Monitoring volume alone breaks down because high or low traffic does not tell you whether activity is legitimate, risky, or policy-compliant. You need destination context, source system behaviour, and workload identity to distinguish business communication from exfiltration, probing, or unmanaged AI usage. Without that context, teams either miss threats or overreact to normal operations.
Why This Matters for Security Teams
Traffic volume is a coarse signal. It can show that something is happening, but it cannot show whether the activity is a backup job, a data transfer to an approved service, a compromised workload, or an AI agent calling tools outside policy. Security teams that rely on volume alone lose the context needed for alert triage, segmentation decisions, and breach detection. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks shows why this matters: only 5.7% of organisations have full visibility into their service accounts.
That visibility gap is critical because network telemetry often captures the symptom, not the identity behind it. Under NIST SP 800-207 Zero Trust Architecture, access decisions should be driven by context, not trust based on location or raw throughput. The same principle applies here: the question is not how much data moved, but who or what moved it, where it went, and whether that movement matched expected behaviour. In practice, many security teams only discover this after an incident has already blended into normal-looking bandwidth patterns.
How It Works in Practice
Effective monitoring starts by enriching traffic with source identity, destination reputation, workload role, process lineage, and policy state. That means linking packets or flow records to a human user, a service account, a container, or an AI agent, then comparing the observed path against allowed behaviours. For NHI-heavy environments, this is where lifecycle discipline matters. The NHI Lifecycle Management Guide is useful because unmanaged keys and service accounts often generate traffic that looks legitimate until the underlying identity has outlived its intended use.
- Baseline normal destinations for each workload, not just average bytes per minute.
- Correlate spikes with authentication events, privilege changes, and secret usage.
- Distinguish approved bulk transfers from unusual east-west movement or external egress.
- Track whether an AI agent or automated process is calling tools it was never granted.
In AI-enabled environments, volume-only monitoring also misses prompt injection outcomes, tool abuse, and data exfiltration through retriever or connector channels. That is why current guidance suggests pairing network telemetry with control-plane logs and application context, rather than treating volume as a stand-alone detector. NHI Management Group’s Top 10 NHI Issues reinforces the operational risk: over-privileged or poorly governed non-human identities can generate traffic that appears routine while still violating policy. These controls tend to break down in encrypted, high-throughput microservice meshes because the network view alone cannot distinguish service-to-service automation from compromised or misrouted identity activity.
Common Variations and Edge Cases
Tighter traffic controls often increase monitoring overhead, requiring organisations to balance detection fidelity against telemetry cost and analyst workload. There is no universal standard for this yet, especially in environments where cloud-native systems, SaaS integrations, and AI agents all share the same egress paths.
One common edge case is legitimate burst traffic from batch analytics, software delivery pipelines, or model training jobs. Another is shared infrastructure where many identities traverse the same network gateways, making volume look abnormal when the real issue is one compromised credential. In regulated environments, current guidance suggests mapping traffic to the owning identity and business purpose before escalating, because false positives become expensive fast. This is also where the NHI perspective adds value: if service accounts, API keys, or agent credentials are not individually governed, volume spikes may be the only visible clue that a control failure has already occurred. The operational lesson is simple: high bandwidth is not evidence of maliciousness, and low bandwidth is not evidence of safety.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | Traffic monitoring is a detection activity, but it needs context to be useful. |
| NIST Zero Trust (SP 800-207) | PA-5 | Zero Trust requires continuous evaluation using contextual signals beyond volume. |
| OWASP Non-Human Identity Top 10 | Non-human identities can generate normal-looking traffic while still being overprivileged or abused. | |
| OWASP Agentic AI Top 10 | AI agents may use tools or connectors in ways volume-only monitoring cannot explain. | |
| NIST AI RMF | MEASURE | AI risk measurement needs behavioural and context signals, not only network metrics. |
Correlate flows with identity and asset context so detection outputs support triage, not just alert counts.
Related resources from NHI Mgmt Group
- When should organisations block anonymous network traffic at login?
- When should organisations treat API traffic as suspicious rather than just high volume?
- When should organisations prioritise privileged access management over network controls in supply chains?
- What breaks when organisations cannot see their non-human identities?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org