
Missing authorization check

A failure where a user or process can perform an action that should have been blocked by role or policy enforcement. In enterprise platforms, this often appears after authentication has succeeded, which makes the gap easy to miss until privileged data or actions are exposed.

Expanded Definition

A missing authorization check is a control failure where the system authenticates a user or process but does not verify whether that identity is allowed to perform the requested action. In NHI and IAM environments, the issue is not the login step itself but the absent or incomplete policy decision that should follow it.

This distinction matters because authorization is separate from authentication, and the gap often appears in API endpoints, service-to-service calls, admin consoles, and agent tool execution paths. Industry usage is still evolving around whether the term should include broken object-level authorization, broken function-level authorization, or broader policy enforcement failures. NHI Management Group treats it as the practical umbrella for any path where an identity is accepted and then allowed to overreach its intended scope. The NIST Cybersecurity Framework 2.0 reinforces that access decisions must be governed and monitored, not assumed after authentication.

The most common misapplication is assuming that an authenticated service account or agent can safely invoke every action the endpoint exposes. This arises when developers reuse the identity context established at login without making a request-specific policy decision for the action and the object actually being requested.

Examples and Use Cases

Enforcing authorization on every request adds latency, design complexity, and policy maintenance overhead, so organisations weigh fine-grained control against development speed. The examples below show what is exposed when that check is skipped.

  • A payment API verifies the caller’s token but fails to confirm ownership of the requested account, allowing an authenticated service to read another tenant’s records.
  • An AI agent is permitted to call a ticketing tool, but the endpoint does not check whether the action requested is within the agent’s approved workflow scope.
  • A CI/CD robot can deploy code, yet the platform omits a function-level check that should block it from changing production secrets.
  • An internal admin portal accepts a valid session from an NHI, but the backend forgets to enforce role-based access control on the delete endpoint.
  • During access review, teams discover that an API key can enumerate resources because the server trusted authentication alone and skipped object-level policy validation.
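The pattern behind the definition above and the first, third and fifth examples in the list, as an added illustration that is not code from the original page or from NHI Management Group: a toy token-authenticated API in which one handler stops at authentication and another makes a per-request policy decision. The tokens, tenants, scope strings and account records are constructed sample data; the scope names and the tenant-ownership model are assumptions chosen for the example.

```python
"""Added example: a toy token-authenticated API in which one handler skips
the per-request authorization decision and a second handler performs it.
Every token, tenant, scope and account below is constructed sample data."""

# Constructed identities: each token maps to a non-human identity with a
# tenant and the scopes that were explicitly granted to it.
TOKENS = {
    "tok-billing": {"subject": "svc-billing", "tenant": "acme",
                    "scopes": {"accounts:read"}},
    "tok-report": {"subject": "svc-report", "tenant": "globex",
                   "scopes": {"accounts:read"}},
    "tok-ci": {"subject": "ci-deployer", "tenant": "acme",
               "scopes": {"deploy:write"}},
}

# Constructed resources: each account belongs to exactly one tenant.
ACCOUNTS = {
    "acc-100": {"tenant": "acme", "balance": 4200},
    "acc-200": {"tenant": "globex", "balance": 999},
}

# Function-level policy: the scope each action requires. Actions that are
# not listed have no policy and are therefore denied.
REQUIRED_SCOPE = {
    "read_account": "accounts:read",
    "delete_account": "accounts:admin",
    "rotate_secret": "secrets:admin",
}

# What each action does once it has been authorized.
ACTIONS = {
    "read_account": lambda acc: {"balance": acc["balance"]},
    "delete_account": lambda acc: {"deleted": True},
    "rotate_secret": lambda _acc: {"rotated": True},
}


def authenticate(token):
    """Authentication only: establishes who is calling, not what they may do."""
    return TOKENS.get(token)


def read_account_vulnerable(token, account_id):
    """Missing authorization check: a valid token is treated as permission to
    read any account, so an authenticated caller from one tenant can read
    another tenant's record (broken object-level authorization)."""
    identity = authenticate(token)
    if identity is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, {"error": "not found"}
    # BUG: account["tenant"] is never compared with identity["tenant"].
    return 200, {"balance": account["balance"]}


def authorize(identity, action, resource=None):
    """Per-request policy decision. Returns None when the call is allowed,
    otherwise the reason it was denied. Default deny: an action without a
    policy entry, or a scope the identity does not hold, is refused."""
    needed = REQUIRED_SCOPE.get(action)
    if needed is None or needed not in identity["scopes"]:
        return "forbidden"
    if resource is not None and resource["tenant"] != identity["tenant"]:
        return "not_owner"
    return None


def handle(token, action, account_id=None):
    """Hardened handler: authenticate, then authorize the specific action
    against the specific object before doing anything with it."""
    identity = authenticate(token)
    if identity is None:
        return 401, {"error": "unauthenticated"}
    resource = None
    if account_id is not None:
        resource = ACCOUNTS.get(account_id)
        if resource is None:
            return 404, {"error": "not found"}
    reason = authorize(identity, action, resource)
    if reason == "not_owner":
        # Another tenant's object is reported exactly like a missing one, so a
        # valid key cannot be used to enumerate which account ids exist.
        return 404, {"error": "not found"}
    if reason is not None:
        return 403, {"error": reason}
    return 200, ACTIONS[action](resource)


if __name__ == "__main__":
    # A globex service reading an acme account: leaks through the
    # vulnerable handler, refused by the hardened one.
    print(read_account_vulnerable("tok-report", "acc-100"))
    print(handle("tok-report", "read_account", "acc-100"))
    # A CI identity that can deploy but was never granted secrets:admin.
    print(handle("tok-ci", "rotate_secret"))
```

Two design choices carry the security point. First, `authorize` is default deny: an action the policy table does not know about is refused even for a valid token, which is what stops a forgotten endpoint from becoming the escalation path. Second, an object owned by another tenant is answered with the same 404 as a nonexistent one, so an authenticated key that passes the function-level check still cannot be used to enumerate which identifiers exist.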

These failures are especially visible in sprawling NHI estates, where the Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, making any missing check more dangerous than it would be for a tightly constrained identity. OWASP guidance on access control and broken authorization patterns is the right external lens when teams need to test whether each endpoint enforces the intended rule set.

Why It Matters in NHI Security

Missing authorization checks are a direct path from a valid identity to unintended impact. In NHI environments, that can mean service accounts reading data across tenants, agents invoking actions outside approval boundaries, or automation quietly escalating privilege through a forgotten endpoint. The operational risk is amplified because NHI credentials are frequently embedded in code, pipelines, and orchestration layers, where the absence of a check may not be obvious during routine testing.

NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which shows how often attackers gain leverage after initial access has already been established. That is why practitioners should pair authorization testing with lifecycle controls, secret governance, and least privilege enforcement, using the Ultimate Guide to NHIs as a reference for broader NHI risk context. The NIST Cybersecurity Framework 2.0 is useful here because it treats access control as an operational discipline, not a one-time configuration.

Organisations typically notice the consequence only after an account has deleted, exfiltrated, or modified something it should never have been able to touch, at which point the missing authorization check can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework, control or reference, and relevance:

  • OWASP Non-Human Identity Top 10, NHI5:2025 Overprivileged NHI: authorization gaps let an NHI exceed its intended scope after authentication, and an over-privileged identity makes every missing check more damaging.
  • NIST CSF 2.0, PR.AA-05: access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed, incorporating least privilege and separation of duties; they are not assumed after login.
  • NIST SP 800-207 (Zero Trust Architecture), Section 2.1 tenets: access to resources is granted per session, and authorization is dynamic and strictly enforced before access is allowed, rather than inherited from a prior authentication.

Verify each request contextually and deny actions lacking explicit policy approval.