Subscribe to the Non-Human & AI Identity Journal

Control Graph

A control graph is the relationship map between assets, identities, vendors, policies, and controls. It helps teams understand which systems generate evidence, which owners are accountable, and where drift in one area affects assurance in another.

Expanded Definition

A control graph is a governance map that shows how assets, identities, vendors, policies, and controls relate to one another, so security teams can see where evidence is produced, who owns each decision, and where assurance may break down. In practice, it sits between documentation and operational control: it is more dynamic than a policy register and more security-specific than a generic architecture diagram.

Definitions vary across vendors because some teams use the term for a compliance dependency map, while others use it for a runtime view of control coverage. For NHI and agentic AI environments, that distinction matters because the same control may be enforced by a policy, evidenced by a log source, and owned by a different team altogether. The most useful control graphs tie those layers together rather than treating them separately. NIST Cybersecurity Framework 2.0 is a useful reference point for organising outcomes, especially when mapping governance, protection, and detection responsibilities across a changing environment. For identity-heavy programmes, the graph should also show where credentials, tokens, and service accounts influence downstream risk. The most common misapplication is treating a static spreadsheet as a control graph, which occurs when teams fail to update ownership and evidence links after system changes.

Examples and Use Cases

Implementing a control graph rigorously often introduces maintenance overhead, requiring organisations to weigh faster assurance and clearer accountability against the cost of keeping relationships current as systems change.

  • An NHI programme maps each service account to its owning application, rotation policy, and log source so auditors can trace whether Ultimate Guide to NHIs — Standards expectations are actually enforced.
  • A cloud security team links CSPM findings to the affected asset owner, the compensating control, and the ticketing workflow, so a misconfiguration is not treated as an isolated alert.
  • An AI operations team connects an agent’s tool permissions, approval policy, prompt logging, and fallback controls to understand whether a single failure can cascade across multiple systems.
  • A third-party review maps vendor access to the systems they can reach, the evidence required for each control, and the contract clause that supports remediation when drift is found.
  • A security architecture review uses the graph to show which controls are preventive, detective, or compensating, then verifies whether the evidence source is reliable enough for continuous assurance.

The same idea is reflected in NIST Cybersecurity Framework 2.0, where outcomes are easier to operationalise when ownership and evidence pathways are explicit rather than implied.

Why It Matters for Security Teams

A control graph matters because it turns fragmented control ownership into a traceable system of accountability. Without it, teams often discover that the asset team, the identity team, and the vendor manager all believe someone else is responsible for the same control. That gap is especially dangerous in NHI-heavy environments, where service accounts, API keys, and automation credentials can outnumber human identities by 25x to 50x in modern enterprises, according to NHI Mgmt Group. A control graph helps make those dependencies visible before an audit, incident, or privilege drift event exposes them.

This is also where governance and detection converge. If the graph shows that evidence for a rotation control comes from a log source that is no longer reliable, the control may still exist on paper while assurance has already failed. Security teams need the graph to spot those breaks early, especially when NIST Cybersecurity Framework 2.0-style outcomes are being used to report coverage across multiple domains. Organisations typically encounter the cost of a weak control graph only after an access review, incident, or audit finding reveals that control ownership and evidence were never truly connected.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC, ID.AM, PR.AC CSF frames outcomes for governance, asset visibility, and access control mapping.
NIST SP 800-53 Rev 5 CA-7, CM-8, AC-6 Defines monitoring, inventory, and least-privilege controls often linked in a control graph.
ISO/IEC 27001:2022 A.5.1, A.5.9, A.8.15 ISMS requirements rely on accountable policies, inventories, and logging relationships.
OWASP Non-Human Identity Top 10 NHI governance depends on mapping identities, secrets, and controls across ownership boundaries.
NIST Zero Trust (SP 800-207) SC.FT, PE, IA Zero Trust requires explicit trust relationships and continuous verification across systems.

Tie control evidence to inventories and monitoring so drift is detected and access stays least-privileged.