Subscribe to the Non-Human & AI Identity Journal

Affirmative Defence

An affirmative defence is a legal argument that can reduce or negate liability after a breach when an organisation can show it used recognised cybersecurity measures. In practice, the defence depends on documented, operational controls, not just policy statements or technology purchase history.

Expanded Definition

An affirmative defence is not a claim that no breach occurred; it is a post-incident legal position that can reduce or negate liability when an organisation can demonstrate it followed recognised cybersecurity practices. In cyber and identity disputes, that usually means showing controls were real, operating, and evidenced over time, not merely described in policy language.

For NHI and agentic environments, the concept becomes practical because service accounts, API keys, tokens, and certificates create measurable control points that can be reviewed against frameworks such as the NIST Cybersecurity Framework 2.0. Definitions vary across jurisdictions and statutes, so there is no single standard governs this yet; legal teams typically assess whether governance, logging, access review, rotation, and revocation processes were consistently enforced. The defence is stronger when evidence shows controls were tested, monitored, and updated rather than inherited from a one-time assessment.

The most common misapplication is treating an affirmative defence as a compliance checkbox, which occurs when organisations rely on policy documents or tool procurement instead of proving control operation.

Examples and Use Cases

Implementing an affirmative defence rigorously often introduces evidentiary overhead, requiring organisations to weigh legal resilience against the cost of continuous documentation, validation, and control testing.

  • A company can show service account ownership, access reviews, and token rotation logs that align with documented cybersecurity practice after an API key compromise.
  • A cloud team retains evidence that secrets were stored in approved vaults, monitored for exposure, and revoked quickly after detection, supporting a stronger post-breach legal position.
  • An organisation references the Ultimate Guide to NHIs to demonstrate lifecycle controls for non-human identities, including offboarding and rotation discipline.
  • A security program maps NHI governance to the NIST Cybersecurity Framework 2.0 to prove that safeguards were not only designed but also operated.
  • Legal and security teams preserve audit trails from CI/CD, vaults, and identity systems so they can reconstruct what control existed before and during the incident.

Because NHI exposures often involve machine credentials rather than human logins, the quality of evidence matters as much as the control itself. NHIMG research shows 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why demonstrable lifecycle control is so often central to this defence. The same research also reports that only 5.7% of organisations have full visibility into their service accounts, making evidentiary gaps a common failure point.

Why It Matters for Security Teams

Security teams should treat affirmative defence as a design constraint, not just a legal afterthought, because weak evidence can turn otherwise good controls into an unpersuasive story after an incident. In NHI-heavy environments, the issue is especially sharp: if secrets are stored outside approved managers, or if rotation and revocation are inconsistent, a post-breach review can quickly reveal that the organisation cannot prove disciplined control operation.

This is where identity governance and legal preparedness meet. NHIMG research reports that 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage, and that 96% store secrets outside secrets managers in vulnerable locations such as code, config files, and CI/CD tools. Those conditions make it difficult to show recognised safeguards were in place when a breach occurred.

Organisations typically encounter the consequence only after regulators, plaintiffs, or insurers ask for evidence of actual control execution, at which point affirmative defence becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV Cyber governance and oversight frame whether safeguards were actually operating.
OWASP Non-Human Identity Top 10 NHI-02 Secret management failures directly undermine proof of effective NHI protection.
NIST SP 800-63 IAL Digital identity assurance concepts inform how strongly identities are validated and governed.

Store, rotate, and revoke secrets with auditable controls that can be evidenced after an incident.