
Living Evidence

Evidence that is continuously updated and traceable as the environment changes, rather than captured once in a static export. It is valuable in audits because it preserves context and change history, but only if source integrity and chain of custody are maintained.

Expanded Definition

Living Evidence is audit material that stays current as systems, identities, and controls change, rather than freezing a point-in-time export. In NHI governance, that matters because secrets, service accounts, agent permissions, and policy state can shift daily.

The term is not yet governed by a single universal standard, so usage in the industry is still evolving. In practice, it sits at the intersection of evidence collection, change tracking, and chain of custody. A useful reference point is the NIST Cybersecurity Framework 2.0, which emphasizes ongoing governance and repeatable control verification rather than one-time proof. For NHI programs, that means evidence should preserve who changed what, when, and why, while remaining trustworthy enough to support audit, incident response, and remediation.

The most common misapplication is treating a screenshot, CSV export, or one-off report as living evidence when the source system can change immediately after capture.

Examples and Use Cases

Implementing living evidence rigorously often introduces operational overhead, requiring organisations to balance audit confidence against the cost of continuous collection and integrity verification.

  • A vault access log that updates as secrets are rotated, showing the before-and-after state of each credential event, not just a monthly export.
  • An entitlement review for service accounts that remains linked to the source IAM system, so access changes are reflected without manual rework.
  • An incident package that includes immutable references to the original artifact, plus current context about affected agents, tokens, and certificates.
  • A control dashboard aligned to NIST Cybersecurity Framework 2.0 functions, where evidence updates automatically as remediation status changes.
  • A breach review following the kind of secret exposure discussed in the JetBrains GitHub plugin token exposure case, where investigators need a timeline that preserves context across rotation, revocation, and containment.

For NHI teams, this approach is most useful when auditors need to trace a control through multiple identity events, or when an agent’s permissions must be proven at the time of execution and at the time of review.
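The properties described above (a change history that preserves who changed what, when, and why; source integrity; and the gap between a static export and the live state of a credential) can be made concrete with a small hash-chained ledger. This is an added example, not code from the page or from any product it mentions; the `EvidenceLedger` class, its field names, and the sample events are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first record

def _digest(fields: dict) -> str:
    """Canonical SHA-256 of a record's fields (sorted keys, so the hash is reproducible)."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class EvidenceLedger:
    """Append-only, hash-chained log of NHI control events: who changed what, when, and why."""

    def __init__(self):
        self.records = []

    def append(self, ts, actor, subject, before, after, reason):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        fields = {"ts": ts, "actor": actor, "subject": subject,
                  "before": before, "after": after, "reason": reason, "prev": prev}
        self.records.append({**fields, "hash": _digest(fields)})

    def verify(self):
        """(True, None) if hashes, prev-links and before/after continuity hold, else (False, bad index)."""
        expected_prev, last_after = GENESIS, {}
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != expected_prev or _digest(fields) != rec["hash"]:
                return False, i  # record altered after capture, or chain re-ordered
            if rec["subject"] in last_after and rec["before"] != last_after[rec["subject"]]:
                return False, i  # a 'before' that contradicts the previous 'after': lost context
            expected_prev, last_after[rec["subject"]] = rec["hash"], rec["after"]
        return True, None

    def current_state(self):
        """Fold the chain into the latest state of each subject: the 'living' view an auditor reads."""
        return {rec["subject"]: rec["after"] for rec in self.records}

    def drift_from(self, snapshot):
        """Subjects whose live state no longer matches a static export taken earlier."""
        live = self.current_state()
        return {s for s in set(snapshot) | set(live) if snapshot.get(s) != live.get(s)}

def demo_ledger():
    """Constructed sample events for one CI service account (illustrative, not real data)."""
    led = EvidenceLedger()
    led.append("2024-05-01T09:00Z", "vault-rotator", "svc-ci/token", "v1", "v2", "scheduled rotation")
    led.append("2024-05-03T14:20Z", "ir-team", "svc-ci/token", "v2", "v3", "suspected exposure")
    led.append("2024-05-03T14:25Z", "ir-team", "svc-ci/scope", "repo:write", "repo:read", "containment")
    return led
```

`drift_from` is the check a static CSV export cannot perform on itself: it compares the export against the chain as it stands now, while `verify` is the integrity and chain-of-custody check on the evidence itself.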

Why It Matters in NHI Security

Living evidence reduces the gap between what security teams believe is true and what is actually enforced in production. That gap matters because NHI environments move quickly, and stale evidence can hide privilege drift, delayed rotation, weak offboarding, or secret reuse across pipelines and agents.

NHIMG research points to the JetBrains GitHub plugin token exposure as an example of how credential exposure becomes difficult to contain when evidence is fragmented or outdated. The broader picture is just as stark: 71% of NHIs are not rotated within recommended time frames, increasing compromise risk over time. That is why living evidence is not just an audit convenience. It is a control assurance mechanism that supports Zero Trust verification, incident reconstruction, and faster remediation. It also aligns with the operating logic behind identity-centric resilience in the NIST Cybersecurity Framework 2.0.

Organisations typically encounter the need for living evidence only after a breach, failed audit, or disputed control finding, at which point addressing it becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
NIST CSF 2.0                      GV.RM-01              CSF 2.0 expects ongoing risk governance and evidence that reflects current state.
NIST Zero Trust (SP 800-207)      SC-02                 Zero Trust requires continuous verification, which depends on current, trustworthy evidence.
OWASP Non-Human Identity Top 10   NHI-07                NHI guidance stresses traceability for secrets, service accounts, and privileged access.

Use living evidence to prove access, rotation, and policy state continuously, not just at audit time.