The missing middle is the gap between identity provider authentication and final cloud or SaaS action. It is the place where posture tools, login logs, and infrastructure monitoring often lose visibility, even though the browser session can still be abused by a valid-looking identity.
Expanded Definition
The missing middle is the control gap between identity provider authentication and the final cloud or SaaS action. It describes the part of the request path where a browser session, token, or delegated workflow can remain valid even when posture checks, login telemetry, and infrastructure monitoring no longer show what the identity is doing.
In NHI security, the term matters because the identity proof at login is not the same as continuous authorization at action time. The session may have been created by a legitimate user, service account, or AI agent, but the later use of that session can diverge from the original trust decision. This is why guidance in the NIST Cybersecurity Framework 2.0 must be paired with identity-level telemetry and application-level enforcement. Definitions vary across vendors, but the operational meaning is consistent: visibility breaks between “who authenticated” and “what actually happened next.”
For non-human identities, the missing middle often includes delegated OAuth consent, browser automation, API calls issued through a session, and chained tool execution. The most common misapplication is treating successful authentication as proof of safe behaviour, which occurs when teams stop monitoring after the login event.
Examples and Use Cases
Implementing missing-middle visibility rigorously often introduces telemetry, correlation, and policy complexity, requiring organisations to weigh stronger assurance against added engineering and data-normalisation cost.
- A service account signs in through a valid browser session, then uses a SaaS export function that is never inspected by posture tooling.
- An AI agent receives delegated access through a human-approved session, but later invokes a sensitive admin action after the approving user has lost context.
- An OAuth token remains active after login, allowing an application to read or write data long after the original authentication event.
- A contractor’s session passes MFA, but the subsequent cloud console actions are only visible in the SaaS audit log, not the identity provider.
- Posture tooling confirms the device is compliant at sign-in, yet the browser session is later abused from a different workflow stage without triggering a new login.
This is why NHI-focused guidance in the Ultimate Guide to NHIs is so relevant to session governance, and why standards such as NIST Cybersecurity Framework 2.0 must be translated into action-level controls rather than login-only reporting.
The practical use cases are usually detection-oriented: stitching together identity provider logs, SaaS audit trails, browser events, and API activity to determine whether the authenticated entity still deserves trust at the moment of action.
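The stitching described above, written out as an added example (not code from the original page or from any vendor's product). It joins identity provider login events to SaaS audit events on a shared session id and flags the situations listed in the bullet points: an action with no login behind it, a session used from a different source than it was issued to, a session used long after its login, a sensitive action by a session whose posture was never checked, and a delegated agent still acting after the approving user logged out. The log formats, field names (`session_id`, `src_ip`, `posture`, `delegated_by`), the action names and the sample events are all constructed for the example.

```python
"""Correlate identity provider login events with SaaS audit events so that
post-authentication use of a session can be checked at action time.

Added example, not code from the original page. Field names, the event
formats and the sample events below are constructed for illustration."""
import json
from datetime import datetime, timedelta

# Constructed IdP log (JSON lines): carries the posture decision and, for a
# delegated agent session, the approving user's session id.
IDP_LOG = """\
{"ts":"2024-05-01T08:00:00+00:00","event":"login","subject":"svc-reporting","session_id":"s-101","src_ip":"10.0.1.5","posture":"compliant"}
{"ts":"2024-05-01T08:05:00+00:00","event":"login","subject":"alice","session_id":"s-102","src_ip":"10.0.2.9","posture":"compliant"}
{"ts":"2024-05-01T08:06:00+00:00","event":"login","subject":"agent-copilot","session_id":"s-103","src_ip":"10.0.2.9","posture":"n/a","delegated_by":"s-102"}
{"ts":"2024-05-01T09:00:00+00:00","event":"logout","subject":"alice","session_id":"s-102"}
"""

# Constructed SaaS audit log: the action is recorded, but nothing here says
# whether the session still deserves trust.
SAAS_AUDIT = """\
{"ts":"2024-05-01T08:10:00+00:00","event_id":"e1","session_id":"s-101","action":"report.view","src_ip":"10.0.1.5"}
{"ts":"2024-05-01T08:30:00+00:00","event_id":"e2","session_id":"s-101","action":"export.bulk","src_ip":"203.0.113.7"}
{"ts":"2024-05-01T09:30:00+00:00","event_id":"e3","session_id":"s-103","action":"admin.role.grant","src_ip":"10.0.2.9"}
{"ts":"2024-05-01T08:15:00+00:00","event_id":"e4","session_id":"s-999","action":"report.view","src_ip":"10.0.3.3"}
{"ts":"2024-05-01T17:00:00+00:00","event_id":"e5","session_id":"s-101","action":"report.view","src_ip":"10.0.1.5"}
"""

SENSITIVE_ACTIONS = {"export.bulk", "admin.role.grant", "oauth.consent.grant"}
MAX_SESSION_AGE = timedelta(hours=8)


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def index_sessions(idp_events):
    """Map session_id -> {"login": event or None, "logout": event or None}."""
    sessions = {}
    for ev in idp_events:
        entry = sessions.setdefault(ev["session_id"], {"login": None, "logout": None})
        entry[ev["event"]] = ev
    return sessions


def correlate(idp_events, audit_events, max_age=MAX_SESSION_AGE):
    """Return {event_id: [reasons]} for audit events whose session context
    no longer supports the action. Events with no finding are omitted."""
    sessions = index_sessions(idp_events)
    findings = {}
    for act in audit_events:
        reasons = []
        sess = sessions.get(act["session_id"])
        login = sess["login"] if sess else None
        if login is None:
            # Action with no authentication event behind it in the IdP.
            reasons.append("orphan-session")
        else:
            if act["src_ip"] != login["src_ip"]:
                reasons.append("source-drift")          # session used from elsewhere
            if ts(act) - ts(login) > max_age:
                reasons.append("stale-session")         # long-lived token or cookie
            if act["action"] in SENSITIVE_ACTIONS and login.get("posture") != "compliant":
                reasons.append("sensitive-action-without-posture")
            approver = sessions.get(login.get("delegated_by", ""))
            if approver and approver["logout"] and ts(approver["logout"]) < ts(act):
                # Delegated agent kept acting after the approving user left.
                reasons.append("delegation-after-approver-logout")
        if reasons:
            findings[act["event_id"]] = reasons
    return findings


def run_example():
    return correlate(parse_jsonl(IDP_LOG), parse_jsonl(SAAS_AUDIT))


if __name__ == "__main__":
    for event_id, reasons in run_example().items():
        print(event_id, ", ".join(reasons))
```

The point of the join is that neither log alone is enough: the IdP log knows the posture decision and the delegation chain but not the action, and the SaaS audit log knows the action but not the trust context. In production the session identifier is rarely shared verbatim across both systems, so the same correlation is usually keyed on a token id, a subject plus a time window, or an identifier propagated through the token exchange.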
Why It Matters in NHI Security
The missing middle is where many NHI incidents become visible only after damage has already occurred. A valid token, session cookie, or delegated grant can be abused without generating a new authentication event, which means conventional controls may miss privilege escalation, data extraction, or AI agent misuse. NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, a useful indicator of how often the middle of the request path remains opaque.
For security and governance teams, the issue is not just logging volume. It is whether identity assurance, authorization, and action traceability are connected across the entire lifecycle of the session. The Ultimate Guide to NHIs frames this as a visibility and governance problem, not merely a monitoring problem. When the missing middle is ignored, incident response tends to start from symptoms rather than root cause, and the attacker’s path is reconstructed too late.
Organisations typically encounter the missing middle only when a suspicious session, anomalous data access, or compromised NHI workflow is investigated; at that point the gap can no longer be left unaddressed operationally.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | Missing-middle gaps are detected through continuous monitoring across identity and application activity. |
| OWASP Non-Human Identity Top 10 | NHI-06 | The term maps to visibility failures in NHI session and action monitoring. |
| NIST Zero Trust (SP 800-207) | PA | Zero Trust requires policy decisions at each request, not only at initial authentication. |
Correlate login, session, and action telemetry so post-authentication abuse is visible and triageable.
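The SP 800-207 row in the table calls for a policy decision at each request rather than only at initial authentication. As an added example (not code from the original page or from any framework), the function below is the shape of such an action-time decision for a session: it checks session age, whether the session's scopes cover the requested action, whether a delegated agent's approver is still active, and whether a sensitive action needs fresh device attestation or a step-up before it can proceed. The session fields, action names, scopes and freshness windows are assumptions made for the example.

```python
"""Action-time policy decision for a session, as opposed to a one-off decision
at login. Added example; the session model, action catalogue, scopes and
thresholds are constructed for illustration, not a vendor's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy tables.
ACTION_SCOPES = {                      # scope a session must hold per action
    "report.view": "reports:read",
    "export.bulk": "reports:export",
    "admin.role.grant": "admin:roles",
}
SENSITIVE_ACTIONS = {"export.bulk", "admin.role.grant"}
SESSION_MAX_AGE = timedelta(hours=8)
POSTURE_MAX_AGE = timedelta(minutes=30)   # device/workload attestation freshness
MFA_MAX_AGE = timedelta(minutes=15)       # step-up window for human sessions


@dataclass
class Session:
    subject: str
    kind: str                              # "human", "service" or "agent"
    issued_at: datetime
    scopes: frozenset
    last_posture_ok: Optional[datetime] = None
    last_mfa: Optional[datetime] = None
    approver_active: bool = True           # only meaningful for delegated agents


def decide(session: Session, action: str, now: datetime):
    """Return (outcome, reasons). outcome is 'allow', 'challenge' (the caller
    must re-attest or step up and retry) or 'deny'."""
    if now - session.issued_at > SESSION_MAX_AGE:
        return "deny", ["session-expired"]
    required = ACTION_SCOPES.get(action)
    if required is None or required not in session.scopes:
        return "deny", ["scope-missing"]        # unknown action or scope not granted
    if session.kind == "agent" and not session.approver_active:
        return "deny", ["approver-inactive"]    # delegation ends with the approver
    obligations = []
    if action in SENSITIVE_ACTIONS:
        posture_stale = (session.last_posture_ok is None
                         or now - session.last_posture_ok > POSTURE_MAX_AGE)
        if posture_stale:
            obligations.append("reattest-device")
        mfa_stale = session.last_mfa is None or now - session.last_mfa > MFA_MAX_AGE
        if session.kind == "human" and mfa_stale:
            obligations.append("step-up-mfa")
    if obligations:
        return "challenge", obligations
    return "allow", []


def run_scenarios():
    """Constructed sessions exercising each branch of the policy."""
    now = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)

    def ago(**kw):
        return now - timedelta(**kw)

    svc = Session("svc-reporting", "service", ago(hours=1),
                  frozenset({"reports:read"}), last_posture_ok=ago(minutes=5))
    agent = Session("agent-copilot", "agent", ago(hours=1),
                    frozenset({"admin:roles"}), last_posture_ok=ago(minutes=5),
                    approver_active=False)
    human = Session("alice", "human", ago(hours=2),
                    frozenset({"reports:read", "reports:export"}),
                    last_posture_ok=ago(hours=2), last_mfa=ago(hours=2))
    stale = Session("svc-batch", "service", ago(hours=9), frozenset({"reports:read"}))
    return {
        "service-read": decide(svc, "report.view", now),
        "service-export-no-scope": decide(svc, "export.bulk", now),
        "agent-after-approver-left": decide(agent, "admin.role.grant", now),
        "human-export-stale-posture": decide(human, "export.bulk", now),
        "expired-session": decide(stale, "report.view", now),
    }


if __name__ == "__main__":
    for name, (outcome, reasons) in run_scenarios().items():
        print(f"{name}: {outcome} {reasons}")
```

The decision is deliberately cheap and side-effect free so it can sit in front of the SaaS or API action itself; the "challenge" outcome is what turns login-only assurance into continuous authorization, because it forces the session to re-prove posture or identity at the moment the sensitive action is attempted instead of relying on the state recorded at sign-in.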