Subscribe to the Non-Human & AI Identity Journal

Closed-By-Default Architecture

Closed-by-default architecture is a containment model where internal pathways, administrative protocols, and sensitive management planes are inaccessible unless explicitly opened for a specific need. It reduces attacker mobility by making reachability temporary, scoped, and easier to audit.

Expanded Definition

Closed-by-default architecture is a containment pattern for NHI and agentic environments in which internal routes, management endpoints, and sensitive control surfaces remain unreachable until a specific request, approval, or policy condition opens them. It is closely related to Zero Trust thinking, but it focuses more narrowly on reachability, reducing the time and scope in which a pathway exists. In practice, the design is most valuable for service-to-service access, administrative planes, and automation targets that should not remain permanently exposed. Guidance across vendors is still evolving, so this term is best treated as an operational pattern rather than a formal standard. It aligns well with least privilege and explicit authorization concepts described in NIST SP 800-53 Rev 5 Security and Privacy Controls. The most common misapplication is treating network segmentation alone as closed-by-default, which occurs when internal ports stay broadly reachable even though perimeter firewalls exist.

Examples and Use Cases

Implementing closed-by-default rigorously often introduces latency and operational friction, requiring organisations to weigh faster automation against tighter control of transient access.

  • Ephemeral admin access to a production cluster is opened only after change approval, then revoked automatically when the task completes.
  • Service accounts cannot reach a secrets store by default; access is granted only for a named workload and a defined time window.
  • An AI agent can call internal tools only after policy evaluation, rather than inheriting broad standing access across the environment.
  • Inbound routes to management APIs stay blocked until a workflow validates source identity, device posture, and business need.
  • Temporary exception handling is documented and audited, with a return to deny-by-default once the ticket closes.

This pattern is especially relevant where NHI sprawl and secret exposure are already present. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, a sign that uncontrolled reachability often outpaces governance. The broader lifecycle risks covered in Ultimate Guide to NHIs show why temporary access is safer than persistent access, especially when paired with policy enforcement from NIST SP 800-53 Rev 5 Security and Privacy Controls.

Why It Matters in NHI Security

Closed-by-default architecture matters because NHI compromise usually escalates through unnecessary reach, not through the initial credential alone. When internal paths remain open, a leaked API key, compromised service account, or abused agent can move laterally, enumerate systems, and reach management functions that were never meant to be continuously available. That is why the control is not just about network hygiene, but about shrinking the blast radius of every non-human identity. NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, which means temporary reachability is often the only practical way to prevent routine overexposure from turning into an incident. The same logic supports zero trust controls such as explicit verification and context-aware authorization in NIST SP 800-207 Zero Trust Architecture, while Ultimate Guide to NHIs frames the broader governance challenge around visibility, rotation, and offboarding. Organisations typically encounter the need for closed-by-default only after a secrets leak or lateral movement event, at which point temporary access controls become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST Zero Trust (SP 800-207) SC-7 Zero Trust requires denying implicit network access and evaluating each request.
NIST CSF 2.0 PR.AA-01 Identity assurance and access control underpin explicit, conditional reachability.
OWASP Non-Human Identity Top 10 NHI-04 Closed-by-default reduces blast radius for over-privileged non-human identities.
NIST SP 800-63 IAL2 Assurance principles support stronger proof before granting privileged access.
OWASP Agentic AI Top 10 A2 Agentic systems need constrained tool access rather than always-on reachability.

Make internal routes and admin paths reachable only after policy checks and explicit authorization.