Teams often mistake multiple controls for coordinated control. In practice, separate layers can still leave gaps between authentication, authorisation, and monitoring, especially when machine identities are involved. The mistake is assuming that adding more barriers automatically fixes identity risk.
Why This Matters for Security Teams
Defense in depth is meant to reduce blast radius, not just add more tools. Teams get into trouble when they treat layered controls as proof of resilience without checking whether those layers actually connect at the identity boundary. That gap is especially dangerous for machine identities, where service accounts, API keys, and automation tokens can move faster than review cycles or ticket-based approvals. NHI Mgmt Group notes in the Ultimate Guide to NHIs that 97% of NHIs carry excessive privileges, which turns “multiple layers” into multiple chances for misuse if the same over-permissioned identity is reused across systems. The mistake is not the existence of layers, but the lack of coordinated policy across authentication, authorisation, secret handling, and monitoring. That is consistent with the intent of the NIST Cybersecurity Framework 2.0, which expects functions to work together rather than operate as isolated checkpoints. In practice, many security teams discover weak control chaining only after a compromised token has already crossed several “defensive” layers.
How It Works in Practice
Real defense in depth is a control chain, not a control pile. Each layer should reduce uncertainty for the next one: strong identity proofing, least-privilege authorisation, short-lived secrets, continuous logging, and rapid revocation. For NHIs, that means starting with workload identity rather than long-lived shared secrets. A service should prove what it is at runtime, then receive only the minimum access needed for the task, ideally through ephemeral credentials that expire automatically after use. The Ultimate Guide to NHIs is clear that lifecycle discipline matters as much as perimeter controls: if rotation, offboarding, and visibility are missing, layered security becomes layered exposure.
- Use distinct identities per workload, environment, and function so compromise does not spread horizontally.
- Bind authorisation to context, not just role labels, so a token cannot do more than its current task requires.
- Rotate secrets quickly and revoke them automatically when the workflow ends.
- Log identity-to-action mapping so monitoring can detect when one layer fails to catch what another allowed.
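The control chain described above, as an added example (not NHI Mgmt Group's code): a credential is issued only to an attested workload, bound to one task, expires quickly and is revoked on completion, and every decision is logged identity-to-action so monitoring can flag an action that a role-label authoriser allowed but the task binding would have blocked. Workload names, the role label and its grants are constructed sample values.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Credential:
    token: str
    workload: str        # one identity per workload, environment and function
    task: str            # the single task this credential is bound to
    role: str            # coarse role label, kept only to show the weak binding
    expires_at: float
    revoked: bool = False

# Constructed sample policy: everything the coarse role label would permit.
ROLE_GRANTS = {"deploy-bot": {"push-image", "rotate-db-password", "read-prod-db"}}

def issue(attested_workload: str, task: str, role: str, ttl_s: float, now: float) -> Credential:
    # Layer 1: a credential exists only for a runtime-attested workload and is
    # short-lived. Attestation itself is assumed to be done by the platform.
    return Credential(secrets.token_urlsafe(16), attested_workload, task, role, now + ttl_s)

def authorise(cred: Credential, action: str, now: float, log: list, bind_to_task: bool) -> bool:
    # Layer 2. Weak form: any live token with the role label gets all the role's
    # grants. Chained form: a live token may perform only the task it was bound to.
    live = not cred.revoked and now < cred.expires_at
    in_scope = action == cred.task if bind_to_task else action in ROLE_GRANTS.get(cred.role, ())
    allowed = live and in_scope
    log.append({"workload": cred.workload, "task": cred.task, "action": action, "allowed": allowed})
    return allowed

def complete(cred: Credential) -> None:
    # Layer 3: revoke when the workflow ends instead of waiting for expiry.
    cred.revoked = True

def scope_violations(log: list) -> list:
    # Layer 4, monitoring over the identity-to-action log: an allowed action outside
    # the bound task means an upstream layer let through what the binding should stop.
    return [e for e in log if e["allowed"] and e["action"] != e["task"]]

def demo(now: float = 1_000.0) -> dict:
    log: list = []
    cred = issue("ci-runner/prod/release", "push-image", "deploy-bot", ttl_s=300, now=now)
    role_leak = authorise(cred, "read-prod-db", now + 1, log, bind_to_task=False)   # True
    ctx_block = authorise(cred, "read-prod-db", now + 1, log, bind_to_task=True)    # False
    ctx_ok = authorise(cred, "push-image", now + 2, log, bind_to_task=True)         # True
    complete(cred)
    after_revoke = authorise(cred, "push-image", now + 3, log, bind_to_task=True)   # False
    stale = issue("batch/prod/report", "read-prod-db", "deploy-bot", ttl_s=10, now=now)
    expired = authorise(stale, "read-prod-db", now + 11, log, bind_to_task=True)    # False
    return {"role_leak": role_leak, "ctx_block": ctx_block, "ctx_ok": ctx_ok,
            "after_revoke": after_revoke, "expired": expired, "violations": len(scope_violations(log))}
```

`demo()` returns one scope violation: the role-label layer let the release runner read the production database, and the monitoring layer is the only place that records it.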
Common Variations and Edge Cases
Tighter defense in depth often increases operational overhead, requiring organisations to balance stronger containment against deployment speed and support burden. That tradeoff becomes visible in environments with high automation, legacy service accounts, or vendor-integrated workflows where every extra approval can break release timing. Current guidance suggests that layered controls are most effective when each layer is independently meaningful; if one layer simply duplicates another, the organisation pays more complexity without reducing risk. This is why teams sometimes overestimate MFA, network segmentation, or vaulting alone while leaving the underlying NHI governance unchanged. The result is a false sense of safety, especially where secrets are embedded in CI/CD systems, shared across third parties, or exempted from rotation to avoid outages. NHI Mgmt Group’s data shows that many organisations still lack full visibility into service accounts, which means they cannot verify whether their “layers” actually cover the identities doing the work. For practitioners, the practical test is simple: if one compromised machine identity can still authenticate, authorise, and persist across multiple systems, the defense-in-depth model is incomplete.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret rotation and lifecycle gaps that weaken layered defenses. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to making defense in depth effective. |
| NIST AI RMF | | Coordinated governance is needed when AI or automation expands identity risk. |
Enforce short-lived NHI secrets and rotate or revoke them automatically on task completion.
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org