
Vertex AI identity surface

The set of permissions, credentials, and trust relationships that govern who or what can invoke, tune, deploy, or share models in Vertex AI. It extends beyond cloud administration because model actions can expose data, change behaviour, and move across projects or regions.

Expanded Definition

The Vertex AI identity surface is the practical boundary where cloud IAM, service accounts, tokens, and workload identities determine what can happen to Vertex AI assets. It includes model invocation, fine-tuning, deployment, evaluation, registry access, and sharing across projects or regions. In NHI governance, that matters because a model operation is not just an application action; it can expose data, alter behaviour, or widen access pathways. NIST's Cyber AI Profile (IR 8596) treats AI-related access and lifecycle controls as a distinct risk area, and the same logic applies here. Vendors define "identity surface" differently, but in practice it always means mapping every identity that can touch the AI workflow, not only the console user. NHIMG guidance in the Ultimate Guide to NHIs emphasises that excessive privilege and weak rotation are common failure points across machine identities. The most common misapplication is treating Vertex AI access as ordinary project admin access, which happens when teams ignore model-level permissions, service account delegation, and cross-project sharing.

Examples and Use Cases

Implementing Vertex AI identity surface controls rigorously often introduces more access-design work, requiring organisations to weigh model agility against tighter approval and token handling.

  • A data science team can train a model only through a dedicated service account, while production deployment is limited to a separate release identity with no notebook access.
  • Cross-project model sharing is approved only when the receiving project has an explicit trust relationship and logged entitlement review.
  • Vertex AI endpoint invocation is separated from artifact registry access so that runtime callers cannot also overwrite model versions.
  • Temporary credentials are issued for automated tuning jobs, then revoked immediately after the pipeline finishes, reducing standing access.
  • Identity review is paired with attack-path analysis from the 52 NHI Breaches Analysis and aligned with NIST guidance on AI system risk through the NIST Cyber AI Profile (IR 8596).

These patterns are especially relevant when teams need to distinguish developer access from operational access, or when a model pipeline spans multiple projects, regions, or shared services.
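The separation patterns above can be checked mechanically against a project's IAM policy. The script below is an added example, not code from the journal or from Google; it assumes the policy JSON shape produced by `gcloud projects get-iam-policy --format=json`, a simplified role-to-capability map, and constructed project and service account names.

```python
"""Audit a GCP IAM policy for Vertex AI identity-surface violations (added example).
Assumes the JSON shape of `gcloud projects get-iam-policy --format=json`; the role map is
a simplified reading of Google's predefined roles and all names are constructed."""
import re

# Capabilities each role grants on the identity surface (assumed simplification).
ROLE_CAPS = {
    "roles/aiplatform.admin": {"invoke", "tune", "deploy", "registry_write", "admin"},
    "roles/aiplatform.user": {"invoke", "tune", "deploy"},
    "roles/artifactregistry.writer": {"registry_write"},
    "roles/notebooks.runner": {"notebook"},
    "roles/iam.serviceAccountTokenCreator": {"impersonate"},
}
# Separation patterns from the article: capabilities that must not sit on one identity.
TOXIC_PAIRS = [
    ("runtime-caller-can-overwrite-models", {"invoke", "registry_write"}),
    ("release-identity-has-notebook-access", {"deploy", "notebook"}),
    ("standing-impersonation-plus-deploy", {"impersonate", "deploy"}),
]
WRITE_CAPS = {"tune", "deploy", "registry_write"}
SA_RE = re.compile(r"^serviceAccount:[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")

def audit_identity_surface(policy, project_id, trusted_projects=()):
    """Return sorted (member, finding) tuples; an empty list means no violations."""
    caps = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            caps.setdefault(member, set()).update(ROLE_CAPS.get(binding["role"], set()))
    findings = []
    for member, c in caps.items():
        if "admin" in c and member.startswith("serviceAccount:"):
            findings.append((member, "service-account-holds-aiplatform-admin"))
        findings += [(member, name) for name, pair in TOXIC_PAIRS if pair <= c]
        sa = SA_RE.match(member)  # home project of a service account; users/groups skipped
        if sa and sa.group(1) not in (project_id, *trusted_projects) and c & WRITE_CAPS:
            findings.append((member, "cross-project-write-from-untrusted:" + sa.group(1)))
    return sorted(findings)

# Constructed sample policy: the runtime caller can also overwrite the registry, the release
# identity has notebook access, and a sandbox-project account holds admin on prod.
RUNTIME = "serviceAccount:predict-runtime@ml-prod.iam.gserviceaccount.com"
RELEASE = "serviceAccount:release@ml-prod.iam.gserviceaccount.com"
TUNING = "serviceAccount:tuning@ml-sandbox.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/aiplatform.user", "members": [RUNTIME, RELEASE]},
    {"role": "roles/artifactregistry.writer", "members": [RUNTIME]},
    {"role": "roles/notebooks.runner", "members": [RELEASE]},
    {"role": "roles/aiplatform.admin", "members": [TUNING]},
]}
```

Passing the receiving project in `trusted_projects` models the explicit trust relationship the cross-project sharing pattern requires; against the sample policy the audit returns five findings, and only the sandbox finding disappears once ml-sandbox is trusted.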

Why It Matters in NHI Security

Vertex AI often becomes a high-value NHI target because the identities involved can change models, move data, and trigger downstream automation. If a service account or workload token is overprivileged, an attacker may not just read data but alter model behaviour, deploy a poisoned version, or pivot into adjacent cloud resources. NHIMG research shows how quickly exposed machine credentials are acted on: in the Ultimate Guide to NHIs, 97% of NHIs carry excessive privileges, and 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage. That is why Vertex AI identity design must include secret storage, short-lived access, revocation, and clear delegation boundaries. The Top 10 NHI Issues and the DeepSeek breach both underscore how quickly AI-adjacent exposure becomes a governance problem once credentials or trust chains are mishandled. Organisations typically encounter the consequences only after a model is unexpectedly modified, exfiltration is detected, or an internal token is reused from outside the intended pipeline, at which point addressing the identity surface becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Covers identity sprawl and overprivileged non-human access around AI workloads.
NIST Zero Trust (SP 800-207)     | AC-4                | Zero trust requires explicit policy enforcement for each access path to AI resources.
NIST AI RMF                      |                     | AI risk management includes access, misuse, and lifecycle controls for model operations.

Inventory all Vertex AI machine identities and reduce permissions to the minimum needed for each model action.