Data in motion controls fail when organisations assume the network path is trustworthy. Transport encryption protects confidentiality on the wire, but it does not stop compromised endpoints, stolen session tokens, or over-broad workload permissions. Teams need identity verification and session monitoring, not just TLS.
Why This Matters for Security Teams
Data-in-motion controls are often treated as a solved problem once TLS is enabled, but that assumption breaks down the moment an attacker reaches a trusted endpoint, steals a session token, or abuses an over-permissioned workload. The traffic may be encrypted, yet the identity riding inside the session is still exploitable. Guidance from CISA cyber threat advisories consistently shows that adversaries target identity and trust boundaries, not just the wire.
This is why NHI governance matters even in well-defended environments. The real control point is not the transport layer alone, but whether the endpoint, workload, or agent presenting the credential should still be trusted at that moment. NHIMG's Ultimate Guide to NHIs highlights how quickly exposed credentials become operationally dangerous, which is exactly why encryption without identity assurance leaves a false sense of safety. In practice, many security teams discover this only after a token replay, lateral movement event, or privileged API call has already succeeded.
How It Works in Practice
Effective data-in-motion protection combines transport security with runtime identity checks. TLS still matters for confidentiality and integrity on the wire, but it should be paired with workload identity, short-lived credentials, and policy decisions that evaluate each request in context. For machine-to-machine traffic, that usually means validating the workload or service identity rather than trusting the source network segment.
Practitioners increasingly rely on a layered model: identity proof, session binding, and continuous verification. That can include SPIFFE-style workload identities, OIDC-backed service tokens, mutual TLS where appropriate, and policy engines that inspect the request before allowing access to sensitive services. The operational goal is simple: reduce the value of any captured credential by making it short-lived, scoped, and difficult to reuse outside its intended session.
- Use transport encryption to protect confidentiality, but do not treat it as access control.
- Bind sessions to workload identity so a stolen token is not enough on its own.
- Prefer short TTLs and automated revocation for secrets and service credentials.
- Monitor for unusual request patterns, replay attempts, and lateral movement between services.
Current guidance suggests pairing these controls with policy-as-code and continuous telemetry rather than relying on static allowlists. This is especially important when credentials are embedded in automation, pipelines, or AI-driven services, because compromise often happens outside the network path itself. Recent NHIMG coverage of LLMjacking shows how fast attackers move once they obtain usable non-human credentials. These controls tend to break down when long-lived secrets are reused across many services because one compromised session can be replayed across the environment.
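The layered model described above (identity proof, session binding, short TTLs, scoped audiences, and replay monitoring) is easier to reason about with a concrete verifier in hand. The following is an added example written for this page, not NHIMG's code or any product's API: a minimal HMAC-signed token bound to a SPIFFE-style workload identity that the verifier assumes has already been proven on the mTLS connection. The token format, claim names, service names, and SPIFFE IDs are illustrative assumptions, and the signing key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key shared by the token issuer and the verifier (placeholder only).
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, aud: str, bound_identity: str, ttl_s: int, now: float) -> str:
    """Issue a short-lived token scoped to one audience and bound to one workload identity."""
    claims = {
        "sub": sub,                  # who the token speaks for
        "aud": aud,                  # the only service allowed to accept it
        "cnf": bound_identity,       # workload identity the presenter must prove via mTLS
        "exp": int(now) + ttl_s,     # short TTL bounds the replay window
        "jti": secrets.token_hex(8), # unique id so the verifier can detect reuse
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class Verifier:
    """Evaluates each request in context: signature, expiry, audience, identity binding, replay."""

    def __init__(self, service_name: str):
        self.service_name = service_name
        self._seen_jti: set[str] = set()  # hypothetical in-memory replay cache

    def authorize(self, token: str, peer_identity: str, now: float) -> tuple[bool, str]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["aud"] != self.service_name:
            return False, "wrong audience"
        # The core control: the identity proven on the wire must match the token's binding.
        if claims["cnf"] != peer_identity:
            return False, "identity mismatch"
        if claims["jti"] in self._seen_jti:
            return False, "replay"
        self._seen_jti.add(claims["jti"])
        return True, "ok"


def demo() -> dict[str, str]:
    """Walk through the failure modes the guidance describes and return each outcome."""
    now = time.time()
    checkout = "spiffe://example.org/ns/shop/sa/checkout"   # assumed legitimate workload
    attacker = "spiffe://example.org/ns/shop/sa/attacker"   # assumed compromised workload
    orders = Verifier("orders-api")
    tok = mint_token("svc-checkout", "orders-api", checkout, ttl_s=300, now=now)
    results = {}
    # Legitimate call from the checkout workload over mTLS.
    results["legit"] = orders.authorize(tok, checkout, now)[1]
    # Same token exfiltrated and replayed from a different workload: binding fails.
    results["stolen"] = orders.authorize(tok, attacker, now)[1]
    # Checkout itself presents the token a second time: the jti is already consumed.
    results["reuse"] = orders.authorize(tok, checkout, now)[1]
    # Token presented to a service it was never scoped to.
    billing = Verifier("billing-api")
    results["scope"] = billing.authorize(tok, checkout, now)[1]
    # Same token after its TTL has elapsed.
    results["expired"] = Verifier("orders-api").authorize(tok, checkout, now + 301)[1]
    # Body rewritten to widen the audience: the signature no longer matches.
    body, sig = tok.split(".")
    tampered = _b64(_unb64(body).replace(b"orders-api", b"billing-api")) + "." + sig
    results["tampered"] = billing.authorize(tampered, checkout, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The ordering of checks matters for telemetry: an "identity mismatch" on an otherwise valid, unexpired token is the signal that a credential has left the workload it was issued to, which is the replay or lateral-movement event the monitoring bullet above asks teams to watch for. In production the replay cache would live in a shared store with the same TTL as the tokens, and the binding would be checked against the peer certificate's SPIFFE ID rather than a string passed in by the caller.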
Common Variations and Edge Cases
Tighter session binding often increases operational overhead, requiring organisations to balance stronger assurance against service uptime and developer friction. That tradeoff becomes visible in legacy environments, high-throughput APIs, and systems that cannot easily support mutual authentication or frequent token rotation. Best practice is evolving, and there is no universal standard for every environment.
For internal east-west traffic, some teams over-index on network segmentation and ignore service identity, while others push zero trust too far without considering latency, retry behaviour, or downstream dependency chains. The right answer depends on whether the traffic is human-driven, workload-to-workload, or agentic. For AI agents and automation, static perimeter rules are usually weaker because the agent can chain tools, request new permissions mid-task, and reuse privileges in ways the original design did not anticipate.
NHIMG’s Ultimate Guide to NHIs — Standards is useful when teams need to align transport controls with identity governance rather than treating them as separate programs. The main exception is highly constrained legacy transport where identity assertions are not yet available, in which case compensating controls such as gateway enforcement, narrow allowlists, and aggressive secret rotation become necessary. Even then, encryption alone remains insufficient once the endpoint is compromised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage) | Covers secrets exposure and reuse that undermine encrypted sessions. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorisations are managed and enforced with least privilege; session trust is governed beyond network encryption. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust | Zero trust requires per-request identity verification and session validation rather than trusted networks. |
Replace long-lived secrets with short-lived, scoped NHI credentials and rotate aggressively.
Related resources from NHI Mgmt Group
- Why do backups still fail during cloud outages even when the data is intact?
- Why do traditional access controls fail to protect sensitive data in cloud and AI environments?
- Why do IdP backups fail even when the exported data looks complete?
- Why do secrets create disproportionate risk in NHI environments?
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org