Subscribe to the Non-Human & AI Identity Journal

Custom Field

A custom field is an additional structured value stored alongside a login or record, such as a loyalty number, member ID, or locker code. In identity workflows, custom fields expand the secret model beyond usernames and passwords, so they need the same encryption, ownership, and lifecycle discipline as primary credentials.

Expanded Definition

A custom field is a structured attribute added to an identity, account, token, or record to carry organisation-specific data such as a member ID, badge code, or environment label. In NHI and IAM workflows, it becomes part of the security object model, not a cosmetic note, because automated access decisions, routing, and audit logic may read it. That is why custom fields must be governed with the same discipline as other sensitive identity attributes, including ownership, validation, retention, and encryption where appropriate.

Definitions vary across vendors, especially when custom fields overlap with claims, metadata, tags, or directory attributes. The practical distinction is that a custom field is intentionally user-defined and operationally meaningful, while a primary identity attribute is typically fixed by the system or schema. For governance purposes, the issue is not whether the field is called a claim or attribute, but whether it can influence privilege, workflow, or correlation in a way that affects NHI exposure. The NIST Cybersecurity Framework 2.0 provides the broader governance lens for managing such data within identity processes.

The most common misapplication is treating custom fields as harmless context, which occurs when teams store sensitive values in them without access controls, lifecycle rules, or review.

Examples and Use Cases

Implementing custom fields rigorously often introduces schema and governance overhead, requiring organisations to weigh faster automation against tighter validation, ownership, and review requirements.

  • A service account carries an environment field such as prod or dev, and orchestration tools use it to determine which secrets, endpoints, and approvals the account may reach.
  • A partner integration stores a tenant identifier in a custom field so downstream systems can map requests to the correct customer boundary without embedding the value in code.
  • A physical access workflow records a locker code or badge zone in a custom field, which then becomes part of the audit trail and revocation process.
  • An application uses a member ID custom field to correlate support records and identity events across systems, reducing manual joins during incident response.
  • An NHI program tags a workload with business unit ownership so access reviews and offboarding actions can be assigned to the right accountable team.

Because these fields can steer decisions, they should be treated as governed identity data rather than convenience labels. The NHI Management Group’s Ultimate Guide to NHIs is a useful reference for how identity data expands attack surface when it is not managed as part of the full lifecycle. For implementation patterns, teams often align the field’s purpose with the control intent described in the NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

Custom fields matter because NHI incidents often begin with metadata that was never treated as sensitive. When a field controls routing, entitlement selection, or environment targeting, an attacker who can alter it may shift an identity into a more privileged path without touching the primary credential. Even when it does not directly grant access, a custom field can leak business context, tenancy structure, or operational dependencies that help an attacker plan lateral movement. This is especially relevant where secrets, tokens, and service-account records are spread across platforms, because the field becomes part of the hidden logic that governs how those identities behave.

NHI Mgmt Group notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, which shows how often adjacent identity data is handled casually rather than as governed security material. The same pattern appears with custom fields when teams fail to define ownership or retention. The Ultimate Guide to NHIs highlights why lifecycle control and visibility are essential, especially when identity objects outnumber people and are embedded across automation. Organisations typically encounter the consequences only after a breach, misroute, or failed offboarding event, at which point the custom field becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Custom fields can influence NHI metadata and trust decisions if left uncontrolled.
NIST CSF 2.0 PR.AC-4 Least-privilege access must extend to identity attributes that affect authorization paths.
NIST Zero Trust (SP 800-207) Zero Trust treats identity attributes as inputs to dynamic policy decisions.
NIST AI RMF Risk management must cover structured data that can shape automated decisions.

Validate custom-field-driven context continuously before allowing policy decisions to stand.