
Runtime Behaviour Baseline

The expected pattern of activity for an identity while it is operating in production. It goes beyond entitlement lists by comparing actual actions, timing, and access paths, which is critical when valid credentials can still be abused.

Expanded Definition

A Runtime Behaviour Baseline is the expected production pattern for a Non-Human Identity, including when it runs, which services it reaches, which APIs it calls, and how it authenticates. It is more dynamic than an entitlement review because it measures what the identity actually does, not only what it is allowed to do. In practice, this baseline helps security teams distinguish ordinary automation from anomalous execution that may signal abuse of a valid service account, token, or API key. That distinction matters because the credential may still be valid even when the behaviour is clearly unsafe.

Definitions vary across vendors on how much history is needed to establish the baseline, how frequently it should be recalculated, and whether it should include seasonal or deployment-driven changes. For a governance-oriented view, NIST Cybersecurity Framework 2.0 emphasizes continuous monitoring and anomaly detection as part of resilient identity operations, which aligns well with behavioural baselining. The most common misapplication is treating the baseline as a one-time inventory snapshot, which occurs when teams confuse static permissions with actual runtime activity.

Examples and Use Cases

Implementing a runtime behaviour baseline rigorously often introduces tuning overhead, requiring organisations to weigh faster anomaly detection against the risk of alert fatigue during legitimate release cycles or batch jobs.

  • A CI/CD service account normally deploys only to one cluster, but a new outbound call pattern appears in a different region. That deviation becomes a priority investigation because the identity is acting outside its established runtime profile.
  • An API key used by an internal data pipeline begins calling administrative endpoints outside its usual window. Baseline monitoring flags the timing shift even though the credential is technically valid.
  • A workload identity starts accessing object storage through an unexpected path after a configuration change. The baseline helps separate approved change from lateral movement or secret misuse.
  • In organisations studying NHI exposure, the Ultimate Guide to NHIs is useful context for why behaviour monitoring complements rotation, visibility, and offboarding controls.
  • For identity and access governance, the NIST Cybersecurity Framework 2.0 supports the operational need to detect and respond to anomalous activity instead of relying only on static entitlements.
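
The deviations in the scenarios above (a deployer reaching a new region, a pipeline key calling administrative operations outside its window, an identity with too little history to judge) can be expressed as a small baselining routine. The following is an added example, not code from the Non-Human & AI Identity Journal or any vendor product: it builds a per-identity baseline of auth method, regions, services, API operations and active UTC hours from a window of historical audit events, then scores new events against it. The pipe-separated log format, the identity names, the services and the thresholds MIN_HISTORY and HOUR_SLACK are all constructed assumptions for illustration.

```python
"""Toy runtime-behaviour baseline for non-human identities (NHIs).

Added example, not code from the Non-Human & AI Identity Journal or any vendor.
It derives a per-identity baseline from historical audit events and scores new
events against it. Log format, principals, services and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed history: timestamp|principal|auth method|region|service|operation
HISTORY = """\
2024-05-01T02:05:11Z|ci-deployer|oidc|eu-west-1|eks|UpdateDeployment
2024-05-01T02:06:40Z|ci-deployer|oidc|eu-west-1|eks|GetDeployment
2024-05-02T02:04:58Z|ci-deployer|oidc|eu-west-1|eks|UpdateDeployment
2024-05-02T03:11:02Z|ci-deployer|oidc|eu-west-1|eks|GetDeployment
2024-05-03T02:05:27Z|ci-deployer|oidc|eu-west-1|eks|UpdateDeployment
2024-05-03T02:07:13Z|ci-deployer|oidc|eu-west-1|eks|GetDeployment
2024-05-01T01:00:03Z|data-pipeline|api_key|eu-west-1|s3|GetObject
2024-05-01T01:00:09Z|data-pipeline|api_key|eu-west-1|s3|PutObject
2024-05-02T01:00:04Z|data-pipeline|api_key|eu-west-1|s3|GetObject
2024-05-02T01:00:10Z|data-pipeline|api_key|eu-west-1|s3|PutObject
2024-05-03T01:00:02Z|data-pipeline|api_key|eu-west-1|s3|GetObject
2024-05-03T01:00:11Z|data-pipeline|api_key|eu-west-1|s3|PutObject
2024-05-03T06:30:00Z|batch-report|api_key|eu-west-1|s3|GetObject
2024-05-04T06:30:00Z|batch-report|api_key|eu-west-1|s3|GetObject
"""

# Constructed new events to score against the baseline built from HISTORY.
NEW_EVENTS = """\
2024-05-04T02:05:30Z|ci-deployer|oidc|eu-west-1|eks|UpdateDeployment
2024-05-04T02:09:02Z|ci-deployer|oidc|us-east-1|eks|UpdateDeployment
2024-05-04T14:21:45Z|data-pipeline|api_key|eu-west-1|iam|CreateAccessKey
2024-05-04T06:30:00Z|batch-report|api_key|eu-west-1|s3|GetObject
2024-05-04T06:31:00Z|report-builder|api_key|eu-west-1|s3|GetObject
"""

MIN_HISTORY = 5  # assumed threshold: below this many events the baseline is too thin to trust
HOUR_SLACK = 1   # assumed tolerance around observed hours, so a job drifting a little does not page


@dataclass
class Event:
    ts: datetime
    principal: str
    auth: str
    region: str
    service: str
    operation: str


@dataclass
class Baseline:
    count: int = 0
    auth_methods: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    services: set = field(default_factory=set)
    operations: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # UTC hours in which the identity was active


def parse_event(line: str) -> Event:
    """Parse one pipe-separated audit line (timestamps are UTC)."""
    ts, principal, auth, region, service, operation = line.strip().split("|")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, principal, auth, region, service, operation)


def build_baselines(log: str) -> dict:
    """Aggregate what each identity actually did, not what it is entitled to do."""
    baselines = defaultdict(Baseline)
    for line in log.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        b = baselines[e.principal]
        b.count += 1
        b.auth_methods.add(e.auth)
        b.regions.add(e.region)
        b.services.add(e.service)
        b.operations.add(e.operation)
        b.hours.add(e.ts.hour)
    return dict(baselines)


def score_event(baselines: dict, e: Event) -> dict:
    """Return {attribute: explanation} for each way `e` departs from its baseline.

    An empty dict means the event fits the established runtime profile. None of
    these checks asks whether the credential is valid: it is, in every case.
    """
    b = baselines.get(e.principal)
    if b is None:
        return {"baseline": f"{e.principal} has never been seen in production"}
    if b.count < MIN_HISTORY:
        return {"history": f"only {b.count} events (< {MIN_HISTORY}); baseline not yet trustworthy"}
    deviations = {}
    if e.auth not in b.auth_methods:
        deviations["auth"] = f"{e.auth} not in {sorted(b.auth_methods)}"
    if e.region not in b.regions:
        deviations["region"] = f"{e.region} not in {sorted(b.regions)}"
    if e.service not in b.services:
        deviations["service"] = f"{e.service} not in {sorted(b.services)}"
    if e.operation not in b.operations:
        deviations["operation"] = f"{e.operation} not in {sorted(b.operations)}"
    usual = {(h + d) % 24 for h in b.hours for d in range(-HOUR_SLACK, HOUR_SLACK + 1)}
    if e.ts.hour not in usual:
        deviations["hour"] = f"{e.ts.hour:02d}Z outside usual hours {sorted(b.hours)}"
    return deviations


def score_line(baselines: dict, line: str) -> dict:
    return score_event(baselines, parse_event(line))


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    for new in NEW_EVENTS.splitlines():
        print(new.split("|")[1], score_line(bl, new) or "fits baseline")
```

Run as a script, the in-window ci-deployer event fits, the us-east-1 call is flagged on region only, the data-pipeline call is flagged on service, operation and hour at once, batch-report is reported as having too little history, and report-builder as having no baseline at all. MIN_HISTORY and HOUR_SLACK are the two knobs that trade detection speed against alert fatigue during release cycles and batch runs; a production implementation would also recalculate the baseline on a schedule and version it alongside deployment changes, which this toy does not do.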

Why It Matters in NHI Security

Runtime Behaviour Baseline matters because valid NHI credentials are frequently the attacker’s preferred path once they have been stolen, copied, or left over after a workload change. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes runtime visibility a practical defence, not a nice-to-have. The same research also reports that only 5.7% of organisations have full visibility into their service accounts, which helps explain why behaviour often goes unexamined until an incident is underway.

When a baseline is missing, security teams may see only successful authentication and miss the real warning sign: unusual access path, odd timing, or a service account doing something its operators never intended. Behavioural baselines also support Zero Trust by assuming that possession of a valid secret does not prove safe use. For broader NHI governance, the Ultimate Guide to NHIs reinforces why visibility, rotation, and least privilege must work together with runtime monitoring.

Organisations typically encounter the need for a runtime behaviour baseline only after a service account is abused in production, at which point the concept becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-06                Behavioural monitoring helps detect anomalous use of NHIs beyond static permissions.
NIST CSF 2.0                     DE.CM                 Continuous monitoring and anomaly detection support runtime behaviour baselining.
NIST Zero Trust (SP 800-207)     -                     Zero Trust requires ongoing verification instead of trusting valid credentials by default.

Monitor NHI activity continuously and investigate deviations from expected production behaviour.