Subscribe to the Non-Human & AI Identity Journal

Integrity Check

An integrity check compares a current value with a trusted reference to detect alteration. In practice it helps confirm that a file, record, or package has not changed, but it does not prove the source is trustworthy or the baseline was protected properly.

Expanded Definition

An integrity check is a verification step that compares a current artifact against a trusted reference so teams can detect alteration, corruption, or unexpected change. In NHI security, that artifact may be a package, a config file, an API payload, a model artifact, or a secret-bearing bundle, but the check only tells you whether the current value matches the baseline. It does not prove who created the baseline, whether the reference itself was protected, or whether the object is safe to use.

Definitions vary across vendors when integrity checks are described alongside cryptographic hashes, checksums, or signature validation. In practice, the stronger the trust requirement, the more the industry expects a signed or attested baseline rather than a simple checksum. That distinction matters in workflows aligned to NIST Cybersecurity Framework 2.0, where integrity supports detection and recovery but does not replace authentication, authorization, or provenance controls.

The most common misapplication is treating a successful match as proof of trust, which occurs when teams verify only the current file and ignore how the baseline was established or protected.

Examples and Use Cases

Implementing integrity checks rigorously often introduces operational overhead, requiring organisations to weigh faster deployment and simpler automation against the cost of baseline management, key protection, and false positives during legitimate updates.

  • A CI/CD pipeline hashes a container image before deployment and compares it with the approved digest so altered images are blocked before release.
  • An application checks an API configuration file against a known-good reference after startup to detect tampering in transit or at rest, while the team keeps the reference under change control.
  • A secrets workflow validates that a credential package matches the expected signed bundle before it is injected into a runtime, reducing exposure to silent modification.
  • A service compares incoming payload checksums during inter-service transfer, then escalates to a deeper trust check when the value matches but the source is still unknown.
  • NHIMG’s Ultimate Guide to NHIs is a useful reference when integrity checks are being used to protect service account assets and secret handling paths.
  • For signed artifacts and verification pipelines, teams often pair integrity checks with NIST Cybersecurity Framework 2.0 outcomes that emphasize detection, response, and recovery.

Why It Matters in NHI Security

Integrity checks are critical because NHI ecosystems depend on machine-speed trust decisions. When a token, key file, certificate bundle, policy document, or agent instruction set is modified without detection, an attacker can redirect automation, impersonate a service, or widen access without immediately tripping authentication controls. That is why NHIMG research is so relevant here: only 5.7% of organisations have full visibility into their service accounts, and 79% have experienced secrets leaks, with 77% of those incidents causing tangible damage, according to the Ultimate Guide to NHIs.

Integrity checks are often paired with Ultimate Guide to NHIs guidance on rotation, offboarding, and visibility because altered artifacts can persist when revocation is slow or incomplete. They also support NIST Cybersecurity Framework 2.0 objectives for detection and recovery after suspicious changes. Practitioners should remember that integrity is a control on state, not a guarantee of origin or intent.

Organisations typically encounter the operational impact only after a secret, package, or agent instruction has already been altered, at which point integrity checks become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-06 Covers verification and protection of non-human identity artifacts and their integrity.
NIST CSF 2.0 DE.CM Integrity checks support continuous monitoring for unauthorized changes.
NIST Zero Trust (SP 800-207) SC-7 Zero trust relies on verifying trust signals, including object integrity, before access decisions.
CSA MAESTRO Agentic systems require artifact integrity to prevent unsafe tool use and prompt tampering.
NIST SP 800-63 IAL2 Identity proofing concepts help distinguish integrity from true source trust.

Protect agent inputs, tool descriptors, and configs with signed baselines and change detection.