When baselines ignore the resource, they collapse very different risks into the same tool-level signal. A query against public analytics and a query against a finance ledger can look identical if the model only tracks the verb. That makes the baseline blind to the real control boundary and weakens any deviation decision.
Why This Matters for Security Teams
Behavioural baselines only work when they reflect the real control boundary, and the resource being accessed is usually that boundary. If a model watches only the verb, it can miss the difference between harmless read access and sensitive data access, turning a useful anomaly signal into noise. That is especially dangerous for NHIs, where privilege is often broad and machine-to-machine activity is high volume. NHI Mgmt Group notes that Ultimate Guide to NHIs highlights how deeply NHIs are embedded across modern enterprises, which means weak behavioural models can affect many systems at once.
This matters because the same action can carry very different risk depending on the target. A service account querying a public analytics bucket may be normal, while the same account touching a finance ledger or secrets store should trigger scrutiny. The OWASP Non-Human Identity Top 10 treats overbroad trust and weak governance as core identity risks, and resource-aware context is part of that problem. In practice, many security teams only discover the gap after a low-signal baseline has already approved access to the wrong asset.
How It Works in Practice
Resource-aware baselines separate the action from the target. Instead of asking only “did this identity run a query,” the control asks “what was queried, against which class of resource, under what context, and is that combination normal for this workload?” That is important for agentic and automated systems, but it also applies to conventional service accounts. A baseline that includes resource sensitivity can distinguish between routine telemetry access and a step toward data exfiltration.
Practically, teams should enrich behavioural analytics with resource metadata such as data classification, environment, tenant, API scope, and trust zone. Current guidance suggests combining these signals with policy checks at decision time rather than relying on historical averages alone. That aligns with zero trust thinking in the Ultimate Guide to NHIs — Key Challenges and Risks and with identity assurance principles in NIST Cybersecurity Framework 2.0. In stronger implementations, the baseline is not a single score but a set of thresholds that vary by resource class.
- Label resources by sensitivity before tuning detections.
- Track identity, verb, destination, and time together.
- Treat access to crown-jewel systems as a separate baseline domain.
- Use allowlists cautiously, since static rules can hide drift.
Where available, workload identity and short-lived credentials improve fidelity because the system can tie activity to a specific workload instance rather than a vague account label. These controls tend to break down when resource metadata is incomplete or inconsistent across clouds, because the baseline cannot reliably distinguish one asset class from another.
Common Variations and Edge Cases
Tighter resource-aware baselines often increase operational overhead, requiring organisations to balance detection quality against tagging effort and alert tuning. That tradeoff is real, especially in hybrid estates where asset inventories are incomplete. Best practice is evolving here: there is no universal standard for resource classification depth, but teams usually get better results when they start with the most sensitive systems first.
Edge cases appear when the same identity legitimately accesses multiple resource tiers. For example, a release pipeline may query both development data and production secrets during a controlled deployment window. In those cases, the baseline should be context-aware, not just resource-aware: environment, change ticket, execution window, and workload identity all matter. The NHI Mgmt Group’s breach analysis, 52 NHI Breaches Analysis, is a useful reminder that real incidents often start with access that looked ordinary until the target resource exposed the risk.
Another common failure mode is baselining at the API or tool level while ignoring downstream effects. A read request may be benign in one system and highly sensitive in another because of the data returned, not the endpoint called. Security teams should therefore treat resource context as a first-class input to anomaly detection, not a post-processing filter. The model fails when a platform normalizes access so broadly that high-risk and low-risk resources share the same behavioural profile.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Resource-blind baselines weaken NHI detection and authorization context. |
| OWASP Agentic AI Top 10 | A-03 | Agentic systems need context-aware decisions, not verb-only anomaly checks. |
| NIST AI RMF | AI RMF supports context-rich risk decisions for dynamic automated behaviour. |
Tag sensitive resources and tune NHI detections so access to each class is evaluated separately.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org