Subscribe to the Non-Human & AI Identity Journal

Next Best Action

Next best action is a decision recommendation generated from data and analytics that suggests the most relevant follow-up step for an adviser or system. It is not a decision in itself. The governance requirement is to keep recommendations explainable, reviewable, and separate from final client-facing authority.

Expanded Definition

Next best action is a recommendation layer that prioritises the most relevant follow-up step from available data, policy, and operational context. In NHI and Agentic AI governance, the distinction matters: a next best action can guide an adviser, workflow engine, or AI agent, but it should not itself be treated as final authority. That separation is consistent with control models that emphasise accountable decision-making, such as the NIST Cybersecurity Framework 2.0, where governance, decision rights, and control validation remain explicit responsibilities.

Definitions vary across vendors because the term is used in both customer-engagement analytics and automated operations. In NHI security, it often means a ranked recommendation for actions like rotating a secret, re-authenticating a workflow, escalating to human review, or denying a risky tool call. The key governance question is whether the recommendation is explainable, auditable, and bounded by policy before execution. NHIMG guidance on NHI lifecycle discipline in the Ultimate Guide to NHIs reinforces that decision support only becomes safe when identity visibility and remediation are controlled.

The most common misapplication is treating the recommendation as an automatic approval, which occurs when workflow automation bypasses human review or policy checks.

Examples and Use Cases

Implementing next best action rigorously often introduces latency and governance overhead, requiring organisations to weigh faster automation against stronger reviewability and safer outcomes.

  • A security platform recommends rotating an API key first because it is both stale and publicly exposed, while a human approver validates the change before execution.
  • An AI agent is given a ranked list of approved remediation steps, but it must request confirmation before revoking access or modifying production entitlements.
  • A service desk workflow uses next best action to suggest escalation when an NHI shows excessive privilege and unusual token use, reducing analyst guesswork.
  • A fraud or abuse detection system recommends the least disruptive containment step, such as session step-up or scoped credential quarantine, instead of immediate account disablement.
  • Operational playbooks reference the Ultimate Guide to NHIs alongside the NIST Cybersecurity Framework 2.0 to keep recommendations tied to governance and recovery duties.

In practice, the term is most useful when organisations need to standardise response logic across many identities, systems, or agents without collapsing judgement into automation. It also helps reduce inconsistency in high-volume environments where manual triage is slow or error-prone.

Why It Matters in NHI Security

Next best action becomes important because NHI security failures often move faster than human review. When secrets, service accounts, or AI agents are involved, a poorly framed recommendation can accelerate compromise rather than contain it. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. That makes recommendation quality a governance issue, not just an analytics issue. The Ultimate Guide to NHIs also highlights that only 20% have formal offboarding and key revocation processes, which means the right recommendation is often the difference between cleanup and persistence.

For practitioners, the core risk is false confidence: a system may recommend the right action while still hiding the reason, missing dependencies, or overstating certainty. The most resilient designs keep recommendations explainable, rank them by policy, and preserve human override where business impact is material. Organisations typically encounter the operational urgency of next best action only after a credential leak, privilege abuse, or agentic failure has already triggered an incident, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Next best action must not hide secret exposure, privilege, or lifecycle weaknesses.
OWASP Agentic AI Top 10 Agentic systems need bounded recommendations, human override, and clear action authority.
NIST CSF 2.0 GV.OV-01 Governance and oversight principles apply to decision recommendations and their reviewability.

Define accountable review for next best action outputs and measure whether they are explainable and traceable.