Subscribe to the Non-Human & AI Identity Journal

Service-to-service trust

The delegated trust relationship that lets one application call another using credentials, tokens, or scoped permissions. In modern cloud environments, this trust becomes a privilege boundary that attackers can abuse for lateral movement if it is not tightly governed.

Expanded Definition

Service-to-service trust is the delegation model that allows one workload, application, or microservice to authenticate to another and obtain an authorised response. In NHI security, it is not just connectivity. It is a decision about which identity is trusted, what it can present, and what actions are valid for that call path.

Definitions vary across vendors, but the core pattern is consistent: a calling service presents a credential, token, certificate, or signed assertion, and the receiving service evaluates both identity and scope before permitting access. That makes service-to-service trust an operational boundary inside distributed systems, not a static property of the network. It should be governed alongside NIST Cybersecurity Framework 2.0 controls for access management, monitoring, and recovery.

Within NHI Management Group guidance, this term sits close to workload identity, secret handling, and least privilege. It is most secure when trust is explicit, narrowly scoped, short-lived, and continuously verified, rather than inherited from a flat internal network assumption. The most common misapplication is treating any internal service as inherently trusted, which occurs when teams rely on network location instead of workload identity and authorization checks.

Examples and Use Cases

Implementing service-to-service trust rigorously often introduces more identity plumbing and policy maintenance, requiring organisations to weigh tighter blast-radius control against added operational complexity.

  • A payment microservice uses a short-lived token to call an invoicing service, with scope limited to one API action and one environment.
  • A Kubernetes workload authenticates with a workload identity rather than a shared API key, reducing secret reuse across pods and namespaces.
  • A build pipeline requests a scoped certificate from a trust broker before reaching artifact storage, preventing long-lived credentials from being embedded in CI/CD.
  • A customer data service accepts calls only from approved internal workloads, with policy tied to service identity instead of source IP alone.
  • A platform team reviews service-to-service dependencies using the Ultimate Guide to NHIs as a baseline for lifecycle, rotation, and offboarding expectations.

Standards-oriented implementations often align with service identity and trust-establishment patterns described by the NIST Cybersecurity Framework 2.0, but no single standard governs this yet across all cloud and platform stacks. In practice, teams combine mTLS, token exchange, policy enforcement, and centralized secrets governance rather than relying on one universal model.

Why It Matters in NHI Security

Service-to-service trust becomes dangerous when it is overbroad, undocumented, or left in place after an application changes. Once an attacker compromises one workload, that trust can become the path to lateral movement, data extraction, and privilege escalation across internal systems. NHIMG research shows that 97% of NHIs carry excessive privileges, and 80% of identity breaches involved compromised non-human identities such as service account and API keys, which makes trust boundaries a primary control point rather than a design detail.

This is why NHI governance must connect trust decisions to credential scope, rotation, visibility, and revocation. The Ultimate Guide to NHIs also notes that only 5.7% of organisations have full visibility into their service accounts, which means many service-to-service relationships cannot be accurately audited when incident response begins. In operational terms, the risk is not just the initial compromise but the hidden trust graph that persists afterward.

Organisations typically encounter the full impact only after a service account is abused in an incident, at which point service-to-service trust becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Covers overprivileged and weakly governed non-human trust relationships.
NIST CSF 2.0 PR.AC-4 Identity-based access control applies directly to workload-to-workload authorization.
NIST Zero Trust (SP 800-207) SC-1 Zero Trust requires explicit verification between services, not implicit internal trust.

Inventory service identities, scope trust narrowly, and remove unnecessary inter-service permissions.