Entity resolution is the process of determining which accounts, wallets, devices, or records belong to the same real-world actor. It is essential for sanctions and AML programmes because transaction data alone often hides related activity unless it is linked back to a trusted identity model.
Expanded Definition
Entity resolution is the discipline of deciding whether multiple records, accounts, wallets, devices, or identifiers point to the same real-world actor. In sanctions, AML, fraud, and identity governance, it turns fragmented data into a usable trust graph, especially when one person or organisation uses many digital identifiers across systems.
In practice, entity resolution combines deterministic signals such as exact identifiers with probabilistic signals such as shared addresses, behavioural patterns, device fingerprints, and relationship data. Definitions vary across vendors because some teams treat it as a data-quality function, while others place it inside risk scoring, investigation, or identity graph engineering. For security teams, the important distinction is that entity resolution is not simple deduplication. Deduplication removes duplicates inside one dataset; entity resolution decides whether separate records across multiple systems represent the same actor, even when names, identifiers, or transaction paths differ.
That distinction is why NIST Cybersecurity Framework 2.0 is useful as a governance reference for information trust and risk handling, while NIST’s broader identity guidance helps anchor confidence in attributed identities and claims. The most common misapplication is treating matching logic as proof of identity, which occurs when weak signals are accepted as authoritative without validation against a trusted identity model.
Examples and Use Cases
Implementing entity resolution rigorously often introduces false-positive and false-negative tradeoffs, requiring organisations to weigh investigative speed against the risk of merging unrelated actors or missing linked activity.
- AML teams link a customer, a mule account, and a payout wallet that use different onboarding details but share the same device and funding pattern.
- Sanctions screening connects a vendor record in one system to a beneficial owner in another, reducing the chance that related parties stay hidden behind naming variation.
- Fraud analysts unify login accounts, shipping addresses, and payment instruments into a single actor view to identify synthetic identity behaviour.
- NHI teams map service accounts, API keys, and automation jobs to the same workload owner so orphaned access does not look like separate low-risk identities. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, which makes this linkage especially important.
- Threat hunters correlate device, IP, and credential reuse across environments to reveal whether one operator is moving through multiple systems under different records.
For organisations building identity graphs, the NHI context is especially relevant because the same actor may control human and non-human credentials across cloud, code, and operations. Research from Ultimate Guide to NHIs — The NHI Market is a useful reference point when entity resolution must extend beyond people and into service accounts and secrets.
Why It Matters for Security Teams
Security teams depend on entity resolution because controls only work when the organisation knows what, or who, is actually being controlled. Poor resolution creates blind spots in sanctions checks, weakens AML investigations, and fragments incident response by hiding related accounts behind separate records. It also becomes a governance issue when access decisions, monitoring thresholds, or case escalations are made against incomplete identity context.
The risk is not theoretical in non-human identity environments. NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. If those identities cannot be resolved back to a trusted owner or workload, revocation, rotation, and containment become slow and error-prone. The operational implication is that entity resolution supports both preventive control and post-incident attribution.
For governance teams, the NIST Cybersecurity Framework 2.0 helps structure that trust lifecycle, while identity verification guidance from NIST SP 800-63 reinforces the need to distinguish claimed identity from inferred linkage. Organisations typically encounter the full cost of weak entity resolution only after an alert, audit, or enforcement action exposes missed connections, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV | CSF 2.0 governs oversight of information trust and risk decisions tied to entity linkage. |
| NIST SP 800-63 | IAL | Identity assurance levels help separate asserted identity from inferred record matching. |
| NIST AI RMF | AI RMF applies where models score or automate entity matching decisions. | |
| NIST SP 800-53 Rev 5 | IA-4 | Identifier management controls support accurate mapping of records to real actors. |
| OWASP Non-Human Identity Top 10 | NHI guidance highlights ownership, visibility, and lifecycle issues that resolution must support. |
Treat matched records as hypotheses until assurance and evidence meet required identity confidence.