
Why do behavioural baselines matter more when attackers use AI?

By NHI Mgmt Group Editorial Team | Updated June 27, 2026 | Domain: Threats, Abuse & Incident Response

AI lets attackers generate many slightly different lures, which makes signature matching brittle. Behavioural baselines matter because they compare the activity to what is normal for the user, relationship, or workflow, then flag deviations even when the exact attack has never been seen before. That gives defenders a stable reference when the adversary can mutate on demand.

Why Behavioural Baselines Matter When Attackers Use AI

AI changes the defender’s problem from spotting a familiar attack pattern to spotting abuse that can be rewritten on demand. Static signatures and simple rules miss that variability, while behavioural baselines still compare activity against expected relationships, timing, and tool use. That matters for NHI security because compromised secrets, service accounts, and agent credentials are often abused in ways that look legitimate at the protocol layer but wrong at the workflow layer. NHIMG’s research on the 52 NHI Breaches Analysis shows how often identity abuse is discovered through anomalous behaviour rather than first-party detection. The same pattern is now visible in AI-enabled intrusion campaigns described by CISA cyber threat advisories.

For practitioners, the core value is not that baselines catch every attack, but that they create a stable reference when the adversary can rapidly vary inputs, timing, and infrastructure. In practice, many security teams encounter baseline drift only after an AI-assisted attacker has already blended into normal automation and moved laterally through trusted identities.

How Behavioural Baselines Work in Practice

A useful baseline is built around normality at the level that matters: user, workload, service account, API token, or AI agent. For NHI and agentic systems, that usually means tracking what the identity actually does, not just whether it authenticated successfully. The best current guidance suggests pairing identity telemetry with runtime context so detection can answer questions like: Is this secret being used from a new geography, at an unusual hour, against a new resource, or in a new sequence of tool calls?

In a mature program, baselines are refreshed from recent trustworthy activity and evaluated continuously, not set once and forgotten. That approach fits findings in NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks, where identity sprawl and weak visibility make static assumptions unreliable. It also aligns with the threat patterns in the Anthropic — first AI-orchestrated cyber espionage campaign report, which shows how AI can amplify reconnaissance and operational variability.

  • Baseline the normal call graph for each service or agent, including upstream and downstream dependencies.
  • Flag changes in volume, velocity, sequence, and destination, not only failed logins.
  • Score risk higher when new behaviour combines with exposed secrets or unusual privilege use.
  • Use baselines as one signal in a broader response path that can revoke, isolate, or reissue access.

This works best when telemetry is rich enough to separate expected automation from attacker mimicry. These controls tend to break down when logging is sparse, identities are shared across many workflows, or a single AI agent legitimately changes behaviour too often to model cleanly.
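
The baseline-and-score approach from the list above, sketched as an added example (not code from NHIMG or any product). The event tuple shape, the identity name, the reason labels, the 3x spike threshold and the doubling for exposed secrets are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

def build_baseline(events):
    """Per identity: sources, hours, resources, call edges and peak hourly volume seen."""
    base, last, per_hour = {}, {}, defaultdict(int)
    for ts, ident, source, resource in sorted(events):
        b = base.setdefault(ident, {"source": set(), "hour": set(), "resource": set(),
                                    "edge": set(), "peak": 0})
        b["source"].add(source)
        b["hour"].add(datetime.fromisoformat(ts).hour)
        b["resource"].add(resource)
        if ident in last:
            b["edge"].add((last[ident], resource))  # sequence: previous call -> this call
        last[ident] = resource
        per_hour[ident, ts[:13]] += 1               # bucket by YYYY-MM-DDTHH
        b["peak"] = max(b["peak"], per_hour[ident, ts[:13]])
    return base

def score(base, window, exposed=frozenset(), spike=3):
    """Return {identity: (risk, sorted reasons)}; exposed = identities with leaked secrets."""
    reasons, last, per_hour = defaultdict(set), {}, defaultdict(int)
    for ts, ident, source, resource in sorted(window):
        b = base.get(ident)
        if b is None:
            reasons[ident].add("unknown identity")
            continue
        if source not in b["source"]:
            reasons[ident].add("new source")
        if datetime.fromisoformat(ts).hour not in b["hour"]:
            reasons[ident].add("unusual hour")
        if resource not in b["resource"]:
            reasons[ident].add("new destination")
        if ident in last and (last[ident], resource) not in b["edge"]:
            reasons[ident].add("new call sequence")
        last[ident] = resource
        per_hour[ident, ts[:13]] += 1
        if per_hour[ident, ts[:13]] > spike * b["peak"]:
            reasons[ident].add("volume spike")
    # Assumed weighting: novelty on an identity with a known-exposed secret counts double.
    return {i: (len(r) * (2 if i in exposed else 1), sorted(r)) for i, r in reasons.items()}

# Constructed sample data (not real logs): two normal CI runs, then one odd session.
HISTORY = [(f"2026-06-0{d}T09:0{m}:00", "svc-ci-deploy", "10.0.1.5", r)
           for d in (1, 2) for m, r in enumerate(["vault:read", "registry:push", "k8s:deploy"])]
WINDOW = [("2026-06-03T03:10:00", "svc-ci-deploy", "203.0.113.7", "vault:read"),
          ("2026-06-03T03:11:00", "svc-ci-deploy", "203.0.113.7", "iam:list-keys")]
if __name__ == "__main__":
    print(score(build_baseline(HISTORY), WINDOW, exposed={"svc-ci-deploy"}))
```

Both calls in the odd session authenticate successfully; the score comes only from source, hour, destination and sequence, and a replay of the normal run produces no entry at all.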

Where Behavioural Baselines Break Down and What to Do About It

Tighter behavioural detection often increases tuning overhead, requiring organisations to balance sensitivity against alert fatigue. That tradeoff is real in fast-moving environments where CI/CD pipelines, ephemeral workloads, and AI agents legitimately vary their execution paths. Current guidance suggests treating baselines as adaptive guardrails, not hard rules, because there is no universal standard for how much drift is acceptable yet. NHIMG’s LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows why this matters: once an attacker gets a working identity, behavioural abuse can look like ordinary service activity until the pattern is examined holistically.

The main edge case is highly autonomous systems. An AI agent that can choose tools, chain prompts, or change routes based on live context may generate legitimate novelty every day, which weakens simple baselines. In those environments, practitioners should combine behavioural detection with policy checks, workload identity, and just-in-time privilege so anomalous action is denied even before it is classified. The DeepSeek breach is a reminder that exposed data and credentials can accelerate this problem by giving attackers both access and camouflage.

Behavioural baselines matter most when the environment already contains high churn, shared trust, or machine-speed abuse. In those conditions, the baseline should be used to narrow suspicion and trigger containment, not as the sole decision point.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | Behavioural anomaly detection helps spot misuse of non-human identities.
OWASP Agentic AI Top 10 | A-05 | Agentic systems need runtime checks because behaviour can mutate during execution.
NIST AI RMF | | AI RMF addresses monitoring, measurement, and ongoing risk management for AI systems.

Baseline normal NHI activity and alert on deviation in source, sequence, or resource use.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org