Subscribe to the Non-Human & AI Identity Journal

Posture Evidence

Posture evidence is the verifiable signal used to determine whether a device or system meets a security condition such as encryption, antivirus coverage, or policy compliance. If that evidence is unavailable or incomplete, the organisation should treat the device as unverified rather than assuming the control is absent or present.

Expanded Definition

Posture evidence is the verifiable signal a security system uses to determine whether a device, workload, or endpoint satisfies a required condition such as encryption, malware protection, or configuration compliance. In practice, it is the difference between NIST Cybersecurity Framework 2.0-style assurance and assumption: the system needs proof, not just a declaration, before granting access or trust.

Definitions vary across vendors because posture evidence may come from local agents, MDM telemetry, EDR reports, attestation mechanisms, or cloud policy checks. In identity-aware security designs, it is often used as an input to conditional access, zero trust decisions, and device trust scoring. The evidence must be timely, attributable, and hard to spoof, or it loses operational value. This is especially important where Non-Human Identities and agentic tools interact with endpoints, because a compromised workstation can become a launch point for token theft, secret exfiltration, or privilege escalation.

The most common misapplication is treating missing telemetry as proof of non-compliance, which occurs when teams confuse lack of evidence with evidence of absence.

Examples and Use Cases

Implementing posture evidence rigorously often introduces coverage and latency tradeoffs, requiring organisations to weigh stronger access decisions against the cost of collecting, validating, and refreshing signals from every device and workload.

  • A laptop presents encrypted-disk status, OS patch level, and EDR health before it is allowed to access internal SaaS applications.
  • A managed endpoint fails to report a current security agent version, so the access policy treats it as unverified until evidence is refreshed.
  • A cloud workload submits configuration and runtime compliance evidence to prove it still matches approved baselines before it reaches sensitive APIs.
  • An engineering workstation implicated in Code Formatting Tools Credential Leaks is quarantined after stale posture evidence shows the required controls were never confirmed.
  • An extension-heavy developer environment is flagged after Hard-Coded Secrets in VSCode Extensions exposes that device trust alone was not sufficient without evidence of local control state.

In standards terms, posture evidence often aligns with device trust, configuration management, and continuous verification concepts found in NIST Cybersecurity Framework 2.0, but the exact implementation is still evolving across platforms.

Why It Matters for Security Teams

Security teams rely on posture evidence because access decisions are only as trustworthy as the signals behind them. When the evidence pipeline is weak, stale, or easy to falsify, attackers can bypass controls by using an unmanaged device, tampering with local agents, or exploiting blind spots in remote work and third-party access. For NHI governance, this matters because a compromised endpoint can expose secrets, API keys, and service-account credentials that fuel lateral movement and automated abuse.

NHI Management Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes endpoint posture a practical control point rather than a purely administrative signal. That risk becomes sharper when teams discover, too late, that a privileged machine held persistent access while its state had not been verified for days or weeks.

Posture evidence also supports investigations and containment by separating healthy assets from unknown ones during incidents. Organisations typically encounter the real cost only after a breach, outage, or policy exception is abused, at which point posture evidence becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Access control decisions depend on verified trust signals for devices and users.
NIST Zero Trust (SP 800-207) Zero Trust relies on continuous verification of device state before access is granted.
NIST SP 800-53 Rev 5 CM-8 System component inventory and configuration evidence underpin posture validation.
OWASP Non-Human Identity Top 10 NHI governance depends on trustworthy endpoint state before secrets or tokens are used.
NIST SP 800-63 IAL2 Identity assurance relies on reliable evidence about the subject or device being trusted.

Require evidence-based access decisions and deny trust when posture data is missing or stale.