TL;DR: The DOJ’s new Data Security Program broadens bulk data risk beyond direct sales to include who can reach sensitive U.S. data through privileged accounts, cloud entitlements, vendors, and AI agents, according to Delinea. Compliance now hinges on identity-to-data access control, because access paths can create violations even without a breach.
NHIMG editorial — based on content published by Delinea: Why identity security is key to the Department of Justice’s new Bulk Data Rule
By the numbers:
- Studies show that the ratio of non-human to human identities can be as high as 46:1, creating a vast, often unmanaged attack surface.
Questions worth separating out
Q: How should security teams govern access to bulk data under the DOJ rule?
A: Security teams should govern every identity that can reach bulk data, not just the users who approve or view it.
Q: Why do non-human identities increase bulk data compliance risk?
A: Non-human identities increase risk because they often hold broad, persistent, and poorly reviewed access to data systems.
Q: What breaks when cloud entitlements to sensitive data are not tightly governed?
A: When cloud entitlements are loose, organisations lose control over who can reach regulated datasets through inherited roles, shared services, and third-party paths.
Practitioner guidance
- Inventory every identity that can touch bulk data Build a current map of human, service, vendor, and workload identities that can query, export, decrypt, or administer sensitive datasets across cloud and on-premises systems.
- Reduce standing privilege on data-bearing systems Replace always-on access with just-in-time access, task-scoped entitlements, and session logging for database, file, and backup platforms that hold regulated data.
- Bring NHI lifecycle controls into compliance workflows Apply recertification, offboarding, and rotation to API keys, service accounts, and vendor credentials so access cannot outlive the business justification for the data relationship.
What's in the full article
Delinea's full article covers the operational detail this post intentionally leaves for the source:
- How the DOJ’s Data Security Program maps to specific access patterns across cloud, vendors, and on-premises systems.
- Practical examples of privileged access, CIEM, ITDR, and IGA controls applied to bulk data environments.
- The compliance timing details, including the good-faith treatment window and later due-diligence requirements.
- Identity-based interpretations of sensitive data transactions that can help legal, security, and compliance teams align.
👉 Read Delinea's analysis of the DOJ Bulk Data Rule and identity security →
Bulk data rule governance: what IAM teams need to lock down?
Explore further
Identity security is now part of the DOJ compliance boundary. The Bulk Data Rule does not only care whether data is encrypted or stored in the right place, it cares who can reach it and under what conditions. That makes privileged access, third-party access, and NHI governance compliance controls, not just security hygiene. Practitioners should treat identity-to-data paths as regulated surfaces.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a vendor or AI workload causes bulk data exposure?
A: Accountability sits with the organisation that allowed the access path to exist, even when the immediate actor is a vendor or workload identity. That means security, IAM, legal, and compliance teams must prove that the access was necessary, time-bound, and reviewed. If they cannot, the governance failure is internal, not external.
👉 Read our full editorial: Bulk data rule compliance now depends on identity security