Subscribe to the Non-Human & AI Identity Journal
Home FAQ When should organisations choose an enclave instead of…

When should organisations choose an enclave instead of migrating the whole tenant?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

An enclave is usually the better option when only a subset of users or systems handles CUI, especially if the rest of the organisation can stay on commercial services. It narrows the identity boundary, reduces privileged-access sprawl, and lowers the documentation burden. That makes assessment easier without overbuilding the environment.

Why This Matters for Security Teams

An enclave is not just a cheaper way to avoid a full tenant move. It is a boundary decision about where regulated data, privileged access, and identity control need to be isolated. For teams handling CUI alongside normal business workloads, the practical question is whether the whole organisation needs the same security and compliance treatment, or whether a smaller controlled zone can absorb the stricter requirements without disrupting everything else. That distinction matters because over-migration often creates unnecessary operational drag, while under-scoping can leave sensitive access too widely distributed. This is especially relevant when non-human identities are involved. NHIMG notes that NHIs outnumber human identities by 25x to 50x in modern enterprises in its Ultimate Guide to NHIs, which means enclave design can quickly become an identity governance problem, not just a hosting choice. Security teams should think in terms of least privilege, segmentation, and evidence collection rather than platform preference. Current guidance from the NIST Cybersecurity Framework 2.0 supports this posture-based approach. In practice, many security teams discover the need for an enclave only after access sprawl, documentation gaps, or assessment delays have already made a full tenant migration impractical.

How It Works in Practice

In practice, organisations choose an enclave when the regulated workload can be isolated by identity, network, and data handling rules while the broader tenant remains on commercial services. That usually means creating a separate boundary for a defined set of users, applications, service accounts, and data flows, then applying stricter logging, access review, and retention controls to only that slice of the environment. The operational advantage is that the enclave can be designed around the actual compliance scope. If only a small team touches CUI, the enclave holds the identities, endpoints, APIs, and storage used by that team. Everything else stays outside the higher-assurance boundary. That can reduce privileged access management complexity and limit the number of secrets that need hardened storage, rotation, and review. It also makes it easier to prove which systems are in scope during assessment, which is often the real bottleneck. NHIMG’s Ultimate Guide to NHIs highlights how often secrets and service accounts are mismanaged, which is exactly why enclave scoping should include non-human identities from day one. A practical implementation usually includes:
  • Separate identity policies for enclave users and service accounts.
  • Restricted administrative access with clear approval and logging.
  • Dedicated data classification rules for CUI or similarly sensitive content.
  • Monitoring and evidence collection aligned to the enclave boundary.
  • Explicit ingress and egress controls so regulated data does not drift into general-purpose systems.
The best-fit use case is a mixed environment where only some workflows need elevated controls, not an enterprise-wide rebuild. These controls tend to break down when regulated workflows are deeply embedded across shared SaaS tenants, because identity boundaries and data paths cannot be cleanly separated without major redesign.

Common Variations and Edge Cases

Tighter enclave scoping often increases operational overhead, requiring organisations to balance compliance simplicity against duplicated administration and user friction. That tradeoff is usually acceptable for bounded CUI workloads, but it becomes harder when the same people need frequent access to both regulated and unregulated systems. There is no universal standard for when an enclave is mandatory versus merely sensible, so current guidance suggests basing the decision on scope, identity complexity, and evidence burden. If the regulated population is small, an enclave can be the faster and safer route. If the regulated data is everywhere, a tenant-wide migration may be cleaner than maintaining constant cross-boundary exceptions. The main edge cases are hybrid identities and shared automation. Service accounts, API keys, and agentic workflows often cross the boundary even when humans do not, so enclave design must include machine identities, not just employee accounts. That is where identity governance intersects directly with the enclave decision. Teams should also be cautious when third-party integrations or remote support tools need access into the enclave, because those pathways can quietly recreate the same privileged-access sprawl the enclave was meant to reduce. For broader security programme alignment, the enclave should still map to baseline control expectations in NIST Cybersecurity Framework 2.0, but the internal decision is really about containment, auditability, and how much of the tenant must be pulled into the regulated trust boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 provides the primary governance reference for this topic.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Enclaves rely on least-privilege access and controlled identity boundaries.

Limit enclave access to approved identities and review entitlements regularly.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org