Fleet querying answers targeted investigative questions across many systems at a point in time, while continuous detection watches for suspicious activity as it happens. They serve different jobs. Organisations usually need both: detection to raise suspicion, and fleet querying to confirm scope, gather context, and support containment decisions.
Why This Matters for Security Teams
Fleet querying and continuous detection solve different operational problems, and teams that blur them usually end up with gaps in either speed or certainty. Continuous detection is built to notice suspicious behaviour as it unfolds, while fleet querying is built to answer focused questions across a population of systems after an alert, incident, or audit trigger. That distinction matters for NHI environments because service accounts, API keys, and other non-human identities can move quietly across many workloads before a human analyst sees the pattern.
The problem is amplified by the scale and exposure of NHI estates. NHI Mgmt Group notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, and the Ultimate Guide to NHIs — What are Non-Human Identities shows how quickly that volume creates visibility blind spots. In practice, fleet querying helps establish whether an alert is isolated or widespread, while detection helps surface the alert in the first place. The NIST Cybersecurity Framework 2.0 reinforces this split by treating monitoring and incident response as complementary functions, not substitutes. In practice, many security teams encounter the difference only after a token has already been reused across multiple systems, rather than through intentional investigation design.
How It Works in Practice
Continuous detection is event-driven. It watches logs, telemetry, identity signals, network activity, and workload behaviour for indicators such as unusual token use, abnormal geolocation, impossible travel, privilege escalation, or a secret being used from an unexpected workload. Its job is to shorten time to alert. Fleet querying is question-driven. It runs the same or similar checks across many assets at a point in time, usually to answer: where is this secret deployed, which service accounts still use it, what systems were touched, and what is the blast radius?
For NHI operations, that usually means combining telemetry with inventory. A mature workflow often looks like this:
- Detection flags suspicious activity on one identity or workload.
- Fleet querying checks where that identity, token, certificate, or key exists elsewhere.
- Analysts correlate results with lifecycle data, ownership, and rotation status from the NHI Lifecycle Management Guide.
- Containment decisions are made faster because scope is known, not assumed.
This model aligns with the investigative guidance in the Top 10 NHI Issues, especially where excessive privilege, weak rotation, or poor visibility turn a single secret into an enterprise-wide exposure. NIST CSF 2.0 supports this operational pairing by emphasizing both continuous monitoring and response coordination. Fleet querying becomes especially valuable when responders need to determine whether one compromise is actually many, or whether a dormant credential has already propagated through CI/CD, scripts, and runtime configs. These controls tend to break down when telemetry is fragmented across cloud, SaaS, and on-prem systems because investigators cannot reliably join identity events to asset state.
Common Variations and Edge Cases
Tighter detection coverage often increases alert volume and engineering overhead, requiring organisations to balance early warning against investigation fatigue. That tradeoff becomes obvious in environments with ephemeral workloads, federated identities, or highly dynamic secrets distribution, where continuous detection alone may not preserve enough context to answer containment questions and fleet querying alone may miss the first sign of abuse.
There is no universal standard for this yet, but current guidance suggests treating fleet querying as the verification layer and continuous detection as the alerting layer. Some teams also use fleet queries proactively during hygiene campaigns, for example to find stale service accounts, secrets outside vaults, or certificates nearing expiry. The Ultimate Guide to NHIs notes that visibility and rotation gaps are common, so query-based discovery is often the only practical way to measure exposure before an incident forces the issue. The key edge case is when assets are so short-lived that by the time a query runs, the workload has already terminated and the evidence has disappeared. In those environments, teams need stronger event capture at the source, not just better search after the fact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Fleet querying and detection both depend on knowing where NHIs exist. |
| NIST CSF 2.0 | DE.CM-01 | Continuous detection is a core monitoring capability in CSF. |
| NIST AI RMF | Agentic or automated workloads need monitoring and contextual oversight. |
Instrument identity and workload telemetry so suspicious activity is detected in near real time.
Related resources from NHI Mgmt Group
- What is the difference between prompt injection risk and identity abuse in agents?
- What is the difference between SAST and DAST for security teams?
- What are effective practices for operationalizing NHI threat detection?
- What is the difference between vulnerability scanning and continuous exposure management?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
