APM is enough when the main problem is application performance and transaction tracing. It is not enough when the question is whether a credential, service account, or AI agent behaved within its intended authority. If the security question involves access legitimacy, teams need observability plus identity context.
Why This Matters for Security Teams
APM gives teams a strong view of latency, traces, and service health, but that visibility stops short of answering the security question most practitioners actually face: did this credential, service account, or agent act within its intended authority? When the issue is access legitimacy, performance telemetry alone cannot show whether a token was misused, a secret was overexposed, or a workload exceeded its role.
This distinction matters because NHI failures are often invisible until damage is already underway. NHIMG research in the State of Non-Human Identity Security shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps. That visibility gap is a security problem, not an observability problem. APM can confirm that a call succeeded; it cannot confirm that the call was authorised by policy, bound to the right identity, or constrained by the right scope. Current guidance from NIST Cybersecurity Framework 2.0 points teams toward governance, protection, and continuous monitoring, which is the right direction when identity context matters.
In practice, many security teams encounter credential abuse only after an incident response is already underway, rather than through intentional detection.
How It Works in Practice
The practical test is simple: if a team only needs to understand service performance, APM may be sufficient. If the team needs to understand who or what made a request, what authority it had, and whether that authority was appropriate at that moment, APM must be paired with identity-aware telemetry. That means correlating traces and logs with workload identity, secret provenance, token scope, and policy decisions.
For NHIs, the operational pattern usually starts with inventory and lifecycle controls. The NHI Lifecycle Management Guide and Top 10 NHI Issues both reinforce the same idea: access must be provisioned, monitored, rotated, and retired with identity context attached. In practice, teams should log:
- the workload or agent identity that initiated the action
- the secret or token used, including expiration and scope
- the policy decision that allowed the action
- the target resource and the privilege path used
- the revocation or rotation event if the action was JIT or ephemeral
This is where observability tools, SIEM pipelines, and identity systems need to intersect. APM can still provide useful trace IDs, but security teams need to enrich those traces with RBAC context, JIT credential metadata, and zero standing privilege signals. NIST’s zero trust guidance is helpful here because it treats each request as a policy decision, not a blanket trust assumption. The goal is to detect not just failure, but misuse of legitimate access.
These controls tend to break down when environments rely on long-lived shared secrets and inconsistent service tagging, because attribution becomes too weak to prove intent.
Common Variations and Edge Cases
Tighter identity-aware monitoring often increases integration overhead, so organisations have to balance better attribution against tool complexity and data quality. There is no universal standard for this yet, and current guidance suggests the right answer depends on whether the workload is deterministic, human-operated, or autonomous.
For classic microservices, a strong APM stack plus workload identity may be enough. For outsourced integrations, third-party OAuth apps, and especially AI agents, the bar is higher because behavior is more dynamic and harder to predict. The JetBrains GitHub plugin token exposure case is a reminder that exposed secrets can turn routine automation into unauthorised access. For this reason, teams should favour short-lived credentials, explicit policy checks, and revocation paths over static trust. The Ultimate Guide to NHIs — Key Challenges and Risks is useful when deciding where lifecycle risk turns into visibility risk.
The main edge case is highly distributed systems with ephemeral workloads and sparse logging. In those environments, APM may still be valuable, but it cannot be the security control of record because it lacks the authority context needed to prove legitimate access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle controls are central when APM cannot show authority. |
| NIST CSF 2.0 | PR.AC-4 | Access control governance explains why identity context must complement telemetry. |
| NIST AI RMF | GOVERN | Autonomous or AI-driven access needs accountability beyond performance observability. |
Track NHI token age, rotate secrets, and revoke access when usage exceeds intended scope or TTL.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
