Division is the device identity failure mode where one endpoint produces multiple identifiers across sessions, browsers, or network contexts. It breaks correlation and can let malicious activity evade controls that depend on a stable device history across time.
Expanded Definition
Division is the device identity failure mode in which one endpoint presents multiple identifiers across sessions, browsers, apps, or network contexts. In NHI security, that breaks continuity of device history and weakens controls that depend on stable correlation, such as anomaly detection, step-up verification, and policy enforcement tied to a known endpoint.
Definitions vary across vendors because some products treat division as a privacy-preserving artifact, while others treat it as an integrity problem that can be exploited. NHI Management Group treats it as a security-relevant identity instability issue when the same device cannot be reliably recognised over time. That distinction matters because device identity is often part of the trust signal set used in NIST Cybersecurity Framework 2.0-style governance and in broader device posture decisions. It also intersects with how organisations think about service access, browser-based agents, and automated workloads that rely on persistent context rather than a single login event.
When division appears, investigators may see one endpoint as several unrelated entities, which can fragment logs, hide lateral movement, and make revocation decisions incomplete. The most common misapplication is treating division as harmless identifier churn, which occurs when teams ignore repeated context changes from the same endpoint and lose the ability to correlate activity across sessions.
Examples and Use Cases
Implementing identity correlation rigorously often introduces user friction and engineering overhead, requiring organisations to balance stronger detection against legitimate device changes such as browser resets, VPN shifts, or privacy controls.
- A contractor’s laptop appears as a new device every time the browser profile is recreated, so access reviews never connect the sessions to one endpoint.
- A headless automation agent changes network context after each run, causing the security platform to treat every execution as a different device.
- A mobile workforce uses privacy settings that suppress stable browser signals, which creates fragmented device histories across SaaS applications.
- An attacker clears local storage and rotates network paths to make a compromised endpoint appear unfamiliar during control evaluation.
- Security teams compare these patterns against identity governance guidance in the Ultimate Guide to NHIs and correlate them with device and access telemetry using the NIST Cybersecurity Framework 2.0.
These examples matter because division is often discovered only when analysts try to reconstruct a timeline and find that the same endpoint has been split into multiple identities.
Why It Matters in NHI Security
Division matters because NHI security depends on trust decisions that are stable enough to detect abuse, enforce privilege boundaries, and support incident response. If a device cannot be correlated consistently, defenders may miss compromised access paths, duplicate approvals, or abnormal tool use that spans multiple sessions. That failure is especially dangerous in environments where endpoints are used as gatekeepers for service accounts, secrets retrieval, or administrative workflows. The NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts, a reminder that visibility gaps compound quickly when identity signals are already fragmented, as discussed in the Ultimate Guide to NHIs.
Division also complicates governance because teams may over-trust a familiar device label while missing the fact that the underlying endpoint has changed context in ways that reset risk scoring. In practice, this can delay containment, distort audit trails, and weaken Zero Trust enforcement when device state is used as part of access policy. Organisations typically encounter the consequence only after an incident review reveals that multiple “different” devices were actually the same compromised endpoint, at which point addressing division becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Device identity instability affects how NHI discovery and correlation controls are applied. |
| NIST CSF 2.0 | PR.AA-01 | Identity and authentication assurance relies on consistent device recognition and access context. |
| NIST Zero Trust (SP 800-207) | JIT access context | Zero Trust decisions depend on trustworthy device context; division undermines that context. |
Correlate device signals before granting access and investigate repeated identity churn as a risk event.
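One way to apply the closing recommendation, shown as an added example that is not from the original page: device identifiers that share an account and at least one linking signal are merged into one endpoint cluster, and clusters holding several identifiers are reported as churn events. The field names (`device_id`, `account`, `tls_fp`, `hw_key`), the sample sessions, and the choice of linking signals are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample sessions; field names and values are illustrative assumptions.
SESSIONS = [
    {"device_id": "dev-a1", "account": "svc-build", "tls_fp": "fp-771", "hw_key": "k-01", "ts": 100},
    {"device_id": "dev-b2", "account": "svc-build", "tls_fp": "fp-771", "hw_key": None, "ts": 160},
    {"device_id": "dev-c3", "account": "svc-build", "tls_fp": "fp-902", "hw_key": "k-01", "ts": 220},
    {"device_id": "dev-d4", "account": "svc-deploy", "tls_fp": "fp-771", "hw_key": None, "ts": 230},
    {"device_id": "dev-e5", "account": "contractor7", "tls_fp": "fp-333", "hw_key": "k-09", "ts": 240},
]
LINK_SIGNALS = ("tls_fp", "hw_key")  # assumed signals that survive a profile reset


def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def correlate(sessions, signals=LINK_SIGNALS):
    """Group device_ids that share an account plus at least one linking signal value."""
    parent = {s["device_id"]: s["device_id"] for s in sessions}
    first_seen = {}  # (account, signal name, value) -> first device_id observed
    for s in sorted(sessions, key=lambda r: r["ts"]):
        for name in signals:
            if s.get(name) is None:
                continue  # suppressed signal: never link on a missing value
            # Scoping the key to the account keeps a common fingerprint
            # from merging unrelated endpoints.
            key = (s["account"], name, s[name])
            if key in first_seen:
                parent[find(parent, s["device_id"])] = find(parent, first_seen[key])
            else:
                first_seen[key] = s["device_id"]
    clusters = defaultdict(set)
    for dev in parent:
        clusters[find(parent, dev)].add(dev)
    return sorted(sorted(c) for c in clusters.values())


def churn_events(sessions, threshold=2):
    """Clusters with at least `threshold` identifiers are division risk events."""
    return [c for c in correlate(sessions) if len(c) >= threshold]
```

Linking is transitive, so `dev-b2` and `dev-c3` end up in one cluster through `dev-a1` even though they share no signal directly. Scoping links to the account is a conservative choice that will miss one endpoint used under several accounts.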