Subscribe to the Non-Human & AI Identity Journal

How should security teams reduce data loss when a small number of users drive most incidents?

Focus controls on the identities and workflows that create disproportionate exposure. Use behaviour analytics, tighter approval paths, and targeted monitoring for high-risk users rather than applying the same intensity to every account. The goal is to shrink the blast radius where loss is most likely, while preserving usability for low-risk access patterns.

Why This Matters for Security Teams

When a small number of users account for most data loss events, the problem is rarely “all users are risky.” It is usually a concentration issue: a few identities have broader access, higher transaction volume, or more opportunities to move sensitive data out of approved channels. That makes blanket controls expensive and often ineffective, because the strongest restrictions land on people who are not driving the exposure. Current guidance from NIST Cybersecurity Framework 2.0 supports focusing protection effort where business risk is highest, not only where account counts are largest.

Security teams often miss the operational reality that leakage is usually tied to workflow, not just user identity. A finance approver, support engineer, developer, or executive assistant may have legitimate reasons to handle large volumes of sensitive material, which means the control question is not “who is trusted” but “which paths allow loss to occur.” In practice, that means separating routine access from high-impact actions, and treating data movement, sharing, export, and privilege escalation as distinct risk points. In practice, many security teams encounter the highest-loss identities only after a sensitive transfer, rather than through intentional monitoring.

How It Works in Practice

Effective reduction of data loss starts with identifying the small set of users, roles, and workflows that account for most exposure. Security teams should combine behaviour analytics, data classification, and access telemetry to distinguish ordinary activity from patterns that deserve review. The objective is not to inspect every action equally, but to create sharper controls around the few identities that repeatedly touch regulated, confidential, or high-value information.

In most environments, this means layering controls rather than relying on one mechanism:

  • Use behaviour analytics to flag unusual download volumes, abnormal sharing, bulk exports, or off-hours access.
  • Tighten approval paths for sensitive actions such as external sharing, privilege elevation, and large data transfers.
  • Apply step-up verification or secondary review only where the workflow indicates elevated loss potential.
  • Monitor high-risk users more closely, while keeping low-risk access paths efficient enough to preserve productivity.
  • Review whether the same user needs broad standing access, or whether just-in-time access would reduce unnecessary exposure.

This is also where identity governance matters. If the same few people repeatedly generate incidents, those identities may need more frequent entitlement review, stronger authentication, and better separation of duties. For environments with privileged access, the question is not just who can reach the data, but who can alter settings, create exports, or approve exceptions. Guidance from CISA on data exfiltration is useful here because it frames loss as an observable chain of actions, not a single event.

Telemetry should also be tuned to the path most likely to produce loss. That includes cloud collaboration tools, email forwarding rules, endpoint downloads, API access, and admin consoles. If a small user segment creates the majority of incidents, then logging, alerting, and case management should concentrate on those segments first, with alert thresholds adjusted to reduce noise. These controls tend to break down in highly dynamic environments where users constantly change roles, because risk scoring becomes stale faster than review cycles can update it.

Common Variations and Edge Cases

Tighter control often increases review overhead and can slow legitimate work, requiring organisations to balance data protection against operational friction. That tradeoff becomes more pronounced when the high-risk users are also the most business-critical, such as executives, incident responders, or developers with broad production access. Best practice is evolving here: there is no universal standard for how much monitoring is acceptable, so privacy, labour, and regional regulatory constraints must be considered alongside security needs.

Some users create outsized risk because of temporary context rather than job title. A contractor with short-term admin access, a new hire still learning safe handling practices, or a helpdesk analyst with elevated troubleshooting rights may warrant the same targeted treatment as a permanent power user. In those cases, focus on the workflow that enables the incident, not only the person. If the same action is repeatedly associated with data loss, stronger approval, alerting, and session oversight are justified even when the user population is small.

Where agentic AI or automation can trigger data movement, the identity question extends beyond human users. Current practice suggests those systems should be treated like high-risk actors when they can retrieve, transform, or transmit sensitive data, and their permissions should be constrained accordingly. The most common failure mode is assuming a low headcount means low risk, when in reality a handful of privileged workflows or automated accounts account for most of the damage.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when a few identities drive most loss.
MITRE ATT&CK T1020 Automated exfiltration techniques map to concentrated loss patterns.
OWASP Non-Human Identity Top 10 NHI-03 Privileged non-human identities can become the same small set of high-loss actors.

Review machine identities with broad access and reduce standing permissions where possible.