Request-scoped caching lives only for one HTTP request and cannot leak across users or sessions. A shared application cache persists longer, which can improve reuse but raises correctness and isolation risks when the underlying data changes. For identity-adjacent data, request scope is the safer default.
Why This Matters for Security Teams
Request-scoped caching and a shared application cache solve different problems, but identity-adjacent data makes the distinction security-critical. Request scope is isolated to one transaction, which reduces cross-user contamination and avoids stale authorisation decisions. A shared cache can improve performance, but it also expands the blast radius if cached permissions, tokens, or account state outlive the conditions that created them. That is why NHI Management Group highlights that 97% of NHIs carry excessive privileges in the Ultimate Guide to NHIs — Key Challenges and Risks.
For security teams, the main question is not speed versus cleanliness, but whether cached data can change a decision after the underlying identity, secret, or policy has changed. The OWASP Non-Human Identity Top 10 treats stale credentials and over-retained identity data as recurring failure modes because they are easy to miss during normal development. Shared caches are not inherently unsafe, but they require explicit invalidation, tight key design, and clear scoping rules. In practice, many security teams discover cache-related identity exposure only after a permission change, token revocation, or tenant crossover has already occurred, rather than through intentional testing.
How It Works in Practice
Request-scoped caching exists only for the lifetime of a single request. A handler, middleware layer, or framework service stores values in memory for reuse during that one execution path, then discards them when the response completes. That makes it well suited for repeated lookups inside a request, such as resolving the same user profile, permission set, or policy input more than once without re-querying the backend.
A shared application cache persists across requests, sessions, and often users. It is useful when many requests need the same stable data, but the security model changes because the cache now becomes a shared trust boundary. If the cached object is identity-sensitive, the cache key must encode the dimensions that matter, such as user, tenant, role, environment, and version. Otherwise one request can accidentally consume another request’s data.
- Use request scope for ephemeral identity checks, per-request enrichment, and derived authorisation decisions.
- Use shared cache only for data that is safe to reuse across callers and still correct if the underlying source changes.
- Invalidate shared cache entries on role changes, secret rotation, offboarding, or policy updates.
- Keep sensitive values out of shared cache unless the design includes strong isolation and short TTLs.
For NHI-heavy systems, cache design should align with lifecycle controls described in Ultimate Guide to NHIs — What are Non-Human Identities, because API keys, service accounts, and tokens can change independently of application uptime. Standards guidance from OWASP Non-Human Identity Top 10 also supports minimizing the lifetime and spread of reusable identity material. These controls tend to break down when shared caches are used for tenant-specific permissions in multi-tenant services because one stale entry can persist long enough to serve the wrong principal.
Common Variations and Edge Cases
Tighter cache isolation often increases latency and backend load, so teams have to balance performance against correctness and blast radius. That tradeoff becomes sharper when the cached object is not just data, but an identity decision or secret-adjacent artifact.
Best practice is evolving for distributed systems. Some platforms use per-request memoisation plus a small shared cache for non-sensitive reference data, while others rely on event-driven invalidation or versioned cache keys. In high-change environments, shared caches can be correct only if the application can reliably detect change events and remove stale entries quickly. There is no universal standard for this yet; current guidance suggests treating identity, privilege, and secret material as short-lived by default.
Common edge cases include background jobs, async workers, and federated services. A request-scoped pattern may not exist in those flows, so teams often simulate a unit of work boundary instead. Likewise, caches that are safe for public product metadata are usually not safe for auth context, entitlement data, or NHI credentials. If a cache entry can affect who may act, not just what can be displayed, it needs stricter review than ordinary application state.
Security teams that follow the cache distinction consistently tend to prevent access drift before it reaches production, because they design for revocation and isolation first rather than retrofitting it after a stale decision has already been reused.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Cached secrets and credentials need short lifetimes and fast revocation. |
| NIST CSF 2.0 | PR.AC-4 | Shared caches can widen access paths if identity context is not isolated. |
| NIST AI RMF | AI systems and automated decisioning need reliable context and freshness. |
Scope cached identity data to the right principal and review access paths for cross-user leakage.
Related resources from NHI Mgmt Group
- What is the difference between privilege reduction and secret rotation?
- What is the difference between a rules-based secret scanner and a hybrid scanner?
- What is the difference between code scanning and runtime identity monitoring?
- What is the difference between zero trust for users and zero trust for NHIs?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
