A control behaviour that blocks access when the authorisation system cannot be reached or cannot make a decision. In agentic environments this is critical because allowing requests during policy outages can turn a temporary control failure into unsupervised model or tool access.
Expanded Definition
Fail-closed enforcement is a control pattern that denies access when a policy engine, authorisation service, or decision point cannot be reached or cannot return a trustworthy answer. In NHI and agentic AI systems, this means the safer default is no tool use, no token issuance, and no privilege escalation until control state is restored.
That distinction matters because it separates resilience from permissiveness. A system may remain available while still refusing to execute high-risk actions, which aligns with NIST Cybersecurity Framework 2.0 principles around protecting access paths and limiting blast radius. In practice, fail-closed enforcement is most relevant where an AI agent can call APIs, retrieve secrets, or request delegated credentials through a policy gate. Definitions vary across vendors when they describe degraded-mode behavior, so the key question is whether denial is automatic when policy state is uncertain. The concept is often paired with zero standing privilege, but it is not the same thing: ZSP governs baseline privilege, while fail-closed governs what happens when the control plane itself is unavailable.
The most common misapplication is treating “service degradation” as a reason to allow tool access, which occurs when teams prioritize continuity over authorization integrity during policy outages.
Examples and Use Cases
Implementing fail-closed enforcement rigorously often introduces availability pressure, requiring organisations to weigh operational continuity against the risk of unsupervised execution when the decision layer is unavailable.
- An AI support agent cannot reach the policy service, so it is prevented from sending emails or modifying tickets until policy evaluation resumes.
- A workload requests a short-lived secret, but the secrets broker is down, so issuance is blocked rather than falling back to cached broad access.
- An agentic workflow attempts a privileged database action, yet the approval engine times out; the request is denied instead of being retried with implicit trust.
- During incident response, a degraded identity service prevents new session creation until administrators verify the trust chain, reducing lateral movement opportunities.
- After a compromise review such as the "LLMjacking: How Attackers Hijack AI Using Compromised NHIs" findings, teams often tighten policy paths so that absent authorization cannot become accidental authorization.
These controls are commonly discussed alongside external guidance such as the NIST Cybersecurity Framework 2.0, especially where availability and access control intersect. The same logic applies to secret handling failures documented in the State of Secrets in AppSec, where fallback behavior can expand exposure instead of containing it.
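The deny-on-uncertainty behaviour in the use cases above can be sketched as a policy gate in front of an agent's tool call. This is an added example, not code from any referenced framework or product; `query_pdp`, the response fields `decision`, `request_id` and `issued_at`, and the 30-second freshness window are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_DECISION_AGE_S = 30  # assumed freshness window; tune per deployment


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def authorize(query_pdp, request, now=time.time):
    """Allow only on an explicit, fresh, request-bound 'allow'; deny otherwise."""
    try:
        resp = query_pdp(request)  # hypothetical client call to the policy engine
    except Exception as exc:  # timeout, connection refused, 5xx, parse error...
        return Verdict(False, f"pdp unavailable: {type(exc).__name__}")
    if not isinstance(resp, dict) or resp.get("decision") not in ("allow", "deny"):
        return Verdict(False, "malformed decision")
    if resp.get("request_id") != request["id"]:
        return Verdict(False, "decision not bound to this request")
    issued = resp.get("issued_at")
    if isinstance(issued, bool) or not isinstance(issued, (int, float)):
        return Verdict(False, "missing timestamp")
    if not 0 <= now() - issued <= MAX_DECISION_AGE_S:
        return Verdict(False, "stale or future-dated decision")
    if resp["decision"] != "allow":
        return Verdict(False, "policy denied")
    return Verdict(True, "policy allowed")


def guarded_call(tool, query_pdp, request, now=time.time):
    """Run the agent's tool only after a positive verdict; never on error."""
    verdict = authorize(query_pdp, request, now)
    if not verdict.allowed:
        return {"executed": False, "reason": verdict.reason}
    return {"executed": True, "result": tool(request)}


# Constructed policy-engine stubs standing in for real outage modes.
def pdp_timeout(req):
    raise TimeoutError("policy service did not answer")

def pdp_cached(req):  # replays an old approval, as a permissive cache would
    return {"decision": "allow", "request_id": req["id"], "issued_at": time.time() - 3600}
```

The only path that returns `allowed=True` is the last line of `authorize`, so every new failure mode is denied by default and the recorded reason can feed outage alerting.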
Why It Matters in NHI Security
Fail-closed enforcement is one of the clearest ways to prevent a temporary control outage from becoming a standing authorization bypass. When non-human identities can act on behalf of systems, humans, or applications, any “allow on error” behavior creates a path for tool abuse, secret theft, or unintended model autonomy. NHIMG research on exposed credentials shows how quickly attackers move when trust boundaries weaken, with AWS credentials sometimes targeted within minutes of exposure, which underscores how little time exists to recover from permissive fallback behavior.
This is especially important for environments that rely on central policy engines, token brokers, or external decision services. If those components fail open, the system may continue operating with stale decisions, expired approvals, or unaudited privilege. That risk is amplified in cases like the DeepSeek breach, where exposed data and credentials can turn an authorization lapse into broader compromise. Fail-closed enforcement also supports the intent of the NIST Cybersecurity Framework 2.0 by preserving control integrity under failure conditions.
Organisations typically encounter the cost of weak fail-closed behavior only after an outage, at which point unauthorized agent actions and credential misuse make the missing control impossible to ignore.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential misuse that fail-open behavior can expose. |
| NIST CSF 2.0 | PR.AC-3 | Access control should enforce authorized access even during service disruption. |
| NIST Zero Trust (SP 800-207) | SC-2 | Zero Trust requires explicit verification rather than implicit trust on failure. |
Block agent access when policy checks fail so credentials are never used without an active authorization decision.