Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What do security teams get wrong about data…
Governance, Ownership & Risk

What do security teams get wrong about data ingestion costs and visibility?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

Teams often treat ingestion cost as a technical limit rather than a security decision. When they drop data sources to save money, they create blind spots in the very systems that should expose identity misuse. The better approach is to filter and enrich data before ingestion so visibility is preserved.

Why This Matters for Security Teams

Data ingestion is not just a telemetry budget problem. For NHI-heavy environments, every source that is excluded, downsampled, or dropped can hide the evidence needed to detect token abuse, OAuth misuse, and over-privileged service accounts. That makes ingestion design part of identity security, not a back-office optimization exercise. The Top 10 NHI Issues calls out visibility gaps as a recurring failure mode, and the NIST Cybersecurity Framework 2.0 reinforces that detection depends on collecting the right evidence, not simply collecting less of it.

Security teams often underestimate how much identity abuse is only visible in “expensive” logs: auth events, API gateway records, cloud control plane data, and SaaS audit trails. When cost pressure drives blanket suppression, the organisation may still retain volume but lose context, which is worse than having no data at all. Current guidance suggests treating ingestion as a selective control plane, with filtering, enrichment, and prioritisation happening before data reaches long-term storage. In practice, many security teams discover the cost of missing telemetry only after an identity compromise has already spread through multiple systems.

How It Works in Practice

The operational goal is to preserve security signal while reducing waste. That usually means classifying sources by investigative value, then applying policy before ingestion so only the right events flow downstream. High-value identity telemetry should generally include authentication events, token issuance, privilege changes, consent grants, API key creation, and admin activity. Lower-value noise can often be sampled, summarised, or routed to cheaper storage tiers, but that decision should be explicit and risk-based.

A practical pattern is to enrich at the edge or in the collection pipeline. For example, attach asset ownership, workload identity, environment, and tenant context before events are indexed. That makes later correlation much easier, especially for NHI workflows described in the NHI Lifecycle Management Guide. The point is not to ingest everything forever; it is to make sure the right evidence survives the first filter.

  • Prioritise logs tied to identity creation, delegation, authentication, and privilege escalation.
  • Use pre-ingestion filtering rules to drop known-noise events, not investigative records.
  • Enrich events with identity, workload, and ownership metadata before they are stored.
  • Define retention by data class and incident value, not by one generic cost target.
  • Test whether detections still work after any source reduction or sampling change.

Where teams go wrong is assuming observability tools can compensate later. If the telemetry never enters the pipeline, detection rules, hunting queries, and retrospective investigations cannot reconstruct what happened. The Ultimate Guide to NHIs — Key Research and Survey Results shows how common NHI visibility gaps already are, which makes selective ingestion even riskier when identity telemetry is under-collected. These controls tend to break down in cloud and SaaS-heavy environments where logs are fragmented across providers and ingestion decisions are made independently by each platform.

Common Variations and Edge Cases

Tighter ingestion control often reduces storage and licensing costs, but it also increases the burden on detection engineering, data classification, and pipeline governance. Security teams need to balance cost reduction against the risk of losing the exact signals that expose NHI abuse. Best practice is evolving here, and there is no universal standard for which identity events must always be retained, because the answer depends on architecture, threat model, and regulatory obligations.

Edge cases matter. A small set of high-risk sources can justify near-full ingestion, such as privileged cloud audit logs, federation events, CI/CD secrets access, and third-party OAuth consent data. In contrast, bulk application logs may be better summarised if they add little identity value. One useful benchmark from Ultimate Guide to NHIs — Key Challenges and Risks is that visibility failures frequently appear alongside weak governance, not just tool misconfiguration. Teams should also align ingestion policy with the NIST Cybersecurity Framework 2.0 so that cost controls do not undermine detection or response. The tradeoff is simple: lower spend can buy less evidence, and less evidence can make the most important identity incidents invisible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-05Telemetry gaps hide NHI misuse and hinder detection.
NIST CSF 2.0DE.CM-01Continuous monitoring depends on the right telemetry being collected.
NIST CSF 2.0DE.AE-02Anomalies are missed when identity context is stripped out.

Define ingestion rules around detection needs, then verify monitoring still works after any data reduction.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org