An identity governance approach that changes access decisions as context changes. Instead of relying only on fixed review cycles, it uses current risk, role, behaviour, and application sensitivity to decide whether access should continue, be reduced, or be revoked.
Expanded Definition
Adaptive Identity is an identity governance pattern that continuously recalculates access based on live context, rather than treating approval as a one-time event. In NHI operations, that context can include workload risk, token age, role drift, application sensitivity, geolocation, and anomalous behaviour. The concept sits between classical IAM and policy-driven Zero Trust, but usage in the industry is still evolving and definitions vary across vendors.
For Non-Human Identity programs, Adaptive Identity is most valuable where static RBAC cannot keep pace with machine-speed change. A service account that is safe in one pipeline stage may become high risk when a deployment shifts to production or when a secret is exposed. That is why the NIST Cybersecurity Framework 2.0 is often used as a governance anchor, while NHI teams map the live access decision to controls, telemetry, and revocation logic. The most common misapplication is equating adaptive access with periodic recertification: organisations that only review entitlements at fixed intervals miss the context shift that actually makes access unsafe.
Examples and Use Cases
Implementing Adaptive Identity rigorously often introduces policy complexity and telemetry dependency, requiring organisations to weigh faster risk response against tighter integration across identity, security, and application platforms.
- A build service account is allowed to deploy only while it is running inside an approved CI/CD runner and only if the associated secret has not appeared in recent leak monitoring. When the context changes, access is reduced or revoked.
- An AI Agent with tool access is granted JIT permissions for a single task window, then loses write access once the workflow completes. This reduces blast radius without forcing permanent overprovisioning.
- A privileged API key is automatically stepped down when the request originates from a new network segment or when behaviour deviates from the baseline described in the Ultimate Guide to NHIs.
- During incident response, a suspicious service account can be constrained to read-only mode while analysts compare logs against patterns documented in the 52 NHI Breaches Analysis.
- Security teams align the decision logic with NIST Cybersecurity Framework 2.0 by feeding identity telemetry into access enforcement, detection, and response workflows.
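As an added illustration (not code from the original page), the decisions in the list above can be expressed as a single policy function over live context. The field names, the 3600-second token-age threshold, and the split between revoke and step-down signals are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    CONTINUE = "continue"  # keep current entitlements
    REDUCE = "reduce"      # step down to read-only
    REVOKE = "revoke"      # drop all access and rotate the secret

@dataclass
class NhiContext:
    """Live signals about one NHI at decision time (constructed fields)."""
    in_approved_runner: bool        # request comes from an approved CI/CD runner
    secret_seen_in_leak_feed: bool  # secret matched recent leak monitoring
    token_age_seconds: int          # age of the presented credential
    known_network_segment: bool     # source segment present in the baseline
    task_window_open: bool          # JIT grant for the current task still valid
    under_investigation: bool = False  # IR team has flagged this identity

@dataclass
class Policy:
    max_token_age_seconds: int = 3600  # assumed threshold, not from the page

def evaluate(ctx: NhiContext, policy: Policy = Policy()) -> tuple[Decision, list[str]]:
    """Return the access decision plus the signals that drove it."""
    reasons: list[str] = []
    # Hard revocation signals: exposed secret or execution outside an approved runner.
    if ctx.secret_seen_in_leak_feed:
        reasons.append("secret appeared in leak monitoring")
    if not ctx.in_approved_runner:
        reasons.append("not running inside an approved CI/CD runner")
    if reasons:
        return Decision.REVOKE, reasons
    # Step-down signals: keep the identity working but drop write access.
    if ctx.under_investigation:
        reasons.append("constrained to read-only during incident response")
    if not ctx.known_network_segment:
        reasons.append("request from a new network segment")
    if ctx.token_age_seconds > policy.max_token_age_seconds:
        reasons.append("token older than policy threshold")
    if not ctx.task_window_open:
        reasons.append("JIT task window has closed")
    if reasons:
        return Decision.REDUCE, reasons
    return Decision.CONTINUE, ["all context signals within policy"]
```

Because the function returns the reasons alongside the decision, the same output can feed both the enforcement point and the detection pipeline, which is the telemetry dependency the section above describes.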
Why It Matters in NHI Security
Adaptive Identity matters because NHIs rarely fail in a neat, human-reviewed sequence. They are often compromised through exposed Secrets, stale privileges, or forgotten integrations that continue to operate long after the original business need has changed. NHIMG research, reported in the Ultimate Guide to NHIs, finds that 97% of NHIs carry excessive privileges, which makes static access models especially dangerous once a workload is compromised.
That risk becomes more severe when access decisions ignore breach signals from adjacent systems. NHI teams frequently use cases such as the Cisco DevHub NHI breach and the JetBrains GitHub plugin token exposure to illustrate how quickly machine identities can be abused once a token or key is in the wrong place. In governance terms, Adaptive Identity supports least privilege, ZSP, and Zero Trust by making access contingent on current risk rather than historical approval. Organisations typically recognise its value only after a secret leak, lateral movement, or abnormal automation event, at which point Adaptive Identity becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret handling and excessive privilege risks common in adaptive access decisions. |
| NIST Zero Trust (SP 800-207) | Core tenets (Section 2.1) | Zero Trust requires dynamic verification of identity and context before access is granted. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management map directly to adaptive entitlement enforcement. |
Continuously re-evaluate NHI privileges and revoke access when risk signals exceed policy thresholds.