TL;DR: The DOJ’s new Data Security Program broadens bulk data risk beyond direct sales to include who can reach sensitive U.S. data through privileged accounts, cloud entitlements, vendors, and AI agents, according to Delinea. Compliance now hinges on identity-to-data access control, because access paths can create violations even without a breach.
NHIMG editorial — based on content published by Delinea: Why identity security is key to the Department of Justice’s new Bulk Data Rule
By the numbers:
- Studies show that the ratio of non-human to human identities can be as high as 46:1, creating a vast, often unmanaged attack surface.
Questions worth separating out
Q: How should security teams govern access to bulk data under the DOJ rule?
A: Security teams should govern every identity that can reach bulk data, not just the users who approve or view it.
Q: Why do non-human identities increase bulk data compliance risk?
A: Non-human identities increase risk because they often hold broad, persistent, and poorly reviewed access to data systems.
Q: What breaks when cloud entitlements to sensitive data are not tightly governed?
A: When cloud entitlements are loose, organisations lose control over who can reach regulated datasets through inherited roles, shared services, and third-party paths.
Practitioner guidance
- Inventory every identity that can touch bulk data. Build a current map of human, service, vendor, and workload identities that can query, export, decrypt, or administer sensitive datasets across cloud and on-premises systems.
- Reduce standing privilege on data-bearing systems. Replace always-on access with just-in-time access, task-scoped entitlements, and session logging for database, file, and backup platforms that hold regulated data.
- Bring NHI lifecycle controls into compliance workflows. Apply recertification, offboarding, and rotation to API keys, service accounts, and vendor credentials so access cannot outlive the business justification for the data relationship.
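The three steps above share one mechanism: work out which identities can reach regulated datasets, including through inherited roles, then test each access path against policy (standing versus just-in-time, credential age, third-party origin). The script below is an added example written for this post, not code from Delinea or from the NHIMG article. The role hierarchy, identities, dataset tags, audit date and the 90-day rotation window are all constructed assumptions for illustration, not values from the DOJ rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Actions that let an identity read or move sensitive data in bulk (assumed list).
HIGH_RISK_ACTIONS = {"query", "export", "decrypt", "admin"}
MAX_KEY_AGE_DAYS = 90  # assumed rotation window for non-human credentials


@dataclass
class Identity:
    name: str
    kind: str                     # "human", "service", "workload" or "vendor"
    roles: Set[str]
    standing: bool = True         # True = always-on; False = just-in-time only
    last_rotated: Optional[date] = None   # credential rotation date (non-human)


# Constructed role model: role -> (direct permissions, roles it inherits from).
ROLES = {
    "analyst":       ({("marketing_events", "query")}, set()),
    "data_reader":   ({("us_customer_pii", "query")}, set()),
    "data_exporter": ({("us_customer_pii", "export")}, {"data_reader"}),
    "db_admin":      ({("us_customer_pii", "admin"), ("backups", "decrypt")}, {"data_exporter"}),
    "etl_pipeline":  (set(), {"data_exporter"}),   # no direct grants; reach comes via inheritance
}

# Datasets tagged as holding regulated bulk U.S. sensitive data (constructed tags).
REGULATED = {"us_customer_pii", "backups"}

# Constructed sample inventory: one JIT admin, one standing reader, one service
# account with an old key, and one vendor account.
TODAY = date(2025, 6, 1)
SAMPLE_IDENTITIES = [
    Identity("alice", "human", {"analyst"}),
    Identity("bob", "human", {"db_admin"}, standing=False),
    Identity("carol", "human", {"data_reader"}),
    Identity("etl-svc", "service", {"etl_pipeline"}, last_rotated=date(2024, 11, 1)),
    Identity("acme-vendor", "vendor", {"data_reader"}, last_rotated=date(2025, 5, 20)),
]


def effective_permissions(role, roles=ROLES, seen=None):
    """Flatten direct and inherited permissions, guarding against role cycles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    direct, parents = roles[role]
    perms = set(direct)
    for parent in parents:
        perms |= effective_permissions(parent, roles, seen)
    return perms


def regulated_reach(identity, roles=ROLES, regulated=REGULATED):
    """(dataset, action) pairs on regulated data this identity can actually exercise."""
    reach = set()
    for role in identity.roles:
        reach |= effective_permissions(role, roles)
    return {(ds, act) for ds, act in reach if ds in regulated and act in HIGH_RISK_ACTIONS}


def audit(identities, today, roles=ROLES, regulated=REGULATED):
    """Return (identity, finding, access paths) for every policy violation found."""
    findings = []
    for ident in identities:
        reach = regulated_reach(ident, roles, regulated)
        if not reach:
            continue                      # no path to regulated data: out of scope
        paths = sorted(f"{ds}:{act}" for ds, act in reach)
        if ident.standing:
            findings.append((ident.name, "standing-access", paths))
        if ident.kind != "human":
            age = None if ident.last_rotated is None else (today - ident.last_rotated).days
            if age is None or age > MAX_KEY_AGE_DAYS:
                findings.append((ident.name, "stale-credential", paths))
        if ident.kind == "vendor":
            findings.append((ident.name, "third-party-path", paths))
    return findings


def run_sample():
    return audit(SAMPLE_IDENTITIES, TODAY)


if __name__ == "__main__":
    for name, finding, paths in run_sample():
        print(f"{name:12} {finding:18} {', '.join(paths)}")
```

Two points worth noticing in the output: `bob` holds the most powerful role but produces no finding because his access is just-in-time, and `etl-svc` reaches `us_customer_pii:export` without any direct grant, purely through role inheritance, which is exactly the kind of path a review of direct assignments misses.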
What's in the full article
Delinea's full article covers the operational detail this post intentionally leaves for the source:
- How the DOJ’s Data Security Program maps to specific access patterns across cloud, vendors, and on-premises systems.
- Practical examples of privileged access, CIEM, ITDR, and IGA controls applied to bulk data environments.
- The compliance timing details, including the good-faith treatment window and later due-diligence requirements.
- Identity-based interpretations of sensitive data transactions that can help legal, security, and compliance teams align.
👉 Read Delinea's analysis of the DOJ Bulk Data Rule and identity security →