Read-only by default means a system allows inspection and analysis before it permits any state-changing action. For agentic identity workflows, this is a core containment pattern because it prevents an AI assistant from silently altering users, keys, or authentication settings during discovery.
Expanded Definition
Read-only by default is a containment posture for NHI and agentic systems: the identity can inspect resources, query metadata, and evaluate context, but cannot change state until an explicit trust decision grants write scope. In practice, this separates discovery from execution and reduces the chance that an AI agent will create, rotate, revoke, or reconfigure credentials before its intent is validated.
For NHI governance, the term is closely related to least privilege, but it is narrower and more operational. Least privilege describes the end state of entitlement minimisation; read-only by default describes the starting state for every new workflow, session, or tool connection. That distinction matters when agents have access to IAM consoles, secret stores, CI/CD pipelines, or policy engines. The model is also consistent with the NIST Cybersecurity Framework 2.0 emphasis on limiting impact and managing access paths through controlled governance, not open-ended autonomy.
Industry usage is still evolving because vendors apply the label differently. Some mean “query-only,” while others allow safe simulation actions, dry runs, or policy previews. The most common misapplication is treating a read-only label as a UI setting while the underlying API token still has write permissions, which occurs when interface controls are not backed by enforceable credential scope.
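The mismatch described above, a read-only label sitting on a credential whose scope still permits writes, can be checked against the policy itself rather than the interface. The following is an added example, not code from the original page or from any vendor. It assumes AWS-IAM-style policy documents, uses a verb-prefix heuristic to decide what counts as a read, and runs over a constructed inventory with hypothetical identity names.

```python
# Added example. Assumes AWS-IAM-style policy documents; the prefix rule is a heuristic.
READ_PREFIXES = ("get", "list", "describe")
# Reads that still return credential material, so they count as export, not inspection.
SECRET_EXPORTS = {"secretsmanager:getsecretvalue"}

def write_capable_actions(policy):
    """Return every allowed action pattern that is not provably read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:               # allows everything except the listed actions
            findings.append("NotAction")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            verb = action.lower().partition(":")[2]   # "" for a bare "*"
            if action.lower() in SECRET_EXPORTS or not verb.startswith(READ_PREFIXES):
                findings.append(action)
    return findings

def audit(identities):
    """Map each identity labelled read-only to the actions that contradict the label."""
    flagged = ((i["name"], write_capable_actions(i["policy"]))
               for i in identities if i["label"] == "read-only")
    return {name: acts for name, acts in flagged if acts}

def allow(*actions):
    return {"Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Constructed sample inventory (hypothetical identity names).
SAMPLE = [
    {"name": "inventory-agent", "label": "read-only",
     "policy": allow("iam:List*", "iam:GetUser", "secretsmanager:DescribeSecret")},
    {"name": "triage-copilot", "label": "read-only",
     "policy": allow("iam:List*", "secretsmanager:PutSecretValue", "iam:*")},
    {"name": "vault-reader", "label": "read-only",
     "policy": allow("secretsmanager:ListSecrets", "secretsmanager:GetSecretValue")},
    {"name": "rotator", "label": "read-write", "policy": allow("secretsmanager:*")},
]

if __name__ == "__main__":
    for name, actions in audit(SAMPLE).items():
        print(f"{name}: labelled read-only but allows {actions}")
```

Wildcards and partial prefixes are flagged conservatively: anything that cannot be shown to be a read is reported for review.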
Examples and Use Cases
Implementing read-only by default rigorously often introduces friction for automation teams, requiring organisations to balance faster investigation against the extra step of approving write access.
- An AI assistant can inventory service accounts, token age, and rotation status, but cannot disable a secret until a human approves the change.
- A security copilot can query vault posture and compare it against guidance in the Ultimate Guide to NHIs, while remaining unable to export credentials.
- A detection agent can read audit logs and IAM policy documents, but must pass through a gated workflow before modifying RBAC bindings or privilege grants.
- An operator uses a read-only role during incident triage to inspect API key exposure, then escalates to a separate approval path for revocation actions aligned with NIST Cybersecurity Framework 2.0.
- A sandboxed agent is permitted to simulate a secret rotation plan and show the expected blast radius, but not execute the rotation until policy checks succeed.
Used well, this pattern keeps analysis safe while preserving the option to act later. Used poorly, it creates a false sense of control because the system appears cautious even though the credentials behind it remain over-scoped.
Why It Matters in NHI Security
Read-only by default is a practical safeguard against accidental or adversarial state change during early-stage agent interactions. NHI environments fail quickly when tools that only needed visibility are granted write access, especially around secrets, service accounts, and authentication policy. NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, and the Ultimate Guide to NHIs is used as a governance baseline for understanding why containment must start before any privileged action is allowed.
This concept also supports Zero Trust style verification because visibility does not imply authority. A read-only-first pattern helps teams inspect identity state, detect misconfiguration, and prove intent before change. It is especially important when agents interface with secret managers, cloud IAM, and CI/CD systems, where a single mistaken write can cascade into broad compromise. Organisations typically encounter the cost of ignoring this pattern only after an agent has already changed a user, key, or policy during troubleshooting, at which point read-only by default becomes operationally unavoidable to restore control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Read-only-first limits secret exposure and write-capable misuse during NHI discovery. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should enforce least privilege and controlled authorization paths. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification before any privileged action is allowed. |
Map agent and NHI access to least-privilege roles with separate approval for state-changing actions.