Subscribe to the Non-Human & AI Identity Journal

Evidence graph

An evidence graph is a correlated record of events that keeps relationships between identity, runtime, posture, and endpoint data intact. It helps analysts reconstruct what happened in sequence rather than manually stitching together separate alerts after the fact.

Expanded Definition

An evidence graph is a correlated security record that preserves relationships across identity, runtime, posture, and endpoint signals so analysts can reconstruct sequence, causality, and scope. In NHI operations, it is more than a log index: it links service accounts, API keys, workload identities, and their observed actions into an investigation-ready model. That distinction matters because NIST Cybersecurity Framework 2.0 emphasizes coordinated detection and response, but an evidence graph operationalises that idea for machine identities and agentic workloads. No single standard governs this yet, and vendor implementations vary in how they resolve entities, retain edges, and preserve time order.

The strongest evidence graphs keep provenance intact across multiple data sources, which helps expose whether an API key, workload token, or agent action was the initiating event or merely a downstream effect. They are especially useful when telemetry is fragmented across cloud, CI/CD, endpoint, and identity systems. The most common misapplication is treating a search index or alert timeline as an evidence graph, which occurs when relationships are not preserved and analysts still have to manually stitch events together.

Examples and Use Cases

Implementing an evidence graph rigorously often introduces schema and ingestion overhead, requiring organisations to weigh faster investigations against the cost of normalisation and retention.

  • A compromised service account is linked to a CI/CD token, a container start event, and a secrets access record, allowing investigators to trace the full blast radius.
  • An anomalous agent action is correlated with its delegated permissions, runtime context, and endpoint evidence to show whether the agent acted within scope or under abuse.
  • A leaked API key is tied to first-seen use, geolocation, and downstream privilege escalation, which helps determine whether the exposure was dormant or actively exploited.
  • In cases like the JetBrains GitHub plugin token exposure, a graph can correlate source-control events, token issuance, and subsequent access attempts without relying on separate alert triage.
  • Teams often use the graph alongside identity guidance from NIST Cybersecurity Framework 2.0 to support faster detection, containment, and post-incident reconstruction.

Why It Matters in NHI Security

NHI incidents often fail to look like a single breach at the point of detection. They appear as scattered anomalies: a secret in code, a service account used from an unexpected workload, or an agent invoking a privileged tool chain. An evidence graph turns those fragments into a defensible narrative, which is essential when determining what identity was abused, what data was touched, and what access must now be revoked. That matters because NHI environments are large and fragile: NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts, and poor visibility makes correlation after the fact much harder. In practice, the graph becomes the proof layer that supports containment decisions, forensics, and governance reviews, especially when paired with broader NHI controls described in the Ultimate Guide to Non-Human Identities.

It also helps security teams validate whether a runtime event is an isolated alert or part of a wider identity compromise. The most important lesson is that correlation only becomes urgent after access has already been misused, at which point the evidence graph becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-01 Evidence graphs improve continuous monitoring by correlating multi-source telemetry into one investigation view.
OWASP Non-Human Identity Top 10 NHI-06 Evidence graphs support incident investigation by preserving relationships across NHI events and assets.
NIST Zero Trust (SP 800-207) PA-3 Zero Trust relies on continuous verification informed by correlated identity and context signals.

Use correlated evidence to validate access context continuously and tighten trust decisions during incidents.