The dimmer switch model is a graded containment approach for AI agents and other non-human identities. Instead of an all-or-nothing shutdown, access is reduced in stages so the organisation can keep critical workflows moving while narrowing risk and documenting each control change.
Expanded Definition
The dimmer switch model is a containment strategy for NHI and agentic AI operations that replaces binary access decisions with stepwise restriction. It is used when an AI agent, service account, or other non-human identity still needs to function, but its permissions, network reach, or tool access must be narrowed after a risk signal.
In practice, the model sits between normal operations and full revocation. That distinguishes it both from blunt shutdown approaches and from access policies that know only a static allow-or-deny state. For NHI governance, the key idea is proportional control: reduce privilege, shorten credential life, disable sensitive endpoints, and preserve auditability while the organisation investigates. Definitions vary across vendors, but the operational pattern is consistent across mature identity programs and aligns with the lifecycle and containment themes in the Ultimate Guide to NHIs.
The most common misapplication is treating a dimmer switch action as a permanent access policy. This happens when responders reduce access during an incident without a documented plan, and a deadline, for either restoring the identity or retiring it entirely.
Examples and Use Cases
Applying the model rigorously introduces operational friction: each staged change carries an administrative cost, which the organisation must weigh against the service disruption a full shutdown would cause.
- An AI agent begins making unusual tool calls, so the team removes write privileges first, then blocks external integrations if the behaviour persists.
- A CI/CD service account is suspected of credential exposure, so its token lifetime is shortened, its deployment scope is narrowed, and only release pipelines remain active.
- A third-party NHI shows anomalous access patterns, so the organisation applies read-only access while it validates the vendor relationship and rotates secrets.
- An internal automation bot is overprivileged, so its role is trimmed in phases to keep reporting jobs running while privileged actions are isolated.
- A response team uses the model after aligning the containment plan to NHIMG guidance on NHI lifecycle management and cross-checks the identity’s risk path against NIST Cybersecurity Framework 2.0 categories for access control and recovery.
In mature environments, the model complements just-in-time (JIT) access: an identity is not simply allowed or denied but is progressively narrowed as confidence in it drops.
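The following Python is an added illustration written for this page (it is not code from NHIMG, a vendor product or any framework) of the ladder used in the agent and CI/CD cases above. Each stage strictly narrows tool access and credential lifetime, every change is recorded with its reason and approver, and a review deadline forces the restore-or-retire decision so the reduction cannot quietly become the permanent policy. The identity name `agent://build-assistant`, the tool and stage names, the TTL values, the 24-hour review window and the choice to fail closed once the review lapses are all assumptions made for the example.

```python
"""Staged ("dimmer switch") containment for one non-human identity.
Added illustration written for this page, not code from NHIMG, a vendor or a
framework. Identity name, tool names, stage names, TTLs and the 24-hour
review window are assumptions chosen for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Stage:
    name: str
    tools: frozenset        # tool calls / actions still permitted at this stage
    token_ttl_seconds: int  # longest credential lifetime minted at this stage

# Assumed ladder for an agent that reads/writes a repo, runs a release pipeline
# and calls an external webhook. Each notch removes capability and shortens
# credential life; only the last notch switches the identity off.
LADDER = (
    Stage("normal", frozenset({"read_repo", "write_repo", "deploy_release", "external_webhook"}), 3600),
    Stage("no_write", frozenset({"read_repo", "deploy_release", "external_webhook"}), 900),
    Stage("no_external", frozenset({"read_repo", "deploy_release"}), 300),
    Stage("read_only", frozenset({"read_repo"}), 300),
    Stage("revoked", frozenset(), 0),
)

def validate_ladder(ladder=LADDER) -> bool:
    """Each stage must strictly narrow the previous one: fewer tools, no longer TTL."""
    for prev, cur in zip(ladder, ladder[1:]):
        if not cur.tools < prev.tools or cur.token_ttl_seconds > prev.token_ttl_seconds:
            raise ValueError(f"{cur.name} does not strictly narrow {prev.name}")
    if ladder[-1].tools:
        raise ValueError("final stage must revoke every tool")
    return True

@dataclass
class Containment:
    identity: str
    stage_index: int = 0
    review_by: Optional[datetime] = None       # deadline to restore or retire
    audit: list = field(default_factory=list)  # the recordable decision path

    @property
    def stage(self) -> Stage:
        return LADDER[self.stage_index]

    def _record(self, action: str, reason: str, approved_by: str, now: datetime) -> None:
        self.audit.append({"identity": self.identity, "action": action, "stage": self.stage.name,
                           "reason": reason, "approved_by": approved_by, "at": now.isoformat(),
                           "review_by": self.review_by.isoformat() if self.review_by else None})

    def dim(self, reason: str, approved_by: str, now: datetime, review_window: timedelta = timedelta(hours=24)) -> Stage:
        """Move one notch down and start (or reset) the review clock."""
        if self.stage_index + 1 >= len(LADDER):
            raise ValueError(f"{self.identity} is already revoked")
        self.stage_index += 1
        self.review_by = now + review_window if self.stage.tools else None
        self._record("dim", reason, approved_by, now)
        return self.stage

    def restore(self, reason: str, approved_by: str, now: datetime) -> Stage:
        """Return to normal once trust is re-established; this closes the review."""
        self.stage_index, self.review_by = 0, None
        self._record("restore", reason, approved_by, now)
        return self.stage

    def retire(self, reason: str, approved_by: str, now: datetime) -> Stage:
        """Fully revoke: the reduction becomes deliberately permanent."""
        self.stage_index, self.review_by = len(LADDER) - 1, None
        self._record("retire", reason, approved_by, now)
        return self.stage

    def authorize(self, tool: str, now: datetime) -> tuple:
        """Decision for one tool call. A lapsed review deadline fails closed so a
        temporary reduction cannot silently become the permanent policy."""
        if self.review_by is not None and now > self.review_by:
            return False, "containment review overdue: restore or retire before further use"
        if tool in self.stage.tools:
            return True, f"allowed at stage {self.stage.name}"
        return False, f"{tool} not permitted at stage {self.stage.name}"

def run_scenario() -> dict:
    """Agent case from the text: drop writes, then external calls, let the review lapse, restore."""
    validate_ladder()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    t1, t2 = t0 + timedelta(hours=1), t0 + timedelta(hours=26)
    c = Containment("agent://build-assistant")      # assumed identity name
    out = {"normal_write": c.authorize("write_repo", t0)[0]}
    c.dim("unusual tool-call pattern", "oncall-ir", t0)
    out["after_dim1"] = (c.stage.name, c.authorize("write_repo", t0)[0],
                         c.authorize("deploy_release", t0)[0])
    c.dim("anomalous calls persisted after write removal", "ir-lead", t1)
    out["after_dim2"] = (c.stage.name, c.authorize("external_webhook", t1)[0],
                         c.authorize("deploy_release", t1)[0], c.stage.token_ttl_seconds)
    out["review_lapsed"] = c.authorize("read_repo", t2)[0]  # t2 is past t1 + 24h
    c.restore("investigation closed; agent instructions corrected", "ir-lead", t2)
    out["after_restore"] = (c.stage.name, c.authorize("write_repo", t2)[0])
    out["audit_actions"] = [e["action"] for e in c.audit]
    return out
```

Running `run_scenario()` walks the agent case: writes are refused at the first notch while the release pipeline keeps working, external integrations are refused at the second, and once the review window passes every call is refused until someone records a restore or retire decision. `validate_ladder()` is the check worth keeping in a real deployment: a stage that widens access or lengthens credential life is a misconfigured ladder, not a containment step.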
Why It Matters in NHI Security
The dimmer switch model matters because NHIs often support production workflows, and a full shutdown can create outages, failed jobs, or broken customer journeys. When organisations cannot see exactly which service account, API key, or agent path is affected, staged containment becomes the safer way to limit blast radius without losing all automation. That need is amplified by NHIMG research showing that only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges, making gradual restriction far more practical than immediate blanket revocation. Those conditions are documented in the Ultimate Guide to NHIs.
For governance teams, the model creates a recordable decision path: what was reduced, why it was reduced, who approved it, and what restored trust later. That is especially important when responding under pressure, because a staged approach can show restraint while still preserving security evidence and service continuity.
Organisations typically encounter the need for this model only after an identity incident, at which point controlled reduction becomes operationally unavoidable to keep critical workflows alive while the investigation proceeds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI2 Secret Leakage, NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets | Trimming privilege and shortening credential life during containment directly reduce the over-privilege and long-lived-secret risks; rotating secrets as part of the response addresses leakage. |
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control) | Access permissions are to be managed, enforced and reviewed under least privilege; each containment stage is one such managed, reviewable change. PR.AC-4 is the equivalent CSF 1.1 subcategory. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session access decided by dynamic policy | Granting access per session under dynamic policy lets each containment stage be enforced as a policy change rather than a shutdown. |
Apply progressive access reduction while preserving only the minimum functions required for continuity.