A business glossary is the authoritative vocabulary for enterprise terms. It defines what words mean, who owns them, and how they relate to one another, but it does not by itself connect those definitions to live systems or execution logic.
Expanded Definition
A business glossary is the enterprise-controlled vocabulary for business terms, definitions, ownership, and relationships. In data governance and NHI operations, it gives teams a shared language so that “service account,” “credential,” “secret,” or “rotation window” mean the same thing across security, engineering, audit, and operations.
Unlike a data catalog or policy repository, a glossary is about meaning and accountability rather than execution. It can clarify who owns a term, which systems or processes depend on it, and how related terms should be interpreted. That makes it especially useful where NHI governance crosses organisational boundaries and where ambiguity causes inconsistent control application. Definitions vary across vendors, so no single standard governs this yet; the practical test is whether the glossary is authoritative enough to resolve disputes and support downstream policy decisions, as reflected in the NIST Cybersecurity Framework 2.0 emphasis on governance and shared responsibility.
The most common misapplication is treating a glossary as a live control system, which occurs when teams assume a definition alone enforces rotation, access review, or offboarding.
Examples and Use Cases
Implementing a business glossary rigorously often introduces governance overhead, requiring organisations to weigh consistent terminology against the effort of maintaining approvals and ownership.
- An IAM team defines “service account” once, then maps it to standard handling rules for provisioning, review, and retirement across environments.
- A security programme uses the glossary to distinguish “secret,” “token,” and “certificate,” reducing confusion in incident response and audit evidence.
- A data platform team links glossary terms to operational documentation so analysts and engineers use the same language when describing access patterns.
- The Ultimate Guide to NHIs is useful when glossary terms need to reflect NHI lifecycle issues such as visibility, rotation, offboarding, and least privilege.
- Governance owners align glossary entries with the NIST Cybersecurity Framework 2.0 so that business terminology maps cleanly to policy, risk, and control language.
Why It Matters in NHI Security
Business glossary discipline matters because NHI failures often begin with language problems: teams call the same object by different names, ownership is unclear, and critical controls get applied inconsistently. When that happens, a secret may be left untracked, an API key may be exempted from rotation, or an integration owner may not be identified during offboarding. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 96% of organisations store secrets outside secrets managers in vulnerable locations, according to the Ultimate Guide to NHIs.
For NHI governance, a glossary becomes the control plane for language, not the control itself. It helps determine whether a term refers to a credential, an actor, a workload, or a lifecycle event, which then drives the right policy and evidence set. That clarity supports better alignment with the NIST Cybersecurity Framework 2.0 and reduces disputes during review cycles. Organisations typically encounter the cost of a weak glossary only after an incident reveals that no one agreed on who owned the identity, at which point terminology becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Glossaries support governance by standardising enterprise terms and ownership. |
| NIST CSF 2.0 | ID.GV-01 | Shared vocabulary underpins how organisations assign identity governance accountability. |
| OWASP Non-Human Identity Top 10 | | NHI guidance depends on precise definitions for identities, secrets, and ownership. |
Use the glossary to keep NHI terminology consistent across inventory, rotation, and offboarding controls.