The practice of carrying state, memory, and relevant instructions between agents during a workflow. It keeps tasks coherent, but it also creates a persistence layer for sensitive information, so teams must decide what context can move, what must expire, and what should never be shared.
Expanded Definition
Context management is the discipline of deciding how an agent, AI workflow, or automation chain preserves and shares state across steps without turning every prior instruction into durable memory. In NHI and agentic AI operations, that means separating operational context, such as task progress, tool outputs, and approved constraints, from secrets, personal data, or instructions that should expire once a step is complete. The distinction matters because context often moves faster than the controls around it, especially when multiple agents or MCP-based workflows are involved.
Definitions vary across vendors, but the security principle is consistent: context should be scoped, time-bound, and releasable only to the next component that genuinely needs it. This aligns with least privilege and data minimisation concepts reflected in the NIST Cybersecurity Framework 2.0, even though NIST does not define a single universal “context management” control. The most common misapplication is treating conversation history as reusable authority, which occurs when downstream agents inherit prior prompts, tokens, or approvals without explicit revalidation.
Examples and Use Cases
Implementing context management rigorously often introduces latency and design overhead, requiring organisations to weigh workflow continuity against tighter filtering, retention, and redaction controls.
- A support agent hands a case summary to a billing agent, but strips out API keys, customer secrets, and one-time approvals before transfer.
- An orchestration layer passes only task-relevant memory to the next agent, while discarding expired instructions after completion, following lifecycle guidance in the NHI Lifecycle Management Guide.
- A retrieval workflow keeps policy context available for the duration of a ticket, but blocks the reuse of sensitive prompts in later sessions, reducing accidental persistence.
- A privileged automation chain carries an access decision forward only as a bounded assertion, not as standing authority, consistent with the NIST Cybersecurity Framework 2.0.
- An incident response agent receives only the indicators and timestamps needed to triage a breach, while the original secret values remain isolated and unshared.
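The handoff rules described in the definition above and illustrated by these examples (strip secrets and one-time approvals before transfer, expire stale instructions, forward an access decision only as a scoped, time-bound assertion, and revalidate it downstream) can be expressed as a small filter that sits between agents. The block below is an added example written for this page, not code from NHIMG or any product it references; the classes, agent names (`billing-agent`, `ir-agent`) and sample context entries are constructed for illustration.

```python
"""Context handoff filter between agents (constructed example, not a vendor API)."""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Optional

# Constructed reference time (epoch seconds) so the sample is reproducible offline.
SAMPLE_NOW = 1_700_000_000.0


class ContextClass(Enum):
    OPERATIONAL = "operational"              # task progress, tool outputs, approved constraints
    SECRET = "secret"                        # API keys, tokens, customer secrets
    ONE_TIME_APPROVAL = "one_time_approval"  # valid only for the step that obtained it
    ACCESS_ASSERTION = "access_assertion"    # bounded access decision: scoped and time-limited


@dataclass
class ContextItem:
    key: str
    value: Any
    cls: ContextClass
    created_at: float                      # epoch seconds
    ttl_seconds: Optional[float] = None    # None = no expiry (acceptable only for operational data)
    audience: frozenset = frozenset()      # agent names allowed to receive it; empty = any agent

    def expired(self, now: float) -> bool:
        return self.ttl_seconds is not None and now >= self.created_at + self.ttl_seconds


def handoff(items, to_agent: str, now: float):
    """Return (forwarded items, withheld (key, reason) pairs) for a transfer to `to_agent`.

    The withheld list doubles as an audit record of what did not cross the boundary and why.
    """
    forwarded, withheld = [], []
    for it in items:
        if it.cls is ContextClass.SECRET:
            withheld.append((it.key, "secret: never crosses an agent boundary"))
        elif it.cls is ContextClass.ONE_TIME_APPROVAL:
            withheld.append((it.key, "one-time approval: consumed by the originating step"))
        elif it.expired(now):
            withheld.append((it.key, "expired"))
        elif it.audience and to_agent not in it.audience:
            withheld.append((it.key, f"not scoped to {to_agent}"))
        elif it.cls is ContextClass.ACCESS_ASSERTION and it.ttl_seconds is None:
            withheld.append((it.key, "access assertion without TTL would be standing authority"))
        else:
            forwarded.append(it)
    return forwarded, withheld


def revalidate_assertion(item: ContextItem, required_scope: str, now: float) -> bool:
    """A downstream agent re-checks an inherited access decision instead of trusting it."""
    if item.cls is not ContextClass.ACCESS_ASSERTION or item.expired(now):
        return False
    decision = item.value if isinstance(item.value, dict) else {}
    return decision.get("decision") == "allow" and required_scope in decision.get("scopes", ())


def build_sample_context(now: float):
    """Constructed sample context as a support agent might hold it before a handoff."""
    return [
        ContextItem("case_summary", "Customer disputes invoice 42", ContextClass.OPERATIONAL, now),
        ContextItem("crm_api_key", "placeholder-secret-value", ContextClass.SECRET, now),
        ContextItem("refund_approval_once", "approved-by-supervisor", ContextClass.ONE_TIME_APPROVAL, now),
        ContextItem("billing_read", {"decision": "allow", "scopes": ["read:invoices"]},
                    ContextClass.ACCESS_ASSERTION, now, ttl_seconds=600,
                    audience=frozenset({"billing-agent"})),
        ContextItem("stale_instruction", "Retry the export", ContextClass.OPERATIONAL,
                    now - 3600, ttl_seconds=1800),
        ContextItem("admin_standing", {"decision": "allow", "scopes": ["admin:*"]},
                    ContextClass.ACCESS_ASSERTION, now),   # no TTL: must be refused
        ContextItem("triage_indicators", {"ioc": "placeholder-hash", "seen_at": now},
                    ContextClass.OPERATIONAL, now, ttl_seconds=86400,
                    audience=frozenset({"ir-agent"})),
    ]


if __name__ == "__main__":
    ctx = build_sample_context(SAMPLE_NOW)
    fwd, held = handoff(ctx, "billing-agent", SAMPLE_NOW)
    print("forwarded:", [i.key for i in fwd])
    for key, reason in held:
        print("withheld:", key, "->", reason)
```

Running it with the constructed context forwards only the case summary and the scoped billing assertion to `billing-agent`; the secret, the one-time approval, the expired instruction, the untimed admin assertion and the incident indicators scoped to `ir-agent` are all withheld with a reason. The same assertion fails `revalidate_assertion` once its TTL has passed or when a scope it does not carry is requested, which is the explicit revalidation step the definition calls for.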
For broader NHI governance context, NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows how state transitions, rotation, and offboarding depend on knowing exactly what should persist and what should not.
Why It Matters in NHI Security
Context management becomes a security control because agent workflows frequently handle secrets, delegated permissions, and sensitive instructions that are easy to forward and hard to recall. When context is over-shared, stale, or stored indefinitely, the workflow can silently turn into a persistence layer for compromised credentials, policy bypass, or unauthorised reuse of authority. That is especially dangerous in environments where NHIs already carry excessive privilege; NHIMG reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, as noted in the Ultimate Guide to NHIs.
Governance teams should treat context as an asset with classification, retention, and revocation rules, not as harmless workflow residue. This matters for auditability too, because the question is rarely whether a task succeeded, but whether the right data and permissions were still valid when the next agent used them. The same discipline supports the lifecycle and audit expectations described in NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives.
Organisations typically encounter the impact only after an agent forwards a leaked token, replays an obsolete instruction, or exposes protected context during an incident, at which point addressing context management becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Context sprawl can expose credentials, instructions, and delegated authority across agent workflows. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access maps to controlling what context can be shared and reused. |
| OWASP Agentic AI Top 10 | A1 | Agentic workflows are vulnerable when memory and tool context are reused without boundaries. |
Classify, limit, and expire context so agents never inherit secrets or authority by default.