Subscribe to the Non-Human & AI Identity Journal

Entity Graph

An entity graph is a structured model of identities, devices, applications, and relationships across a security environment. It lets teams resolve different identifiers to the same actor, preserving continuity across systems so investigations can follow activity without manual field matching.

Expanded Definition

An entity graph is more than an inventory of accounts. It is a relationship model that connects service accounts, APIs, workloads, devices, certificates, and human operators into a single security view. In NHI security, that continuity matters because the same actor may appear under different identifiers across cloud platforms, CI/CD systems, directory services, and observability tools.

Used well, an entity graph supports identity resolution, privilege analysis, and attack-path reasoning. It helps answer practical questions such as which API key belongs to which workload, which certificate authenticates a microservice, and which human owner can revoke access when the workload changes. This aligns with the visibility and governance goals discussed in Ultimate Guide to NHIs and with the broader asset and identity visibility expectations in NIST Cybersecurity Framework 2.0.

Definitions vary across vendors on how much context must be stored, but the core idea is stable: an entity graph links identifiers to relationships and ownership so security teams can reason about the actor, not just the artifact. The most common misapplication is treating a graph as a static asset list, which occurs when teams model objects without preserving relationship and ownership context.

Examples and Use Cases

Implementing an entity graph rigorously often introduces data-quality and normalization overhead, requiring organisations to weigh investigative speed against ingestion and maintenance cost.

  • During incident response, analysts use the graph to trace a leaked token back to the workload, deployment pipeline, and owner who can rotate it.
  • In cloud IAM reviews, teams compare service-account relationships across accounts and subscriptions to detect duplicated or orphaned NHIs.
  • In CI/CD environments, the graph links build jobs, signing keys, and deployment identities so changes to one control point do not break downstream trust.
  • For third-party access, the graph maps external integrations to the internal API keys and certificates they depend on, reducing blind spots in supply-chain exposure.
  • In detection engineering, analysts correlate one actor across logs even when the same workload appears under different names, IPs, or certificates.

For implementation guidance, security teams often combine graph construction with identity lifecycle controls described in Ultimate Guide to NHIs and reference the identity and access governance concepts in the NIST Cybersecurity Framework 2.0 when deciding which attributes matter operationally.

Why It Matters in NHI Security

Entity graphs matter because NHI risk rarely stays inside one system. A service account may be created in one pipeline, granted access in another, and exposed in a log store somewhere else. Without relationship mapping, organisations miss privilege accumulation, fail to identify stale ownership, and struggle to prove which identities are still active. That is why NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, a gap that directly limits graph accuracy and response speed.

An accurate graph also supports Zero Trust decisions by showing which relationships should exist and which ones are anomalous. It is especially valuable for spotting credential sprawl, cross-environment trust, and hidden dependency chains that can turn a single compromised secret into broad access. The same visibility problems highlighted in Ultimate Guide to NHIs often persist until a breach exposes them.

Organisations typically encounter entity graph urgency only after an incident report reveals they could not determine what a compromised NHI touched, at which point relationship mapping becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Entity graphs support visibility and lifecycle control for non-human identities.
NIST CSF 2.0 ID.AM Asset management depends on knowing identity relationships, not just isolated records.
NIST Zero Trust (SP 800-207) PA Zero Trust policy decisions rely on context about subjects, devices, and relationships.

Feed graph-derived context into policy decisions to verify each access request continuously.