
NHI enrichment layers: what context teams still lack in practice


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1772
Topic starter  

TL;DR: NHI enrichment attaches ownership, dependencies, behavioral baselines, and credential relationships to non-human identities so teams can turn scattered logs and alerts into decisions, according to Oasis Security. The deeper shift is that blast radius, anomaly review, and remediation all depend on context that most identity programmes still do not have.

NHIMG editorial — based on content published by Oasis Security: Inside Oasis’s NHI Enrichment Layer, how context gets built

Questions worth separating out

Q: How should teams enrich non-human identities before rotating credentials?

A: Start by attaching ownership, consumers, downstream resources, and credential relationships to each identity.

Q: Why do non-human identities need behavioral baselines?

A: Because the same authentication event can be routine for one identity and suspicious for another.

Q: What breaks when ownership is missing for an NHI?

A: Lifecycle governance breaks first, because no one can confidently approve rotation, offboarding, or recertification.

Practitioner guidance

  • Map every production NHI to an accountable owner: require an application, team, or vendor owner for each service principal, API key, token, or certificate before it is allowed to remain in production.
  • Build dependency-aware rotation runbooks: document which applications, workflows, and consumers will fail if a secret changes, then test rotation against that dependency map before shortening credential lifetimes.
  • Baseline identity behavior by consumer group: define normal activity using the identity's own source network, geography, credential type, and access pattern.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The live graph model showing how consumers, resources, and secrets are linked for each identity
  • The specific integration sources Oasis uses to deepen ownership, dependency, and sensitivity context
  • The behavioral baseline logic used to flag new consumer groups and unusual credential patterns
  • The timeline view that ties identity-provider changes to remediation and ownership updates

👉 Read Oasis Security's analysis of NHI enrichment and identity context →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 332
 

Context is now the control plane for NHI governance. Identity programmes fail when they treat secrets, logs, and entitlement data as separate records instead of a single operational story. Enrichment turns those fragments into a decision surface for rotation, investigation, and decommissioning. The practitioner conclusion is simple: without identity-linked context, control design stays reactive.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why enrichment and attribution are still so operationally hard.

A question worth separating out:

Q: How can security teams use NHI context to reduce blast radius?

A: They should map every identity to the applications, data stores, and business workflows it can affect, then review those dependencies before making access changes. Blast radius becomes manageable when teams understand who uses the identity, what it reaches, and which services depend on it.

👉 Read our full editorial: NHI enrichment layers expose the context gap in identity security

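The enrichment record, blast-radius review and per-identity baseline check that both posts above describe, as an added example (not Oasis Security's or NHIMG's code). The inventory, dependency map and auth events are constructed; names such as svc-order-api, ci-deploy-key and orders-db are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class NHI:
    """One enriched non-human identity: the context the posts say is usually missing."""
    name: str
    owner: str | None                      # accountable app/team/vendor; None = governance gap
    consumers: set[str]                    # workloads that present this credential
    resources: set[str]                    # downstream systems the credential reaches
    baseline: set[tuple[str, str]] = field(default_factory=set)  # observed (source_net, cred_type)

# Constructed dependency map: resource -> business workflows that stop if it becomes unreachable
DEPENDS_ON = {"orders-db": {"checkout", "invoicing"}, "reports-bucket": {"finance-export"}}

# Constructed inventory (hypothetical identities); the second one has no accountable owner
INVENTORY = [
    NHI("svc-order-api", "team-payments", {"order-api"}, {"orders-db"},
        {("10.20.0.0/16", "client_secret")}),
    NHI("ci-deploy-key", None, {"build-runner"}, {"reports-bucket", "orders-db"},
        {("10.30.0.0/16", "ssh_key")}),
]

def missing_owner(inventory: list[NHI]) -> list[str]:
    """Lifecycle governance breaks first: with no owner, nobody can approve rotation or offboarding."""
    return sorted(n.name for n in inventory if not n.owner)

def blast_radius(nhi: NHI) -> dict[str, set[str]]:
    """Who uses the identity, what it reaches, and which workflows depend on it: review before any change."""
    workflows = set().union(*(DEPENDS_ON.get(r, set()) for r in nhi.resources))
    return {"consumers": set(nhi.consumers), "resources": set(nhi.resources), "workflows": workflows}

def review_events(inventory: list[NHI], events: list[dict]) -> list[tuple[str, str]]:
    """Score each auth event against that identity's own baseline rather than one global rule."""
    by_name = {n.name: n for n in inventory}
    findings = []
    for ev in events:
        nhi = by_name.get(ev["identity"])
        if nhi is None:
            findings.append((ev["identity"], "unknown identity: not in enriched inventory"))
        elif (ev["source_net"], ev["cred_type"]) not in nhi.baseline:
            findings.append((nhi.name, f"new consumer group {ev['source_net']}/{ev['cred_type']}"))
    return findings

# Constructed auth events: the same client_secret login is routine for one NHI and new for another
EVENTS = [
    {"identity": "svc-order-api", "source_net": "10.20.0.0/16", "cred_type": "client_secret"},
    {"identity": "ci-deploy-key", "source_net": "10.20.0.0/16", "cred_type": "client_secret"},
    {"identity": "svc-legacy-batch", "source_net": "10.50.0.0/16", "cred_type": "api_key"},
]
```

Running `missing_owner`, `blast_radius` and `review_events` over the constructed data shows the three decisions the posts describe: which identity cannot be rotated safely yet, what stops if ci-deploy-key changes, and which auth events deserve review.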