A current inventory of identities, roles, entitlements, and effective permissions across environments. In Zero Trust, it is the starting point for deciding what should be trusted, reduced, or continuously verified, because controls cannot govern access that has not been discovered.
Expanded Definition
An identity baseline is the current, evidence-backed snapshot of identities, roles, entitlements, and effective permissions across environments. In NHI programs, it covers service accounts, workload identities, API keys, certificates, and the trust relationships that let software act. It is the operational starting point for decisions about least privilege, segregation of duties, and continuous verification.
Definitions vary across vendors on whether the baseline is a one-time inventory, a continuously updated graph, or a governed control state. NHI Management Group treats it as a living reference point, because permissions drift, secrets rotate, and deployments create new identities faster than manual review can keep up. That makes the baseline more than a list; it is the benchmark used to detect excess access and gaps in ownership. The NIST Cybersecurity Framework 2.0 aligns with this posture by emphasizing asset visibility, access governance, and ongoing risk management.
The most common misapplication is treating the identity baseline as a static export, which occurs when teams freeze access data after a migration or audit and then assume it still reflects reality.
Examples and Use Cases
Implementing an identity baseline rigorously introduces discovery and reconciliation overhead; organisations weigh the benefit of faster, evidence-based access reviews against the cost of keeping the inventory accurate and continuously refreshed.
- A cloud security team builds a baseline of service accounts, attached policies, and last-used timestamps before tightening permissions in production.
- A platform team compares CI/CD tokens against the baseline to find stale credentials that survived a pipeline refactor.
- An incident responder uses the baseline to separate expected machine access from suspicious privilege escalation after a leaked secret is detected in code.
- A governance team validates baseline accuracy against the patterns described in the Ultimate Guide to NHIs and then maps exceptions to change tickets.
- A Zero Trust program uses the baseline to decide which identities should be reduced, continuously verified, or moved to just-in-time access. The OWASP Non-Human Identity Top 10 is useful context when the baseline includes agentic or tool-using software, since such agents act through the same service accounts, tokens, and keys the baseline records.
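The discovery and reconciliation loop these use cases describe, as an added example (not code from the original page or from NHI Management Group): a baseline snapshot is loaded, a later snapshot is compared against it to surface new, removed, stale, unowned, and privilege-grown identities, and an observed action is triaged against the baseline the way an incident responder would. The record schema, the 90-day staleness threshold, and every inventory record below are constructed assumptions, not any provider's export format.

```python
"""Identity baseline: snapshot, drift check, and access triage for NHIs.

Added example, not code from the original page or from NHI Management Group.
Inventory records are constructed; the schema (name, kind, owner, policies,
last_used) is an assumption, not any cloud provider's export format.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

STALE_AFTER = timedelta(days=90)  # assumed threshold; tune per environment


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                   # service_account | workload | api_key | certificate
    owner: str | None           # None = nobody is accountable for this identity
    policies: frozenset[str]    # allowed actions; wildcards permitted ("s3:*")
    last_used: datetime | None  # None = never observed in use


def load_inventory(records: list[dict]) -> dict[str, Identity]:
    """Normalise raw inventory records into a name-keyed snapshot."""
    snapshot: dict[str, Identity] = {}
    for r in records:
        last = r.get("last_used")
        snapshot[r["name"]] = Identity(
            name=r["name"], kind=r["kind"], owner=r.get("owner"),
            policies=frozenset(r.get("policies", [])),
            last_used=datetime.fromisoformat(last) if last else None,
        )
    return snapshot


def check_drift(baseline: dict[str, Identity], current: dict[str, Identity],
                now: datetime) -> dict:
    """Compare a fresh snapshot against the baseline and report drift.

    The baseline is the benchmark: every finding is either an expected change
    that should map to a change ticket, or excess access to remove.
    """
    findings: dict = {"new": [], "removed": [], "privilege_growth": {},
                      "stale": [], "unowned": []}
    findings["new"] = sorted(current.keys() - baseline.keys())       # unreviewed identities
    findings["removed"] = sorted(baseline.keys() - current.keys())   # confirm as deliberate offboarding
    for name in sorted(current):
        ident = current[name]
        if name in baseline:
            added = ident.policies - baseline[name].policies
            if added:
                findings["privilege_growth"][name] = sorted(added)
        if ident.last_used is None or now - ident.last_used > STALE_AFTER:
            findings["stale"].append(name)
        if ident.owner is None:
            findings["unowned"].append(name)
    return findings


def triage_access(baseline: dict[str, Identity], identity: str, action: str) -> str:
    """Classify an observed action against the baseline during an incident."""
    ident = baseline.get(identity)
    if ident is None:
        return "unknown_identity"  # never baselined: treat as suspicious until explained
    if any(fnmatchcase(action, pat) for pat in ident.policies):
        return "expected"          # inside baselined permissions; note that "s3:*" matches anything
    return "beyond_baseline"       # possible privilege escalation or unreviewed grant


# Constructed records: baseline captured before a production tightening effort.
BASELINE_RECORDS = [
    {"name": "ci-deployer", "kind": "service_account", "owner": "platform-team",
     "policies": ["s3:PutObject", "ecs:UpdateService"], "last_used": "2024-12-30T08:00:00+00:00"},
    {"name": "billing-export", "kind": "service_account", "owner": "finance-eng",
     "policies": ["s3:GetObject"], "last_used": "2024-12-15T02:00:00+00:00"},
    {"name": "legacy-backup-key", "kind": "api_key", "owner": None,
     "policies": ["s3:*"], "last_used": "2024-06-01T00:00:00+00:00"},
    {"name": "old-migration-sa", "kind": "service_account", "owner": "data-team",
     "policies": ["rds:DescribeDBInstances"], "last_used": "2024-11-20T00:00:00+00:00"},
]
# Constructed records: the same environment three months later.
CURRENT_RECORDS = [
    {"name": "ci-deployer", "kind": "service_account", "owner": "platform-team",
     "policies": ["s3:PutObject", "ecs:UpdateService", "iam:PassRole"],
     "last_used": "2025-03-31T08:00:00+00:00"},
    {"name": "billing-export", "kind": "service_account", "owner": "finance-eng",
     "policies": ["s3:GetObject"], "last_used": "2024-12-15T02:00:00+00:00"},
    {"name": "legacy-backup-key", "kind": "api_key", "owner": None,
     "policies": ["s3:*"], "last_used": "2024-06-01T00:00:00+00:00"},
    {"name": "canary-bot", "kind": "workload", "owner": None,
     "policies": ["logs:PutLogEvents"], "last_used": "2025-03-30T12:00:00+00:00"},
]
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed review date

if __name__ == "__main__":
    base = load_inventory(BASELINE_RECORDS)
    print(json.dumps(check_drift(base, load_inventory(CURRENT_RECORDS), NOW), indent=2))
    print(triage_access(base, "ci-deployer", "iam:PassRole"))
```

The wildcard case is deliberate: `legacy-backup-key` holding `s3:*` makes any S3 action "expected", so the triage result is only as good as the least-privilege work done on the baseline itself, which is why the drift check flags that key as both stale and unowned.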
Why It Matters in NHI Security
Identity baselines matter because NHI risk usually begins with unknown access, not with a dramatic compromise. If an organisation cannot see which service accounts exist, where secrets are stored, or which permissions are actually in use, it cannot enforce least privilege or prove that access was removed after role changes. NHI Management Group data shows the scale of the problem: only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges, raising the likelihood of unauthorised access and broadening the attack surface.
That is why the baseline is central to breach prevention, cloud governance, and audit readiness. It also gives defenders a way to prioritise remediation: the same baseline that supports steady-state governance can expose emergency conditions after exposure events, third-party integrations, or untracked automation. The Top 10 NHI Issues discussion and the 52 NHI Breaches Analysis both show how unmanaged identity sprawl turns into incident response drag. Organisations typically encounter the need for an identity baseline only after a secret leak, an access review failure, or an investigation into unexplained privileged activity, at which point it becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Comparing a current inventory against the baseline is how identities that survived offboarding, and the excess access they still carry, are discovered and governed. |
| NIST CSF 2.0 | ID.AM; PR.AA | Asset management covers discovering identities, permissions, and relationships; identity and access control requires those entitlements to be managed and reviewed, which depends on an accurate baseline. |
| NIST Zero Trust (SP 800-207) | Sec. 7.3 (identify actors and assets on the enterprise) | Zero Trust migration begins by enumerating the identities and assets that policy must govern, which is exactly what the baseline supplies. |
Build and continuously refresh the NHI inventory before granting, reviewing, or revoking access.