Encryption protects data by making it unreadable without the correct key, while tokenisation replaces the sensitive value with a non-sensitive substitute that can be used operationally. Tokenisation reduces exposure in workflows and reports, while encryption protects the stored value. Many mature privacy designs use both, but they solve different problems.
Why This Matters for Security Teams
Tokenisation and encryption are often discussed together, but they solve different exposure problems. Encryption is strongest when the goal is to protect data at rest or in transit while preserving recoverability with a key. Tokenisation is stronger when the goal is to keep PII out of operational workflows, logs, analytics, and downstream systems that do not need the original value. That distinction matters because many breaches begin with overexposed secrets and identifiers, not broken cryptography.
NHIMG research shows how quickly sensitive material escapes its intended boundary. In the Guide to the Secret Sprawl Challenge, credential leakage is framed as a lifecycle problem rather than a pure storage problem, and the 2025 State of NHIs and Secrets in Cybersecurity reports that 44% of NHI tokens are exposed in the wild. In practice, many security teams discover the gap only after PII has already been copied into systems that encryption never protected in the first place.
How It Works in Practice
Encryption keeps the original PII intact but unreadable without a key. It is appropriate when a system must store, transmit, or later decrypt the value for legitimate processing. Tokenisation replaces the original value with a surrogate token and stores the mapping in a controlled vault or token service. The token can be used in application flows, reports, or integrations, while the real identifier stays isolated.
That practical difference changes how teams design controls. Encryption is usually managed with key governance, algorithm selection, rotation, and access controls around decryption rights. Tokenisation is usually managed with lookup restrictions, format preservation where needed, detokenisation approval, and strict separation between the token vault and business applications. A mature design often uses both: encryption for the underlying protected store and tokenisation for reducing the blast radius of everyday processing.
For teams aligning to current guidance, the NIST Cybersecurity Framework 2.0 is useful for mapping both methods into broader protect and govern activities. Tokenisation is especially useful where PII appears in customer support tools, analytics pipelines, or cross-system workflows that should never see live identifiers. That is why breach writeups such as the Salesloft OAuth token breach matter: once a usable token is exposed, downstream access can be far more damaging than leakage of an encrypted value that remains unreadable.
- Use encryption when the application still needs the original PII later and decryption can be tightly controlled.
- Use tokenisation when most consumers only need a stable surrogate, not the real identifier.
- Protect the token vault and mapping table as high-value assets.
- Define where detokenisation is allowed, by whom, and under what approvals.
These controls tend to break down when legacy applications require the original format everywhere because token services cannot substitute without redesign.
Common Variations and Edge Cases
Tighter tokenisation often increases operational overhead, requiring organisations to balance reduced PII exposure against integration complexity and lookup latency. That tradeoff is real, especially in environments with many downstream systems, batch jobs, and shared data models. Current guidance suggests treating tokenisation as a data minimisation control, not a universal replacement for encryption.
There is no universal standard for when format-preserving encryption should be preferred over tokenisation. Some environments need a reversible value that still fits fixed-length fields, while others need a non-sensitive surrogate that is safe to expose in logs or customer service tooling. The right choice depends on whether the system needs recoverability, interoperability, or both. If a report only needs record correlation, tokenisation is often better. If a backend service must recover the original PII securely, encryption may be necessary.
Edge cases also arise in distributed architectures. Tokenisation can fail if the mapping service becomes a bottleneck or if applications cache detokenised values longer than intended. Encryption can fail operationally if keys are overexposed or if too many systems are given decryption rights. The Dropbox Sign breach illustrates why long-lived access paths and exposed credentials often matter more than the cryptographic primitive itself. Best practice is evolving, but the core rule remains simple: encrypt data you must retain, tokenise data you do not want to spread.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses exposed tokens and secrets that tokenisation aims to reduce. |
| NIST CSF 2.0 | PR.DS | Data security controls cover encryption, token handling, and protected storage. |
| NIST AI RMF | AI RMF helps govern how protected data is used across automated workflows. |
Inventory sensitive values, replace reusable PII with surrogates, and revoke exposed tokens quickly.
Related resources from NHI Mgmt Group
- What is the difference between attack surface management and NHI governance?
- What is the difference between reviewing human access and reviewing NHIs?
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between human IAM controls and NHI governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
