An identity provider establishes and brokers identity, often through login, federation, and token issuance. A policy engine decides whether a request should be allowed after identity is known. Teams need both when they want strong authentication and precise authorization, because one does not replace the other.
Why This Matters for Security Teams
An identity provider and a policy engine solve different problems, but teams often blur them when they are trying to govern service accounts, API keys, and agent access at scale. An identity provider proves who or what is authentic and issues tokens or assertions. A policy engine decides whether a specific action should proceed after identity has been established. That distinction matters because authentication without authorization still leaves over-permissioned workloads exposed.
The gap is easy to see in NHI programs, where long-lived credentials and excess privilege are common. NHIMG notes that 97% of NHIs carry excessive privileges in its Ultimate Guide to NHIs, which is why identity issuance alone cannot be treated as a complete control. NIST CSF 2.0 reinforces the same operational logic: identity assurance, access enforcement, and continuous oversight are separate functions, not one control surface. In practice, many security teams encounter policy failures only after a valid identity has already been used in ways no one intended.
How It Works in Practice
Think of the identity provider as the system that establishes trust in the requester, and the policy engine as the system that interprets the request in context. The identity provider commonly handles federation, login, token issuance, certificate brokerage, and claims about the subject. The policy engine evaluates whether the subject may perform a specific action on a specific resource under specific conditions.
That separation is especially important for non-human identities, where access patterns are machine-driven and often ephemeral. A workload identity provider may issue a short-lived token to a CI job, while a policy engine decides whether that token can read secrets, deploy code, or call production APIs at that moment. The decision can incorporate attributes such as environment, time, resource sensitivity, approval state, or whether the request is part of a just-in-time workflow. This is why modern guidance increasingly pairs identity with policy-as-code rather than relying on static role assignment alone.
- Identity provider: establishes the subject and issues cryptographic proof of identity.
- Policy engine: evaluates the request against rules, attributes, or context before access is granted.
- Token lifetime: limits the window in which a valid identity can be reused if compromised.
- Continuous evaluation: reduces reliance on one-time login or static role mapping.
For NHI governance, the practical takeaway is that login is not authorization. A service account or API client may authenticate successfully and still be denied access by policy. That pattern aligns with the lifecycle and least-privilege guidance in NHIMG’s Lifecycle Processes for Managing NHIs and with NIST’s emphasis on continuously managing access decisions through the NIST Cybersecurity Framework 2.0.
These controls tend to break down when organisations rely on embedded secrets in CI/CD pipelines because the identity layer becomes indistinguishable from the credential store and policy decisions are bypassed entirely.
Common Variations and Edge Cases
Tighter policy enforcement often increases operational overhead, requiring organisations to balance speed against governance, especially when developers expect frictionless deployment. There is no universal standard for how much logic belongs in the identity provider versus the policy engine, so implementation patterns vary by environment.
Some platforms collapse both functions into one product, but that does not remove the conceptual split. Even when a single vendor provides federation and authorization, the underlying controls still need to be separated in design and audit. Best practice is evolving toward runtime policy evaluation, short-lived credentials, and workload identity backed by cryptographic proof rather than standing privileges. That is especially relevant when agents or automation chains can request access in unpredictable sequences.
For mature programmes, the identity provider should answer, “Who or what is this?” while the policy engine answers, “Should this action be allowed right now?” NHIMG’s breach and governance research, including the 52 NHI Breaches Analysis and the Top 10 NHI Issues, shows how often failures occur when those questions are treated as interchangeable.
In mixed human and machine environments, the edge case is not whether identity exists, but whether policy can still make a correct decision when the subject is a service, workload, or autonomous agent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC | Separates identity assurance from access enforcement and continuous authorization. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived secrets and rotation reduce risk when identity is valid but overused. |
| NIST AI RMF | GOVERN | Autonomous systems need clear accountability for identity and policy decisions. |
Assign ownership for who issues identity and who approves runtime access decisions.
Related resources from NHI Mgmt Group
- What is the difference between certificate lifecycle management and workload identity?
- What is the difference between federation and runtime enforcement in workload identity?
- How should teams decide between Authentik and Keycloak for self-hosted identity?
- How should security teams handle JWT verification changes in a policy engine?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
