TL;DR: NHI enrichment attaches ownership, dependencies, behavioral baselines, and credential relationships to non-human identities so teams can turn scattered logs and alerts into decisions, according to Oasis Security. The deeper shift is that blast radius, anomaly review, and remediation all depend on context that most identity programmes still do not have.
At a glance
What this is: Oasis Security frames NHI enrichment as the process of attaching ownership, dependencies, behavioral baselines, and credential relationships to each non-human identity so scattered signals become actionable decisions.
Why it matters: For IAM, PAM, and security teams, the context gap is what blocks safe rotation, reliable investigation, and realistic blast-radius analysis across NHI, autonomous, and human identity programmes.
👉 Read Oasis Security's analysis of NHI enrichment and identity context
Context
NHI enrichment is the missing context layer for non-human identity governance. A service account, secret, or agent can be visible in one system and still be operationally opaque if ownership, consumers, dependencies, and business impact are not connected back to the identity itself.
That gap matters because identity teams increasingly manage fragmented evidence across IdPs, vaults, SIEMs, and ITSM tools. When context is absent, rotation becomes risky, anomaly detection becomes noisy, and lifecycle decisions become guesswork rather than governance.
Key questions
Q: How should teams enrich non-human identities before rotating credentials?
A: Start by attaching ownership, consumers, downstream resources, and credential relationships to each identity. Rotation is safer when teams know what depends on the secret, which workloads authenticate with it, and what will break if it changes. Without that context, rotation becomes a blind change rather than a governed action.
Q: Why do non-human identities need behavioral baselines?
A: Because the same authentication event can be routine for one identity and suspicious for another. Baselines let teams compare access patterns against the identity's own history, so anomalies are judged in context instead of by generic thresholds. That reduces alert noise and improves investigation quality.
Q: What breaks when ownership is missing for an NHI?
A: Lifecycle governance breaks first, because no one can confidently approve rotation, offboarding, or recertification. Investigation quality also drops, since incidents cannot be routed to the right team quickly. In practice, unowned NHIs become hidden operational risk and persistent access debt.
Q: How can security teams use NHI context to reduce blast radius?
A: They should map every identity to the applications, data stores, and business workflows it can affect, then review those dependencies before making access changes. Blast radius becomes manageable when teams understand who uses the identity, what it reaches, and which services depend on it.
Technical breakdown
Identity graph enrichment for non-human identities
NHI enrichment works by binding multiple evidence streams to the identity object rather than leaving them in separate tools. The graph model in the article links consumers, resources, and secrets so teams can see who is authenticating, what the identity can reach, and which credential connects the two. That architecture matters because a permission set alone does not tell you whether a service principal is still in use, which downstream workloads depend on it, or whether a secret is safe to rotate. The result is a living identity record, not a static inventory.
Practical implication: build a single identity view that ties ownership, usage, and secrets together before changing access.
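The graph model above can be made concrete with a small script. The following is an added example written for this page, not Oasis Security's code: it binds three constructed evidence streams (an IdP entitlement export, a vault export and SIEM authentication events) to one identity object, then answers the three questions the paragraph says a permission set alone cannot: what the identity reaches, what breaks if its secret is rotated, and whether it is still in use. All identity names, secret ids, resources and hostnames are hypothetical.

```python
"""Identity-graph enrichment for non-human identities (added example).

Three constructed evidence streams are bound to one identity node so that
blast radius, rotation impact and staleness can be read off the graph rather
than correlated by hand. Every identifier below is hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP / cloud export: resources each identity is entitled to reach.
IDP_ENTITLEMENTS = {
    "sp-billing-etl": ["s3://billing-raw", "rds://billing-prod"],
    "sp-legacy-report": ["rds://billing-prod"],
}

# Constructed vault export: secret id -> identity that authenticates with it.
VAULT_SECRETS = {
    "sec-etl-key-v3": "sp-billing-etl",
    "sec-report-key-v1": "sp-legacy-report",
}

# Constructed SIEM auth events: (timestamp, identity, secret used, consumer host).
AUTH_EVENTS = [
    ("2026-05-20T02:00:00", "sp-billing-etl", "sec-etl-key-v3", "etl-worker-01"),
    ("2026-05-21T02:00:00", "sp-billing-etl", "sec-etl-key-v3", "etl-worker-02"),
    ("2026-05-26T02:00:00", "sp-billing-etl", "sec-etl-key-v3", "etl-worker-01"),
    ("2026-01-15T09:12:00", "sp-legacy-report", "sec-report-key-v1", "jenkins-old"),
]


def build_graph(entitlements, secrets, events):
    """Bind entitlement, secret and usage evidence to each identity node.

    Returns {identity: {"resources", "secrets", "consumers", "last_seen"}}.
    The IdP stream supplies reach, the vault stream supplies the credential,
    and the SIEM stream supplies who actually authenticates and when.
    """
    graph = defaultdict(lambda: {"resources": set(), "secrets": set(),
                                 "consumers": set(), "last_seen": None})
    for ident, resources in entitlements.items():
        graph[ident]["resources"].update(resources)
    for secret, ident in secrets.items():
        graph[ident]["secrets"].add(secret)
    for ts, ident, secret, consumer in events:
        node = graph[ident]
        node["consumers"].add(consumer)
        node["secrets"].add(secret)  # an observed credential is evidence too
        seen = datetime.fromisoformat(ts)
        if node["last_seen"] is None or seen > node["last_seen"]:
            node["last_seen"] = seen
    return dict(graph)


def blast_radius(graph, identity):
    """Resources and consumers exposed if this identity is abused or removed."""
    node = graph[identity]
    return {"resources": sorted(node["resources"]),
            "consumers": sorted(node["consumers"])}


def rotation_impact(graph, secret):
    """Identities, and the consumers behind them, that break if `secret` rotates."""
    return {ident: sorted(node["consumers"])
            for ident, node in graph.items() if secret in node["secrets"]}


def stale_identities(graph, now_iso, max_idle_days=90):
    """Identities with no observed authentication inside the idle window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(ident for ident, node in graph.items()
                  if node["last_seen"] is None or node["last_seen"] < cutoff)


if __name__ == "__main__":
    g = build_graph(IDP_ENTITLEMENTS, VAULT_SECRETS, AUTH_EVENTS)
    print(blast_radius(g, "sp-billing-etl"))
    print(rotation_impact(g, "sec-etl-key-v3"))
    print(stale_identities(g, "2026-05-27T00:00:00"))
```

Note that `sp-legacy-report` has the same entitlement to `rds://billing-prod` as the ETL principal, yet the graph shows no consumer in the last 90 days; that is the difference between an inventory row and a living identity record, and it is what makes the decommissioning decision defensible.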
Behavioral baselines and NHI anomaly detection
The article describes behavioral enrichment as a baseline model built from consumer groups and observed access patterns. In practice, that means normal is defined by stable signals such as network source, geography, internal versus public access, and credential usage, then compared over rolling windows. This is useful because an access event can be legitimate, suspicious, or both depending on the identity's own history. Without identity-specific baselines, teams either miss real abuse or drown in alerts that lack context.
Practical implication: tune anomaly detection around identity-specific baselines instead of generic event thresholds.
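The point that one event can be routine for one identity and suspicious for another is easiest to see in code. The following is an added example for this page, not Oasis Security's code: it learns a per-identity baseline from a training window of constructed authentication events using the stable signals the paragraph lists (source network, region, internal versus public path, credential used), then scores events in the review window against that identity's own history. Identities, addresses, regions and the 7-day window are hypothetical, and the source-network feature assumes IPv4.

```python
"""Identity-specific behavioral baselines for NHI anomaly review (added example).

A baseline is a per-identity set of observed values for each stable signal,
built over a rolling training window. A later event is scored by which signals
fall outside that identity's own history, not by a global threshold.
"""
import ipaddress
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical corporate range

# Constructed auth events: (identity, timestamp, source IP, region, credential id).
EVENTS = [
    ("sp-billing-etl", "2026-05-01T02:00:00", "10.20.1.5", "eu-west-1", "sec-etl-key-v3"),
    ("sp-billing-etl", "2026-05-02T02:00:00", "10.20.1.6", "eu-west-1", "sec-etl-key-v3"),
    ("sp-billing-etl", "2026-05-03T02:00:00", "10.20.1.5", "eu-west-1", "sec-etl-key-v3"),
    ("sp-vendor-sync", "2026-05-01T14:00:00", "203.0.113.10", "us-east-1", "sec-vendor-key-v1"),
    ("sp-vendor-sync", "2026-05-02T14:05:00", "203.0.113.11", "us-east-1", "sec-vendor-key-v1"),
    # Review window: the same public source is alarming for one identity, routine for the other.
    ("sp-billing-etl", "2026-05-10T03:00:00", "203.0.113.10", "us-east-1", "sec-etl-key-v3"),
    ("sp-vendor-sync", "2026-05-10T14:00:00", "203.0.113.12", "us-east-1", "sec-vendor-key-v1"),
]


def classify_path(ip):
    """Internal versus public access path, from the source address."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "public"


def features(ip, region, cred):
    """The stable signals a baseline is built from (IPv4 /24 for the network)."""
    return {
        "source_net": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
        "path": classify_path(ip),
        "region": region,
        "credential": cred,
    }


def build_baselines(events, window_end, window_days=7):
    """Per-identity observed-value sets over [window_end - window_days, window_end)."""
    end = datetime.fromisoformat(window_end)
    start = end - timedelta(days=window_days)
    baselines = {}
    for ident, ts, ip, region, cred in events:
        when = datetime.fromisoformat(ts)
        if not (start <= when < end):
            continue
        profile = baselines.setdefault(ident, {})
        for name, value in features(ip, region, cred).items():
            profile.setdefault(name, set()).add(value)
    return baselines


def score_event(baselines, ident, ip, region, cred):
    """Signals on which this event departs from the identity's own history.

    An identity with no baseline at all is reported as such rather than
    silently scored as clean: first-seen identities need review, not a pass.
    """
    observed = features(ip, region, cred)
    profile = baselines.get(ident)
    if profile is None:
        return {"identity": ident, "baseline": False, "deviations": sorted(observed)}
    deviations = sorted(name for name, value in observed.items()
                        if value not in profile[name])
    return {"identity": ident, "baseline": True, "deviations": deviations}


def review(events, window_end, window_days=7):
    """Build baselines up to window_end, then score every event at or after it."""
    baselines = build_baselines(events, window_end, window_days)
    end = datetime.fromisoformat(window_end)
    return [score_event(baselines, ident, ip, region, cred)
            for ident, ts, ip, region, cred in events
            if datetime.fromisoformat(ts) >= end]


if __name__ == "__main__":
    for finding in review(EVENTS, "2026-05-08T00:00:00"):
        print(finding)
```

Run against the constructed events, the public-source login from `us-east-1` produces three deviations for `sp-billing-etl` (network, path and region) and none for `sp-vendor-sync`, even though the two events look identical to a generic "public IP login" rule. Sliding `window_end` forward each day gives the rolling comparison the paragraph describes.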
Vendor attribution and operational dependency mapping
A key part of NHI enrichment is attribution: identifying what application, team, or third party is actually behind a given non-human identity. The article shows that naming, metadata, observed dependencies, and credential relationships can be combined to group sprawl into legible business entities. That is what turns raw identity data into governance evidence. It also changes investigation quality, because a service principal tied to a vendor or critical workflow carries different risk than an isolated test account with the same permissions.
Practical implication: require ownership and dependency attribution for every production NHI before approving long-lived access.
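The attribution step can be shown with a short script. The following is an added example for this page, not Oasis Security's code: each identity is attributed to a business entity by combining, in order of confidence, an explicit owner tag, a naming convention, and the attribution of the consumers observed using it, and anything that resolves through none of these is reported as unattributed so it can be treated as a governance exception. The identity names, tags, the `svc-<app>-…` / `sp-<vendor>-…` convention and the consumer-to-owner map are all hypothetical.

```python
"""Ownership attribution for non-human identities (added example).

Signals are combined with a fixed precedence: an explicit owner tag beats a
naming convention, which beats inheritance from the identity's consumers.
Identities that no signal can place are returned as unattributed.
"""
import re

# Hypothetical naming conventions, most specific first.
NAME_RULES = [
    (re.compile(r"^svc-(?P<name>[a-z0-9]+)-"), "app"),
    (re.compile(r"^sp-(?P<name>[a-z0-9]+)-"), "vendor"),
]

# Constructed identity records: metadata tags plus consumers observed in logs.
IDENTITIES = {
    "svc-billing-etl": {"tags": {"owner": "team-payments"}, "consumers": ["etl-worker-01"]},
    "sp-acmecrm-sync": {"tags": {}, "consumers": ["crm-bridge"]},
    "app-key-7f3a": {"tags": {}, "consumers": ["etl-worker-01", "etl-worker-02"]},
    "legacy-report": {"tags": {}, "consumers": []},
}

# Constructed consumer -> owning entity map (e.g. from a CMDB or deployment metadata).
CONSUMER_OWNERS = {
    "etl-worker-01": "team-payments",
    "etl-worker-02": "team-payments",
    "crm-bridge": "vendor:acmecrm",
}


def attribute(name, record, consumer_owners):
    """Return {"entity", "method"} for one identity, or None/None if unattributed."""
    owner = record.get("tags", {}).get("owner")
    if owner:
        return {"entity": owner, "method": "tag"}
    for pattern, kind in NAME_RULES:
        match = pattern.match(name)
        if match:
            return {"entity": f"{kind}:{match.group('name')}", "method": "name"}
    # Inherit only when every observed consumer resolves to the same entity;
    # a split set of owners is ambiguity, not evidence.
    owners = {consumer_owners.get(c) for c in record.get("consumers", [])}
    if len(owners) == 1 and None not in owners:
        return {"entity": owners.pop(), "method": "consumer"}
    return {"entity": None, "method": None}


def attribute_all(identities, consumer_owners):
    """Attribute every identity in the inventory."""
    return {name: attribute(name, rec, consumer_owners)
            for name, rec in identities.items()}


def group_by_entity(results):
    """Collapse sprawl into entity -> [identities]; unattributed ones are excluded."""
    groups = {}
    for name, res in results.items():
        if res["entity"] is not None:
            groups.setdefault(res["entity"], []).append(name)
    return {entity: sorted(names) for entity, names in groups.items()}


def unattributed(results):
    """Identities that must be treated as open governance debt."""
    return sorted(name for name, res in results.items() if res["entity"] is None)


if __name__ == "__main__":
    results = attribute_all(IDENTITIES, CONSUMER_OWNERS)
    print(group_by_entity(results))
    print("unattributed:", unattributed(results))
```

The `method` field matters as much as the entity: a consumer-inherited attribution is a lead for the owner conversation, not a substitute for it, so a programme can require that long-lived production access is only approved for identities attributed by tag or naming convention.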
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Context is now the control plane for NHI governance. Identity programmes fail when they treat secrets, logs, and entitlement data as separate records instead of a single operational story. Enrichment turns those fragments into a decision surface for rotation, investigation, and decommissioning. The practitioner conclusion is simple: without identity-linked context, control design stays reactive.
The posture trap is a context problem, not a visibility problem. Teams often have the data but cannot safely act on it because the data does not say what breaks if an identity changes. That is why enrichment matters more than another dashboard or alert feed. The practitioner conclusion is to measure whether findings can be turned into action without manual correlation.
Ownership attribution is the missing governance primitive for NHI sprawl. If an identity cannot be tied to an application, vendor, or accountable team, it cannot be governed cleanly through lifecycle processes. This is where NHI governance meets IGA and PAM practice. The practitioner conclusion is to treat unattributed identities as open governance debt, not administrative clutter.
NHI enrichment also changes how agentic access will be governed. Agent-aware programmes will need the same context primitives, but with tighter expectations around runtime dependency changes and decision timing. That makes enrichment a cross-domain pattern spanning NHI, autonomous systems, and human oversight. The practitioner conclusion is to design context models that survive actor-type expansion, not just current service-account sprawl.
Identity blast radius is the named concept this article sharpens. The article shows that blast radius is not a theoretical access-map exercise. It is the set of resources, consumers, and business processes that become exposed when an identity fails, and that set can only be known when the identity is enriched. The practitioner conclusion is to treat blast-radius mapping as a continuous governance function, not a one-time review.
From our research:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why enrichment and attribution are still so operationally hard.
- For a broader governance baseline, NHI Lifecycle Management Guide shows how visibility, rotation, and offboarding fit together across the full identity lifecycle.
What this signals
Identity blast radius will become a board-level metric before it becomes a tooling feature. When teams can see consumers, resources, and secrets in one place, they can explain operational exposure in business terms instead of security jargon. That is the kind of context that makes NHI risk legible to IAM leaders and compliance teams alike.
With 97% of NHIs carrying excessive privileges, the governance problem is no longer discovery alone. The issue is whether the programme can convert raw identity data into accountable ownership, safe rotation, and defensible cleanup decisions.
Runtime context will matter more as agentic identity becomes normalised. The same enrichment model that clarifies service-account risk also provides the scaffolding for autonomous access oversight, because dependencies, business criticality, and behavioral change all need to be visible before action. Teams that build this now will be better placed to govern the next wave of machine identities.
For practitioners
- Map every production NHI to an accountable owner: require an application, team, or vendor owner for each service principal, API key, token, or certificate before it is allowed to remain in production. Treat unattributed identities as governance exceptions that block renewal, rotation approval, and recertification.
- Build dependency-aware rotation runbooks: document which applications, workflows, and consumers will fail if a secret changes, then test rotation against that dependency map before shortening credential lifetimes. The point is to prevent outages caused by rotating a credential that nobody has mapped to its consumers.
- Baseline identity behavior by consumer group: define normal activity using the identity's own source network, geography, credential type, and access pattern. Use those baselines to separate expected service traffic from out-of-pattern access that needs review.
- Promote context-linked findings into lifecycle work: convert unresolved NHI findings into named cleanup work packages that include ownership, remediation sequence, and downstream dependencies. That keeps enrichment from becoming passive metadata and turns it into an operational backlog.
Key takeaways
- NHI enrichment is about decision-making context, not more data.
- Without ownership, dependencies, and behavioral baselines, rotation and investigation remain guesswork.
- Blast-radius mapping becomes trustworthy only when every identity is tied back to the systems and consumers that depend on it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Offboarding and recertification depend on ownership attribution and a live view of which consumers still use the identity. |
| NIST CSF 2.0 | PR.AA-05 (least privilege and separation of duties) | Least-privilege decisions depend on knowing what each identity can actually reach and what still uses that reach. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Zero trust depends on continuous verification of identity, device, and context, which requires identity-linked context to exist. |
Feed identity context into zero-trust checks so access is judged by current risk, not static assignment.
Key terms
- NHI Enrichment: NHI enrichment is the process of attaching operational context to a non-human identity so it can be governed as something more than a record in a vault or IdP. In practice, that means connecting ownership, dependencies, credentials, and observed behavior to the identity itself so teams can act with confidence.
- Identity Blast Radius: Identity blast radius is the set of systems, data, and workflows that can be affected if an identity fails, is abused, or is removed. For non-human identities, this depends on live dependencies and real consumers, not just the permissions shown in a directory or policy console.
- Behavioral Baseline: A behavioral baseline is the pattern of normal activity established for a specific identity or consumer group over time. It helps teams decide whether a login or access event is expected, unusual, or risky. In NHI governance, baselines must be identity-specific because shared rules create too much noise.
- Ownership Attribution: Ownership attribution is the process of tying an identity to an accountable application, vendor, or internal team. It is a governance requirement, not a nice-to-have, because lifecycle actions such as rotation, offboarding, and recertification depend on knowing who is responsible for the identity and its downstream impact.
Deepen your knowledge
NHI enrichment, identity blast radius, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a context-driven governance programme from the same starting point, it is worth exploring.
This post draws on content published by Oasis Security: Inside Oasis’s NHI Enrichment Layer, how context gets built. Read the original.
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org