Subscribe to the Non-Human & AI Identity Journal

OSI Model

A reference model that describes how network communication moves through seven layers, from physical transmission to the application. It helps security teams place controls where traffic is handled, rather than where they assume it is handled.

Expanded Definition

The OSI Model is a seven-layer reference model for understanding where network communication is processed, exposed, or controlled. In NHI security, it is less about packet theory and more about placing controls at the correct layer so service accounts, API keys, certificates, and agent traffic are governed where they actually operate.

Definitions vary across vendors when people apply OSI language to modern cloud and identity stacks, because TLS termination, service meshes, proxies, and application gateways can blur layer boundaries. For that reason, practitioners should treat the model as a placement aid, not as a literal architecture map. Layered thinking is especially useful when correlating network controls with identity controls in standards such as NIST SP 800-53 Rev 5 Security and Privacy Controls and when evaluating how traffic is authenticated, encrypted, inspected, and logged across the stack.

The most common misapplication is assuming a control lives at one OSI layer when it is actually enforced by a neighboring layer or a managed intermediary, which occurs when teams rely on product labels instead of tracing the real traffic path.

Examples and Use Cases

Implementing OSI-layer thinking rigorously often introduces architectural complexity, requiring organisations to weigh clearer control placement against additional operational and troubleshooting overhead.

  • At Layer 4, a firewall may allow or deny traffic between a workload and a database, while the service account used by that workload is governed separately through identity controls and secret rotation.
  • At Layer 6 or 7, a reverse proxy or API gateway may terminate TLS and inspect requests, making it the right place to enforce authentication, rate limits, and token validation for agent calls.
  • During east-west traffic analysis, a security team may use the Ultimate Guide to NHIs to connect service-account visibility gaps with network movement patterns that would otherwise look like ordinary application chatter.
  • When building zero-trust controls, teams often map trust decisions to the layer where identity is asserted, not just where packets are forwarded, aligning with NIST SP 800-53 Rev 5 Security and Privacy Controls guidance on access and monitoring.
  • For certificate-based service authentication, the network path may be visible at lower layers, but the actual trust decision happens higher in the stack where application or transport protections are negotiated.

Why It Matters in NHI Security

OSI literacy matters because NHI failures often begin with misplaced assumptions about where identity, encryption, or authorization is enforced. NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which means many teams cannot reliably tell whether a control failure is occurring at the network, transport, or application layer. That blind spot becomes dangerous when agents, CI/CD systems, or API clients continue to authenticate successfully even after a network boundary has been tightened.

The OSI Model also helps security teams avoid overclaiming coverage. A WAF does not replace credential hygiene, and a private subnet does not eliminate the need for token scoping or certificate rotation. When layered controls are understood correctly, incident responders can isolate whether exposure came from routing, protocol handling, middleware, or application logic. The practical payoff is faster containment and fewer false assumptions about where the compromise originated.

Organisations typically encounter the real importance of OSI mapping only after traffic is intercepted, bypassed, or exfiltrated through a path that the original control design never actually covered, at which point the model becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.PT-4 OSI thinking helps place network protections at the layer where traffic is actually controlled.
NIST SP 800-63 The model supports tracing where authentication occurs versus where transport is merely carried.
NIST Zero Trust (SP 800-207) Zero Trust depends on placing verification at the correct enforcement point across the stack.
OWASP Non-Human Identity Top 10 NHI-01 Layer confusion can hide where NHI credentials are used, stored, or exposed in the request path.
NIST AI RMF Agentic systems rely on layered communication paths that must be understood to manage operational risk.

Map each network control to the real processing layer and verify it still functions after proxies or gateways are added.