintended delegation chain. That gap also weakens governance under identity-centric frameworks such as NIST Cybersecurity Framework 2.0, because detection and response depend on trustworthy attribution. Organisations typically discover the cost of missing executor accounting only after an investigation stalls, at which point addressing it becomes an operational necessity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Executor identity tracking supports NHI visibility and accountability requirements. |
| NIST CSF 2.0 | DE.AE-1 | Event analysis depends on attributing actions to the right executing identity. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous verification of the identity performing each transaction. |

Record the workload or agent that executed each action, along with inherited authority and scope.