Subscribe to the Non-Human & AI Identity Journal

What breaks when transaction controls only evaluate one session at a time?

Per-session controls can approve each request as valid while missing the combined effect across concurrent sessions. That creates a race condition where an attacker can keep every individual payment under threshold but still exceed policy at the account level. The fix is shared-state authorisation that correlates all live sessions before approval.

Why This Matters for Security Teams

Transaction controls that inspect only one session at a time can create a false sense of safety. Each payment, token grant, or API call may look compliant in isolation, while the combined effect across concurrent sessions breaches policy. That gap is especially dangerous in environments where attackers can distribute actions across workers, browser tabs, agents, or service accounts and stay under single-request thresholds until the account-level loss is already real.

For identity-heavy systems, this is not just a fraud problem. It is a shared-state authorisation problem that cuts across NHI governance, session design, and runtime policy enforcement. NHI Mgmt Group notes that 97% of NHIs carry excessive privileges and that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs — Standards, which helps explain why per-session approval often misses aggregate risk. Current guidance in the NIST Cybersecurity Framework 2.0 still points toward outcome-based risk management, but there is no universal standard yet for correlated session authorisation at transaction time.

In practice, many security teams encounter the abuse only after losses accumulate across multiple “valid” sessions, rather than through intentional policy violations caught in real time.

How It Works in Practice

The fix is to move from isolated session checks to shared-state authorisation. Instead of asking, “Is this one request under threshold?”, the control layer asks, “What is the current cumulative exposure for this account, identity, device, or workload across all active sessions?” That requires a centralised view of live state and a policy engine that can evaluate every request against the total in-flight activity, not just the request in front of it.

In practice, teams combine transaction telemetry, session correlation, and policy-as-code. A runtime decision might consider current spend, number of concurrent approvals, recent velocity, geographic anomalies, or whether an NHI, human user, or agent is driving the action. The policy should be evaluated at request time, not pre-baked into static rules that assume one channel per actor. This is consistent with the direction of NIST Cybersecurity Framework 2.0, which emphasises continuous risk visibility, and with NHI lifecycle controls discussed in Ultimate Guide to NHIs — Standards.

  • Correlate sessions to the same account, wallet, token, service principal, or agent identity.
  • Maintain shared counters for cumulative value, frequency, and outstanding approvals.
  • Recompute authorisation on each request using current state, not the state at login.
  • Use short-lived credentials and revoke or pause them when aggregate thresholds are crossed.
  • Log the full decision path so investigators can reconstruct how a threshold was exceeded.

Where this becomes operationally meaningful is in payment flows, API throttling, or machine-to-machine actions where many “small” approvals can combine into one material event. These controls tend to break down when session state is fragmented across regions or microservices because the policy engine cannot see the full live exposure quickly enough.

Common Variations and Edge Cases

Tighter shared-state controls often increase latency and coordination overhead, requiring organisations to balance stronger abuse prevention against transaction speed and system complexity. That tradeoff is real in high-volume environments, especially when multiple channels can touch the same account at once.

There is also no universal standard for how much aggregation is enough. Some teams enforce per-account limits, while others correlate across device, IP, NHI, or payment instrument. Current guidance suggests that the right boundary depends on where the attacker can split activity without changing the true risk. For example, if a single workflow can fan out across several service accounts or automation workers, the control must aggregate across those identities, not just one session. That is why shared-state logic matters as much for non-human actors as for customers, particularly when secrets, tokens, or delegated authority are reused across tools.

Edge cases include offline authorisation, eventual-consistency architectures, and legacy processors that cannot query current global state before approval. In those environments, compensating controls such as stricter limits, delayed settlement, or post-transaction reconciliation may be needed. The practical lesson is simple: if the environment cannot evaluate aggregate exposure before approval, the organisation should assume a per-session check will miss a coordinated threshold breach.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Shared-state checks reduce abuse from overprivileged non-human identities.
NIST CSF 2.0 PR.AC-4 This is a runtime access decision problem across concurrent sessions.
NIST AI RMF Runtime correlation supports trustworthy, context-aware automated decisions.

Correlate live NHI activity before approving a transaction and deny when aggregate exposure exceeds policy.