Database pushdown means the database enforces the access condition directly as part of the query. Post-filtering means the application retrieves records first and then removes unauthorized rows in code. Pushdown is stronger for governance and scale because it keeps unauthorised data out of the application path whenever the policy language and database can express the rule.
Why This Matters for Security Teams
Database pushdown and post-filtering are not just implementation choices, they define where authorization actually happens. Pushdown makes the database part of the policy enforcement path, which reduces the chance that sensitive rows ever reach application memory. Post-filtering, by contrast, depends on the application to fetch first and decide later, which is easier to build but much harder to trust at scale. That difference matters when the workload is driven by service accounts, API keys, or other NHIs that already have broad access paths.
This becomes especially important in environments with weak visibility into non-human access. NHI Mgmt Group’s Ultimate Guide to NHIs — Key Research and Survey Results notes that only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot confidently prove where authorization is enforced. NIST’s NIST Cybersecurity Framework 2.0 reinforces the need to control access close to the asset, not after data has already moved. In practice, many security teams discover row exposure only after overbroad queries or logging gaps have already leaked the data path.
How It Works in Practice
Pushdown works when the authorization logic can be expressed in the database layer, such as row-level security, column filters, tenant predicates, or view-based restrictions. The application submits a query, and the database enforces the rule before returning results. This is stronger than application-side filtering because unauthorized rows never leave the datastore, which reduces exposure in caches, logs, traces, and in-memory objects. For sensitive NHI-driven workloads, that matters because service-to-service calls often chain multiple reads and transforms before a human ever sees the output.
Post-filtering usually appears when the policy is too complex for the database, the schema is not ready, or the product team wants faster delivery. The application fetches a superset of records, evaluates policy in code, then discards unauthorized rows. That can work for low-risk internal data, but it creates a trust gap: the app must correctly fetch, filter, and never accidentally use the unfiltered result. It also makes auditing harder because the policy decision is separated from the data source.
- Use pushdown when the database can express the rule cleanly and consistently.
- Use post-filtering only when the database cannot represent the policy or the data source is read-only.
- Prefer shared policy logic, such as policy-as-code, so app and database decisions do not drift.
- Test for bypass paths, including exports, background jobs, and analytics queries.
For implementation patterns around authorization boundaries and secret exposure, the Ultimate Guide to NHIs — What are Non-Human Identities is a useful baseline. These controls tend to break down when data is assembled across multiple services because the database can enforce only what it can see, not what downstream code later recombines.
Common Variations and Edge Cases
Tighter database enforcement often increases engineering overhead, requiring organisations to balance stronger protection against schema complexity and developer velocity. That tradeoff shows up most clearly in multi-tenant systems, reporting pipelines, and legacy databases that cannot express modern policy logic cleanly. Current guidance suggests using pushdown wherever possible, but there is no universal standard for every database and workload combination yet.
A common edge case is hybrid enforcement: the database applies coarse-grained tenant or role restrictions, while the application applies finer-grained business rules. This can be reasonable if the database layer removes the most sensitive rows first. Another edge case is analytics, where teams intentionally extract broader datasets for aggregation. In those cases, post-filtering may be acceptable only if the exported dataset is separately governed and the original authorization boundary is preserved.
Another practical limitation is explainability. If policy decisions rely on attributes that the database cannot inspect, such as ticket status or workflow context, pushdown may not be feasible without an external authorization service. For broader access-control context, the NIST Cybersecurity Framework 2.0 and NHI Mgmt Group research help frame where control should sit. The MongoBleed breach is a reminder that exposed data paths often persist long after teams believe access has been contained.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Pushdown reduces exposure of overprivileged NHI access paths. |
| NIST CSF 2.0 | PR.AC-4 | Authorization placement affects how access permissions are enforced. |
| NIST AI RMF | Risk governance applies when policy is split between database and code. |
Map database and application controls to a single access-policy model and review it routinely.
Related resources from NHI Mgmt Group
- What is the difference between embedded authorization rules and centralized policy management?
- What is the difference between attack surface management and NHI governance?
- What is the difference between reviewing human access and reviewing NHIs?
- What is the difference between role-based access and API key governance for NHI security?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
