IAM teams should measure how many identities can access customer profile data, how many are standing versus task-scoped, and whether each one has a clear business owner. If the count keeps rising without a corresponding governance review, the programme is scaling experience faster than control.
Why This Matters for Security Teams
Personalisation access often starts as a product capability and ends as an identity sprawl problem. The real risk is not just who can read customer profile data today, but how quickly that access expands through service accounts, integrations, and automation that never goes through the same review cycle as human access. That is why control needs to be measured in live entitlements, ownership, and review cadence, not only in policy documents. Current guidance from the OWASP Non-Human Identity Top 10 treats unmanaged non-human access as a first-class security issue, not a back-office hygiene task.
NHI Management Group’s Ultimate Guide to NHIs shows how often this problem hides in plain sight: only 5.7% of organisations report full visibility into their service accounts, while 97% of NHIs carry excessive privileges. Those numbers matter for personalisation because customer experience teams usually optimise for speed, availability, and cross-system access, which can quietly outpace governance. In practice, many security teams encounter access creep only after a review, audit, or incident forces them to discover how many profile-reading identities already exist.
How It Works in Practice
To measure whether personalisation access is under control, IAM teams should treat every identity that can touch customer profile data as part of a controlled access population. That includes application services, workflow tools, data pipelines, AI-driven recommendation components, and third-party connectors. The question is not simply whether access exists, but whether each identity has a clear owner, a defined purpose, a scope that matches that purpose, and a review path that removes it when the purpose changes. This is where Ultimate Guide to NHIs is useful: it frames visibility, rotation, and offboarding as measurable controls rather than abstract governance goals.
A practical control model usually tracks four things:
- Total identities with access to customer profile systems, segmented by production, test, and third-party use.
- Standing access versus task-scoped access, with task-scoped access expected to dominate sensitive pathways.
- Business owner and technical owner for every identity, including service accounts and automation tokens.
- Review evidence showing when access was last validated, revoked, rotated, or re-scoped.
Teams can strengthen that measurement by using the OWASP Non-Human Identity Top 10 to classify excessive privilege, secret sprawl, and weak lifecycle controls. The metric that usually matters most is not raw count alone, but count growth without governance growth. If customer-profile access increases while owners, reviews, and expiry dates do not keep pace, the programme is scaling experience faster than control. These controls tend to break down when customer data access is embedded in shared platform roles, because no one can reliably separate legitimate product flow from inherited privilege.
Common Variations and Edge Cases
Tighter control over personalisation access often increases operational overhead, requiring organisations to balance faster product iteration against stronger entitlement discipline. That tradeoff becomes sharper when personalisation logic spans multiple clouds, shared data platforms, or vendor-operated services. In those environments, current guidance suggests measuring by effective access, not just assigned roles, because inherited permissions can make a low-privilege account look harmless while still enabling broad data exposure.
One common edge case is ephemeral or task-scoped access used by data enrichment jobs or recommendation services. Those identities may look risky in inventory reports because they are numerous, but they can actually be safer than long-lived standing access if they are short-lived, owner-tagged, and automatically revoked. Another edge case is delegated access through support tools or experimentation platforms, where business teams need broad reach during testing but should lose it after release. The right question is whether the exceptions are documented, time-bound, and reviewed, not whether exceptions exist at all.
For maturity benchmarking, NHI Management Group’s 2024 Non-Human Identity Security Report found that only 19.6% of security professionals express strong confidence in their organisation’s ability to securely manage non-human workload identities, which is a useful warning sign for personalisation programs that assume access inventories are accurate. In the toughest environments, measurement breaks down when entitlement data lives in disconnected tools and nobody can reconcile who can actually read customer profiles at runtime.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Directly addresses excess non-human access and weak entitlement visibility. |
| NIST CSF 2.0 | PR.AC-4 | Covers access management, least privilege, and entitlement review for sensitive data. |
| NIST AI RMF | Useful for measuring governance, accountability, and monitoring around AI-enabled personalisation access. |
Inventory all non-human identities, map each to an owner, and remove broad access that lacks a documented purpose.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org