Subscribe to the Non-Human & AI Identity Journal

What do teams get wrong about standardising security telemetry?

The most common mistake is assuming that a single canonical schema can replace analytic design. Standardisation helps teams share and move data, but it does not replace enrichment, entity resolution, or behavioural detection. If the schema becomes the ceiling, the platform becomes easier to integrate but harder to investigate.

Why This Matters for Security Teams

Standardising telemetry is often treated as a procurement or platform problem, but the real risk sits in how security teams interpret identity, events, and sequence. A common schema can make logs easier to transport, yet it can also hide the differences that matter for detection if teams assume normalisation equals understanding. That is especially dangerous in NHI-heavy environments, where service accounts, API keys, and automation paths create activity that looks consistent only on paper.

NHIMG research shows how large the underlying problem is: in the Ultimate Guide to NHIs — Standards, NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. The lesson is not that teams need more fields in a schema, but that they need telemetry that preserves context, provenance, and identity relationships. The NIST Cybersecurity Framework 2.0 reinforces that visibility must support action, not just collection.

In practice, many security teams encounter blind spots only after an investigation has already been slowed by “standardised” data that removed the very details needed to explain what happened.

How It Works in Practice

Effective telemetry standardisation starts with agreeing on transport and core event semantics, then deliberately preserving the raw and derived context needed for analysis. That usually means defining a shared envelope for timestamps, source, actor, target, action, outcome, and environment, while keeping room for enrichment fields that link events to NHI, workload, or session identity. The goal is interoperability without flattening behavioural meaning.

Practitioners usually get better results when they separate three layers:

  • Collection: capture high-fidelity logs, traces, and identity events from source systems before normalisation strips detail.
  • Correlation: enrich with asset, workload, and identity metadata so service accounts, tokens, and agents can be resolved to a stable entity.
  • Detection: write analytics that use context, sequence, and thresholds instead of relying on the schema alone.

This matters because telemetry from NHI systems often needs to answer questions like which token was used, which workload issued it, and whether the action fits prior behaviour. The State of Non-Human Identity Security highlights the operational gap around monitoring and logging, while standards-oriented guidance from the NIST Cybersecurity Framework 2.0 supports building telemetry that is usable for detection and response, not merely compliance reporting.

Teams also need to preserve source-specific fields even when they map to a common schema, because losing vendor-native identifiers, cloud claims, or workload labels makes entity resolution weaker over time. These controls tend to break down in heterogeneous environments where cloud, SaaS, and CI/CD logs are forced into a single lowest-common-denominator model because critical context is discarded during ingestion.

Common Variations and Edge Cases

Tighter standardisation often reduces storage and integration friction, but it also increases the risk of oversimplifying varied telemetry sources, so organisations have to balance operational consistency against investigative depth. Current guidance suggests the best approach is not one universal schema for every use case, but a layered model that standardises what must be shared and preserves what analysts need to reason about behaviour.

There is no universal standard for this yet, especially across cloud control planes, endpoint data, identity logs, and NHI-specific events. A schema that works for SIEM forwarding may be too shallow for threat hunting, and a model built for one cloud provider may fail when multiple identity systems emit different signals about the same workload. That is why some teams maintain a common core while allowing domain extensions for secrets usage, token minting, automation runs, and agent actions.

The most practical exception is high-volume environments where teams are tempted to drop enrichment to control cost. That can be acceptable for low-value events, but not for identity-related telemetry, where missing correlation can turn an explainable sequence into an opaque alert. The Ultimate Guide to NHIs — Standards is useful here because it frames standardisation as a governance aid, not a substitute for lifecycle controls or investigation design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Telemetry must support continuous monitoring, not just data collection.
OWASP Non-Human Identity Top 10 NHI-06 NHI visibility depends on preserving identity context across telemetry sources.
NIST AI RMF AI RMF favours governance and traceability for complex automated behaviour.

Standardise logs enough to monitor assets and identity activity continuously, then keep enrichment for investigations.