Subscribe to the Non-Human & AI Identity Journal

Right-sized model

A model selected for the complexity and latency profile of a specific task rather than for general capability. In security pipelines, right-sizing means using larger models for deep reasoning and smaller models for extraction or classification where speed and cost matter more.

Expanded Definition

Right-sized model refers to choosing the smallest model that can reliably complete a security task at the needed quality, latency, and cost profile. In NHI and agentic AI workflows, that usually means separating lightweight extraction or classification from deeper reasoning, summarisation, or policy interpretation. The concept is still evolving across vendors, so there is no single standard that governs model sizing choices; practitioners should treat it as an operating discipline rather than a fixed benchmark.

Right-sizing is different from simply preferring a cheaper model. It requires matching model capability to the task boundary, the sensitivity of the data, and the failure impact if the model is wrong. A small model may be adequate for tagging secrets in logs, while a larger model may be necessary to interpret ambiguous privilege escalation paths or correlate identity events across tools. The governance question is whether the model is fit for purpose, not whether it is impressive on generic tests. The most common misapplication is using a general-purpose large model for routine security classification, which occurs when teams optimise for novelty instead of task-specific risk and response time.

For broader NHI governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.

Examples and Use Cases

Implementing right-sized models rigorously often introduces a routing and validation overhead, requiring organisations to weigh faster execution and lower cost against the complexity of model selection and fallback logic.

  • A small model classifies CI/CD alerts for exposed secrets, while a larger model is reserved for uncertain cases that need contextual reasoning.
  • An agent uses a compact model to extract identity attributes from logs, then escalates to a stronger model when correlating service account activity across multiple systems.
  • Security teams use a lighter model for summarising routine NHI inventory changes, but a deeper model for analysing anomalous privilege changes or suspected token theft.
  • Policy assistants use a smaller model to draft access review notes, then a more capable model to interpret exceptions that involve multiple trust boundaries.

These patterns align with the operational themes in the Ultimate Guide to NHIs, especially where lifecycle visibility and secret hygiene affect downstream decisions. For implementation framing, the NIST Cybersecurity Framework 2.0 reinforces that controls should be selected for risk and function, not for size alone.

Why It Matters in NHI Security

Right-sizing matters because NHI security tasks are uneven. Some are deterministic and high-volume, such as scanning for hardcoded secrets, while others are nuanced, such as reasoning over privilege chains, access exceptions, or agent tool use. If teams use oversized models everywhere, they increase latency, spend, and exposure of sensitive identity data to unnecessary processing. If they use undersized models everywhere, they risk shallow analysis, missed context, and brittle automation.

This matters in the real world because compromised or poorly governed NHIs can amplify small mistakes into broad blast-radius events. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. Right-sized model design helps ensure that automated triage is fast enough to keep pace with those volumes without pushing every decision into an expensive reasoning path. The same operational discipline also supports safer agentic workflows, where model choice should match tool authority and the sensitivity of the decision. Organisations typically encounter the cost of poor model sizing only after alerts pile up, response times slip, or an automated workflow makes a high-impact mistake, at which point right-sized model selection becomes operationally unavoidable to address.

That governance pressure is also reflected in the Ultimate Guide to NHIs, which shows how visibility gaps and secret sprawl compound security failures.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 Agentic guidance emphasizes matching model capability to task risk and tool authority.
NIST AI RMF AI RMF addresses fit-for-purpose model selection, performance, and risk-based deployment.
NIST CSF 2.0 GV.RM-01 Risk management governance supports selecting models based on operational risk and impact.

Choose the smallest model that meets task quality, then reserve stronger reasoning for higher-risk actions.