An approach that replaces long-lived shared secrets with runtime identity and short-lived credentials. For CI/CD, it means systems authenticate through attested identity instead of copied values that can leak, linger, or be reused outside their intended purpose.
Expanded Definition
Identity-first infrastructure is the design pattern in which workloads, pipelines, and agents prove who they are at runtime before they are allowed to act. In practice, this means replacing copied secrets with attested identity, ephemeral credentials, and policy decisions that are evaluated at request time rather than at deploy time.
For NHI and CI/CD environments, the distinction matters because a credential that exists only briefly is harder to steal, reuse, or accidentally publish. This approach aligns closely with NIST Cybersecurity Framework 2.0 principles for access control and continuous risk management, even though no single standard governs the term itself yet. In industry usage, definitions vary across vendors: some focus on workload identity, others on secretless pipelines, and others on identity federation for agents. NHI Management Group treats identity-first infrastructure as a control model, not a product category.
The most common misapplication is calling any vault-backed secret rotation “identity-first,” which occurs when long-lived credentials still exist and are merely hidden better.
Examples and Use Cases
Implementing identity-first infrastructure rigorously often introduces operational overhead around trust bootstrapping and policy enforcement, requiring organisations to weigh lower secret exposure against more complex runtime verification.
- A CI pipeline mints a short-lived token from workload identity instead of loading a shared deployment key from a config file.
- An AI coding agent authenticates to internal tools through federated identity and scoped entitlements, rather than inheriting a human engineer’s reusable API key.
- A Kubernetes workload proves its identity with attestation before it receives access to a database, reducing the need for static service-account passwords.
- An org replaces hard-coded cloud access keys with just-in-time credentials, then verifies each request against policy and environment context.
- The pattern is reflected in NHI guidance that shows why secrets hidden in code and CI/CD tools still create exposure, as described in the Ultimate Guide to NHIs, and in breach analysis such as 52 NHI Breaches Analysis.
- For implementation detail, teams often combine this model with SPIFFE identities or other workload identity systems that issue verifiable, short-lived credentials.
Why It Matters in NHI Security
Identity-first infrastructure matters because most NHI failures begin with credential persistence, over-broad access, or unmanaged sprawl. NHI Management Group reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, and 80% of identity breaches involve compromised non-human identities such as service accounts and API keys. That combination turns every copied value into a latent access path that can survive deployments, employee turnover, or pipeline compromise.
In security governance terms, the model reduces the blast radius of automation. It supports least privilege, tighter offboarding, and better separation between the actor and the action. The operational question is not whether a secret can be stored safely, but whether the system should rely on a secret at all when a runtime identity can be proven instead. This is especially relevant as agentic AI begins to request infrastructure changes and API access at machine speed, which is why NHI Management Group and CISA Zero Trust Maturity Model guidance both point toward continuous verification. Organisations typically encounter the need for identity-first controls only after a token leak, privileged misuse, or pipeline breach has already made secret-based trust operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity-first design reduces secret sprawl and long-lived credential exposure. |
| NIST CSF 2.0 | PR.AC | Access control and continuous verification are core to identity-first infrastructure. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero trust requires explicit verification before granting access to any resource. |
Replace shared secrets with ephemeral workload identity and verify every machine actor at runtime.
Related resources from NHI Mgmt Group
- What is the difference between network controls and identity controls for infrastructure access?
- Why do AI agents change infrastructure identity governance?
- How should security teams reduce standing privilege in identity-first environments?
- Should organisations prioritise IGA or identity security first?
