The main failure is that credentials, MFA enrolment, and history become portable across tenants even when the business expects them not to be. That can blur audit trails, complicate offboarding, and make it harder to defend client sovereignty or residency commitments when the same person operates in multiple tenant domains.
Why This Matters for Security Teams
Sharing one user record across tenants looks efficient, but it breaks the separation model that many organisations promise to clients. Once credentials, MFA enrolment, device posture, and sign-in history are all tied to a single identity object, access decisions can become portable across tenant boundaries. That creates risk for audit integrity, offboarding, and data residency obligations, especially where tenant separation is part of a contract or regulatory commitment.
This is not just an identity hygiene issue. It is a governance failure that can blur who accessed what, from where, and under which tenant context. NIST’s NIST Cybersecurity Framework 2.0 emphasises identity governance, access control, and traceability because security depends on being able to distinguish one trust boundary from another. NHI Management Group’s Ultimate Guide to NHIs notes that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, which is a useful reminder that identity design is part of the control plane, not just an admin convenience.
In practice, many security teams encounter tenant bleed only after an audit, dispute, or offboarding event has already exposed the shared-record design.
How It Works in Practice
The core problem is that a single identity record becomes the anchor for multiple security domains. If the same person is reused across tenants, the system may reuse the same MFA factors, recovery methods, profile attributes, and session history. That means one tenant’s enrolment event can influence another tenant’s assurance posture, even when the business expects isolation. The result is not only weaker authentication, but also weaker evidence for investigations and access reviews.
Security teams usually need to decide whether the user is truly a shared global identity or whether each tenant needs its own distinct account. When separation matters, best practice is to treat each tenant as a separate trust boundary and prevent identity reuse unless there is a documented cross-tenant design with compensating controls. That often means tenant-scoped accounts, tenant-specific MFA, separate session tokens, and clear mapping in logs so that sign-in events remain attributable to one tenant context.
Operationally, this should be paired with role design, offboarding rules, and entitlement review. A useful pattern is:
- Separate authentication from authorisation so one login event does not imply access everywhere.
- Use tenant-specific account objects where client sovereignty or residency is a requirement.
- Keep MFA enrolment, recovery flows, and session tokens scoped to the tenant that issued them.
- Preserve immutable audit trails that show tenant, user, device, and policy decision together.
This matters even more for NHI-adjacent workflows, where a shared operator account may trigger service accounts or API keys in multiple tenant environments. The Ultimate Guide to NHIs highlights how hard it is to maintain visibility and offboarding discipline when identity objects outlive their intended scope, and that lesson applies directly to shared tenant users. Current guidance suggests designing for tenant-local identity by default, then proving when exception handling is safe rather than assuming a global record is harmless. These controls tend to break down in MSP, SaaS, and BPO environments because one operator may legitimately touch many tenants while the platform still needs tenant-isolated evidence and revocation.
Common Variations and Edge Cases
Tighter tenant separation often increases identity administration overhead, requiring organisations to balance clean isolation against operational convenience. The tradeoff is most obvious in support models, managed services, and enterprise federations where a single person legitimately needs access to many customer domains. In those cases, the question is not whether one directory account is easier, but whether it can still prove separation at the level the contract demands.
There is no universal standard for this yet, so practices vary. Some organisations use a master workforce identity plus tenant-local shadow accounts. Others keep one global identity but issue tenant-specific sessions, MFA bindings, and authorisation claims. The safer pattern is whichever preserves tenant-local auditability and avoids portable credentials across environments. Where legal or residency requirements are strict, a shared record can undermine the separation claim even if the technical permissions look correct.
Edge cases also appear during mergers, outsourced operations, and emergency break-glass access. Those exceptions need explicit expiry, logging, and review. As a rule, if the same person can sign into two tenants and inherit assurance from one tenant’s enrolment, the architecture is already relying on trust that the tenant model was meant to prevent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared user records can blur identity scope and tenant boundaries. |
| NIST CSF 2.0 | PR.AC-4 | Access control must preserve separation and traceability between tenants. |
| NIST AI RMF | Identity reuse across tenants weakens governance and accountability for access decisions. |
Define governance for shared identities and require tenant-specific evidence for every access decision.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
