The point at which a message, request, or interaction still looks normal to users but no longer matches established identity behaviour. In practice, this is where phishing becomes dangerous because the attacker borrows familiarity while changing the underlying intent or action path.
Expanded Definition
Identity-context drift describes the moment when a request still appears consistent to a person or system user, but the underlying identity signals no longer match established behaviour, trust boundaries, or expected intent. In NHI and agentic AI environments, that mismatch can arise when an authenticated session, token, service account, or agent action is reused outside its normal pattern, even though the interface still looks familiar.
The term sits between phishing, session abuse, and behavioural anomaly, but it is not identical to any one of them. Phishing may create the initial lure, while identity-context drift captures the operational break where trust has been borrowed without preserving context. Industry usage is still evolving, so definitions vary across vendors and security teams. NIST's Cybersecurity Framework 2.0 (CSF 2.0) is useful here because it treats identity assurance, access governance, and anomaly handling as connected control problems rather than isolated events.
The most common misapplication is treating any successful login as legitimate context: teams rely on authentication status alone instead of checking whether the identity's behaviour still fits the approved action path.
Examples and Use Cases
Detecting identity-context drift rigorously adds monitoring overhead and user friction, so organisations have to weigh stronger assurance against alert volume and workflow disruption.
- A service account authenticates normally, but begins calling administrative APIs from a new pipeline stage. The credential is valid, yet the action path no longer matches the approved identity context.
- An OAuth token is reused in a way that mirrors normal collaboration traffic, but the token now drives unexpected data export behaviour. The pattern is familiar, but the intent has shifted. See the Salesloft OAuth token breach for a real-world example of this pattern.
- An AI agent receives tool access that is appropriate in one workflow, then continues operating after the surrounding business context has changed. The agent still “looks” authorised while acting on stale assumptions.
- A developer session stays active after a branch, repo, or deployment target changes. The account identity is unchanged, but the surrounding identity context has drifted away from the original approval.
For broader NHI risk patterns, the 52 NHI Breaches Analysis shows how identity misuse often hides inside routine-looking activity. In implementation terms, the IETF's OAuth 2.0 authorization framework (RFC 6749) and its bearer token usage (RFC 6750) matter because a bearer token grants access to whoever presents it: the token is powerful precisely when the resource server performs no check on who is using it, from where, and for what.
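The four patterns in the list above share one shape: a credential that passes authentication but is used outside the context it was granted for. The following detector is an added example written for this page, not code from any vendor or project it cites. It records, per identity, the sources, actions, targets and approval state that were in force at grant time, then evaluates a constructed event stream in which every event is authenticated and flags only the context mismatches. Principal names, field names and the event data are assumptions constructed for the example.

```python
"""Identity-context drift check over a constructed event stream.

Every event below passes authentication (auth_ok=True). The check deliberately
ignores that and asks whether the calling source, the action, the target and
the surrounding approval still match the context the identity was granted.
Field and principal names are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    """Context an identity was approved for, recorded at grant time."""
    sources: set           # workloads or pipeline stages allowed to use it
    actions: set           # action names the approval covers
    targets: set           # repos, deployment targets or datasets it may touch
    approval_open: bool = True  # False once the workflow behind the grant ended


@dataclass
class Event:
    event_id: str
    principal: str
    auth_ok: bool          # result of the credential check, always True here
    source: str            # where the call actually came from
    action: str
    target: str


# Actions that should never appear without an explicit approval entry.
ADMIN_ACTIONS = {"iam:attach_policy", "iam:create_key", "contacts:export_all"}


def drift_reasons(event: Event, baselines: dict) -> list:
    """Return every way the event departs from its principal's baseline.

    An empty list means the context still matches. A non-empty list is a
    revoke/alert decision even though the credential itself was valid.
    """
    if not event.auth_ok:
        return ["authentication failed"]
    b = baselines.get(event.principal)
    if b is None:
        return ["no approved context on record for this principal"]
    reasons = []
    if not b.approval_open:
        reasons.append("approval context closed; principal is acting on stale assumptions")
    if event.source not in b.sources:
        reasons.append(f"source {event.source!r} outside approved sources {sorted(b.sources)}")
    if event.action not in b.actions:
        kind = "admin" if event.action in ADMIN_ACTIONS else "unlisted"
        reasons.append(f"{kind} action {event.action!r} not in approved actions {sorted(b.actions)}")
    if event.target not in b.targets:
        reasons.append(f"target {event.target!r} outside approved targets {sorted(b.targets)}")
    return reasons


def evaluate(events, baselines):
    """Map each event id to ('allow' | 'revoke', reasons)."""
    out = {}
    for e in events:
        reasons = drift_reasons(e, baselines)
        out[e.event_id] = ("revoke" if reasons else "allow", reasons)
    return out


# Constructed baselines, one per pattern in the list above (not real telemetry).
BASELINES = {
    "svc-deploy": Baseline({"pipeline:build", "pipeline:deploy"}, {"deploy:apply"}, {"staging"}),
    "tok-crm-integration": Baseline({"crm-sync"}, {"contacts:read"}, {"crm"}),
    "agent-ops": Baseline({"workflow:incident-42"}, {"restart_service"}, {"api-gateway"},
                          approval_open=False),  # incident closed, agent still running
    "dev-alice": Baseline({"ide-session"}, {"deploy:apply"}, {"staging"}),
}

EVENTS = [
    Event("e1", "svc-deploy", True, "pipeline:deploy", "deploy:apply", "staging"),     # normal
    Event("e2", "svc-deploy", True, "pipeline:test", "iam:attach_policy", "staging"),  # new stage + admin API
    Event("e3", "tok-crm-integration", True, "crm-sync", "contacts:read", "crm"),      # normal
    Event("e4", "tok-crm-integration", True, "crm-sync", "contacts:export_all", "crm"),  # intent shifted
    Event("e5", "agent-ops", True, "workflow:incident-42", "restart_service", "api-gateway"),  # stale approval
    Event("e6", "dev-alice", True, "ide-session", "deploy:apply", "prod"),             # target drifted
]

if __name__ == "__main__":
    for event_id, (verdict, reasons) in evaluate(EVENTS, BASELINES).items():
        print(event_id, verdict, "; ".join(reasons) or "context matches baseline")
```

Two design points carry over to a real deployment: the baseline is captured when access is approved, not learned from whatever the identity happens to do later (otherwise drift becomes the new normal), and the check reports every mismatch rather than stopping at the first, because an event that both changes source and reaches for an admin API is a stronger signal than either alone.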
Why It Matters in NHI Security
Identity-context drift is dangerous because NHIs and agents are often trusted for speed, automation, and machine-to-machine continuity. If defenders focus only on whether a token is valid, they miss whether the token is being used in the right sequence, by the right workload, for the right purpose. That gap is exactly where attackers hide inside normal-looking telemetry.
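Detection after the fact is one half; the other is refusing the request at the point of use when the token is valid but the workload, audience or purpose no longer match. The block below is an added example for this page, not code from any project it cites. It contrasts a plain bearer check, which stops at signature and expiry, with a context check that also verifies audience, scope and a sender-constraining `cnf` claim of the kind RFC 8705 defines for certificate-bound access tokens (the `x5t#S256` confirmation method from RFC 7800). The HMAC token format, the issuer secret, the request shape and the certificate byte strings are assumptions constructed so the example runs offline; a real `x5t#S256` is a hash of the DER-encoded client certificate, and a real deployment would use a JWT library and the TLS layer's peer certificate.

```python
"""Context-bound access-token check at a resource server.

Added example: the signing routine is a minimal HMAC token, not a real OAuth
server or JWT library, so the block runs offline. 'aud', 'scope' and 'exp'
are standard claims; 'cnf' with 'x5t#S256' is the certificate-bound token
confirmation from RFC 8705 (via RFC 7800). The request shape, the secret and
the certificate bytes are assumptions constructed for this example; a real
x5t#S256 hashes the DER-encoded certificate.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-issuer-key"
NOW = 1_700_000_000  # fixed clock so the scenarios are reproducible


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue(claims: dict) -> str:
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str) -> Optional[dict]:
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def cert_thumbprint(cert: bytes) -> str:
    return b64(hashlib.sha256(cert).digest())


def authorize(token: str, request: dict, now: int = NOW) -> tuple:
    """request = {'aud', 'action', 'client_cert'}; returns (allowed, reason)."""
    claims = verify_signature(token)
    if claims is None:
        return False, "bad signature"
    if claims["exp"] < now:
        return False, "expired"
    # A pure bearer check stops here and says 'valid'. Context checks follow.
    if claims["aud"] != request["aud"]:
        return False, f"audience mismatch: issued for {claims['aud']}, presented to {request['aud']}"
    if request["action"] not in claims["scope"].split():
        return False, f"action {request['action']} outside scope {claims['scope']!r}"
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return False, "token is not sender-constrained; bearer use refused on this API"
    if not hmac.compare_digest(bound, cert_thumbprint(request["client_cert"])):
        return False, "token presented by a workload other than the one it was bound to"
    return True, "context matches"


# Constructed placeholders standing in for client certificates (not real certs).
CRM_SYNC_CERT = b"constructed placeholder for the crm-sync workload certificate"
OTHER_CERT = b"constructed placeholder for some other workload certificate"

BOUND_TOKEN = issue({"sub": "crm-integration", "aud": "crm-api", "scope": "contacts:read",
                     "exp": NOW + 600, "cnf": {"x5t#S256": cert_thumbprint(CRM_SYNC_CERT)}})
BEARER_TOKEN = issue({"sub": "crm-integration", "aud": "crm-api", "scope": "contacts:read",
                      "exp": NOW + 600})


def scenarios() -> dict:
    """Same valid credential, presented in five different contexts."""
    base = {"aud": "crm-api", "action": "contacts:read", "client_cert": CRM_SYNC_CERT}
    return {
        "normal": authorize(BOUND_TOKEN, base),
        "intent_shift": authorize(BOUND_TOKEN, {**base, "action": "contacts:export_all"}),
        "replayed_elsewhere": authorize(BOUND_TOKEN, {**base, "client_cert": OTHER_CERT}),
        "wrong_audience": authorize(BOUND_TOKEN, {**base, "aud": "billing-api"}),
        "plain_bearer": authorize(BEARER_TOKEN, base),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:18} {'allow' if ok else 'deny':5} {reason}")
```

The `replayed_elsewhere` case is the one a signature-only check cannot see: the token is genuine and unexpired, but it is being presented by a different workload than the one it was issued to. The `plain_bearer` case shows the policy decision that follows from it: an API that handles sensitive data can refuse tokens that carry no binding at all, so a leaked token is not usable from an attacker's machine.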
This becomes especially important in environments with large NHI populations. NHI Mgmt Group reports that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means a small amount of drift can produce a large blast radius when privilege, reuse, or delegation is already loose. The Ultimate Guide to NHIs also shows that 97% of NHIs carry excessive privileges, making context-sensitive monitoring more important than static authentication checks alone. This is why the Top 10 NHI Issues treats visibility and privilege control as core governance problems, not optional hygiene.
Organisations typically encounter identity-context drift only after a breach, fraud event, or lateral movement incident, at which point addressing it becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI9:2025 NHI Reuse, NHI5:2025 Overprivileged NHI | Reuse of one NHI across workloads or environments, and NHIs holding more privilege than their task needs, are the conditions under which a valid identity can act outside its expected context. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | PR.AA-01 requires identities and credentials for users, services, and hardware to be managed; PR.AA-05 requires access permissions and authorizations to be defined in policy, enforced, reviewed, and scoped to least privilege. |
| NIST Zero Trust (SP 800-207) | Zero Trust tenets | Assumes no implicit trust after authentication; every access decision is re-evaluated against current identity, workload, and request context, which is exactly the check drift evades when it is missing. |
Tie access decisions to current identity context and revoke when behaviour no longer matches.