An identity graph is a relationship map that connects identities, assets, data, and permissions so teams can see how access actually flows rather than how it was designed on paper. In NHI programmes, it shows which owner, which system, and which policy boundary each agent or service account is tied to.
Expanded Definition
An identity graph is a relationship layer that connects non-human identities, human owners, workloads, services, data stores, roles, and permissions so access can be analysed as a system, not as isolated accounts. In NHI programmes, that matters because the graph reveals who or what can act on behalf of an agent, which secrets unlock it, and which policy boundary should contain it.
Definitions vary across vendors, but the operational purpose is consistent: surface transitive trust, hidden privilege chains, and stale relationships that a simple inventory cannot show. A useful identity graph typically spans provisioning data, directory data, cloud entitlements, secrets usage, and runtime signals, then normalises them into a view that supports governance and incident response. This is closely aligned with the visibility and least-privilege themes in the Ultimate Guide to NHIs and the identity-breach patterns described in 52 NHI Breaches Analysis. The most common misapplication is treating the identity graph as a static CMDB, which occurs when teams model objects but do not continuously update live entitlements and secret dependencies.
For broader governance context, NIST Cybersecurity Framework 2.0 emphasises asset and access understanding across the organisation, and that same logic applies here when the graph is used to support identity governance and control validation.
Examples and Use Cases
Implementing an identity graph rigorously often introduces data quality and integration overhead, requiring organisations to weigh richer visibility against the cost of continuously reconciling fragmented identity sources.
- Security teams trace a service account from a CI/CD pipeline to the cloud role, secret vault entry, and database schema it can reach, then remove unused edges to reduce blast radius.
- Governance teams identify an AI agent that inherits permissions from a parent application role, but also has direct API key access that bypasses the intended control path.
- During an incident, analysts use the graph to determine which workloads shared a compromised secret and which systems need immediate revocation and rotation.
- Platform teams compare actual access paths with policy design to see where RBAC is too coarse and where JIT or ZSP patterns are needed for high-risk agents.
- Research from the Top 10 NHI Issues shows how missed visibility and entitlement sprawl are common failure points, especially when the graph does not include runtime behaviour.
In standards terms, the access relationships should also be reviewed against NIST Cybersecurity Framework 2.0 so that identity data supports governance, detection, and response rather than sitting as a passive diagram.
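The use cases above all reduce to graph queries: transitive reach from a workload, paths that avoid an intended control point, shared-secret blast radius, and edges nobody has exercised. The following Python is an added worked example, not code from the page or from any vendor product; it builds a small typed graph over constructed sample data (every node, relation name and idle-day count is an assumption for illustration) and answers those four questions. The sample deliberately contains a CI deploy identity that still holds a forgotten legacy role, an AI agent with an API key that sidesteps its inherited application role, and one database password shared by two workloads.

```python
"""Minimal identity graph for NHIs.  Added example; all identities, secrets and
roles below are constructed sample data, not real systems."""
from collections import defaultdict, deque


class IdentityGraph:
    """Directed, typed graph: src -(relation)-> dst.

    Relations used here (assumed vocabulary):
      uses      workload/agent -> secret    (holds the credential)
      unlocks   secret -> principal         (presenting it yields that identity)
      assumes   principal -> role
      inherits  agent -> role               (delegated from a parent application)
      grants    role/principal -> resource
    """

    def __init__(self):
        self.edges = defaultdict(set)   # src -> {(relation, dst)}
        self.kind = {}                  # node -> workload/agent/secret/principal/role/resource
        self.last_used = {}             # (src, dst) -> days since the edge was last exercised

    def add_node(self, name, kind):
        self.kind[name] = kind

    def add_edge(self, src, rel, dst, last_used_days=None):
        self.edges[src].add((rel, dst))
        if last_used_days is not None:
            self.last_used[(src, dst)] = last_used_days

    def reach(self, start):
        """Transitive closure from start: node -> one (shortest) path to it."""
        paths, queue = {start: [start]}, deque([start])
        while queue:
            node = queue.popleft()
            for rel, nxt in sorted(self.edges[node]):
                if nxt not in paths:
                    paths[nxt] = paths[node] + [rel, nxt]
                    queue.append(nxt)
        return paths

    def resources_reachable(self, start):
        """Every 'resource' node a workload can ultimately touch, with the path."""
        return {n: p for n, p in self.reach(start).items()
                if self.kind.get(n) == "resource"}

    def all_paths(self, start, goal):
        """Every simple path start -> goal (DFS; fine for small graphs)."""
        found = []

        def dfs(node, path, seen):
            if node == goal:
                found.append(path)
                return
            for rel, nxt in sorted(self.edges[node]):
                if nxt not in seen:
                    dfs(nxt, path + [rel, nxt], seen | {nxt})

        dfs(start, [start], {start})
        return found

    def bypass_paths(self, start, goal, control):
        """Paths to goal that avoid the node policy says access must flow through."""
        return [p for p in self.all_paths(start, goal) if control not in p]

    def holders_of(self, secret):
        """Workloads/agents that directly hold a secret (who must rotate it)."""
        return sorted(src for src, es in self.edges.items()
                      for rel, dst in es if rel == "uses" and dst == secret)

    def blast_radius(self, secret):
        """Holders of a leaked secret plus everything it transitively unlocks."""
        downstream = sorted(n for n in self.reach(secret) if n != secret)
        return {"holders": self.holders_of(secret), "downstream": downstream}

    def stale_edges(self, max_idle_days):
        """Relationships not exercised within max_idle_days: removal candidates."""
        return sorted((s, d, days) for (s, d), days in self.last_used.items()
                      if days > max_idle_days)


def build_sample_graph():
    """Constructed sample estate (assumed names, not real infrastructure)."""
    g = IdentityGraph()
    kinds = {"workload": ["wl:ci-pipeline", "wl:batch-job", "wl:report-svc"],
             "agent": ["agent:support"],
             "secret": ["secret:ci-deploy-token", "secret:orders-apikey", "secret:shared-db-pass"],
             "principal": ["sa:deploy", "sa:orders-api-admin", "sa:db-user"],
             "role": ["role:deployer", "role:legacy-admin", "role:app-reader"],
             "resource": ["s3:artifacts", "db:orders", "db:customers"]}
    for kind, names in kinds.items():
        for n in names:
            g.add_node(n, kind)
    # CI pipeline -> deploy token -> deploy identity -> roles -> data stores
    g.add_edge("wl:ci-pipeline", "uses", "secret:ci-deploy-token", last_used_days=1)
    g.add_edge("secret:ci-deploy-token", "unlocks", "sa:deploy")
    g.add_edge("sa:deploy", "assumes", "role:deployer", last_used_days=1)
    g.add_edge("sa:deploy", "assumes", "role:legacy-admin", last_used_days=400)  # forgotten
    g.add_edge("role:deployer", "grants", "s3:artifacts")
    g.add_edge("role:deployer", "grants", "db:orders")
    g.add_edge("role:legacy-admin", "grants", "db:customers")
    # AI agent: intended path is the inherited app role; it also holds a direct API key
    g.add_edge("agent:support", "inherits", "role:app-reader")
    g.add_edge("role:app-reader", "grants", "db:orders")
    g.add_edge("agent:support", "uses", "secret:orders-apikey")
    g.add_edge("secret:orders-apikey", "unlocks", "sa:orders-api-admin")
    g.add_edge("sa:orders-api-admin", "grants", "db:orders")
    # One database password shared by two workloads
    g.add_edge("wl:batch-job", "uses", "secret:shared-db-pass")
    g.add_edge("wl:report-svc", "uses", "secret:shared-db-pass")
    g.add_edge("secret:shared-db-pass", "unlocks", "sa:db-user")
    g.add_edge("sa:db-user", "grants", "db:customers")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for res, path in g.resources_reachable("wl:ci-pipeline").items():
        print("ci-pipeline reaches", res, "via", " ".join(path))
    print("agent bypass:", g.bypass_paths("agent:support", "db:orders", "role:app-reader"))
    print("blast radius:", g.blast_radius("secret:shared-db-pass"))
    print("stale edges (>90d):", g.stale_edges(90))
```

Running it shows the CI token reaching db:customers through the unused legacy-admin role, the agent's API-key path to db:orders that never touches role:app-reader, and both batch-job and report-svc as holders of the shared password. Real graphs are larger and `all_paths` is exponential in the worst case, so in production you would bound path length or restrict enumeration to the agent and resource pair under review.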
Why It Matters in NHI Security
Identity graphs matter because NHI risk is rarely caused by one account alone. It is usually the combination of a secret, an overprivileged role, a forgotten integration, and a trusted automation path. Without graph-based visibility, teams miss transitive access and assume a token only reaches one system when it may actually unlock several downstream services. The scale of that gap shows in NHI Mgmt Group's finding that only 5.7% of organisations have full visibility into their service accounts, even though NHIs outnumber human identities by 25x to 50x in modern enterprises. The same visibility gap appears in the breach analysis and response guidance for the Cisco DevHub NHI breach and the JetBrains GitHub plugin token exposure.
For agentic systems, the graph becomes even more important because the identity model for an agent (see the Ultimate Guide to NHIs: What are Non-Human Identities) must show not just what the agent can access, but what delegated authority it inherited and how that authority is bounded. Organisations typically encounter the consequences of a weak identity graph only after a token leak, lateral movement event, or audit failure, at which point the graph becomes operationally unavoidable to reconstruct access and contain damage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage; NHI5:2025 Overprivileged NHI | Linking secrets to the workloads holding them and the identities they unlock shows what a leaked secret exposes and where entitlements exceed need. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations are managed and reviewed under least privilege; the graph supplies the evidence for that review. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (dynamic, per-request access decisions) | Zero Trust requires explicit, continuous verification of access paths, which the graph makes enumerable. |
Map identities, secrets, and privilege paths continuously, then remove stale or excessive relationships.