They matter because identity, cloud, endpoint, and workload telemetry rarely share the same shape or investigative value. A schema-less core preserves source richness and reduces the risk that early normalisation strips away fields needed for correlation, access analysis, or threat detection.
Why This Matters for Security Teams
Schema-less architecture matters because identity and security telemetry are not just high volume, they are structurally uneven. A service account event, a cloud audit log, a CASB record, and an endpoint alert may each expose different fields, nested objects, and vendor-specific metadata. If a platform forces early normalisation, investigators can lose the source detail needed to reconstruct privilege use, correlate access paths, or spot stealthy misuse across systems.
This is especially important in NHI programs, where the real risk often sits in the hidden fields: token audience, scope, expiry, issuer, client app, workload lineage, and permission drift. NHI Mgmt Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which shows how often critical identity context is lost before it is analysed. That visibility gap becomes worse when pipelines flatten data too soon.
The security issue is not storage format alone. It is whether the platform preserves investigative fidelity long enough for detections, access reviews, and incident response to use the original evidence. In practice, many security teams discover the cost of premature schema decisions only after an incident has already removed the one field that would have explained it.
How It Works in Practice
In a schema-less design, the ingestion layer stores events in their native or near-native shape, then adds structure gradually through indexing, enrichment, and query-time interpretation. That lets teams keep raw identity and security records intact while still making them searchable. The result is better support for heterogeneous sources such as IdP logs, API gateway events, cloud control plane telemetry, endpoint activity, and workload identity records.
For identity-centric use cases, this approach is valuable because the same actor can appear under different shapes in different systems. One log may show a user, another a service principal, another a short-lived token, and another a workload identity. Preserving that variation makes it easier to correlate access chains without forcing all records into a single brittle template. The Ultimate Guide to NHIs and the State of Non-Human Identity Security both point to the same operational reality: visibility is often the limiting factor, not the absence of data.
- Keep raw source fields intact so investigators can inspect original claims, scopes, timestamps, and issuer data.
- Apply lightweight metadata at ingest, such as source type, tenant, environment, and trust zone.
- Use query-time enrichment to map different identity objects into common investigative views.
- Store normalization rules as reversible logic where possible, not as destructive transformations.
Current guidance from frameworks such as the NIST Cybersecurity Framework 2.0 supports preserving data quality for detection and response, while implementation patterns from SPIFFE reinforce the value of workload identity context that remains machine-readable across systems. These controls tend to break down when teams force all telemetry into one schema before they know which fields matter for correlation across identity providers, cloud control planes, and application logs.
Common Variations and Edge Cases
Tighter normalization often increases operational simplicity, requiring organisations to balance search consistency against forensic fidelity. That tradeoff becomes visible when compliance teams want standard fields for reporting but incident responders need the original payload to understand what actually happened.
Best practice is evolving here. There is no universal standard for how much structure should be imposed at ingest versus at query time, especially in mixed environments with SaaS logs, cloud-native telemetry, and legacy identity systems. In regulated environments, some teams introduce a dual-path model: raw data is retained for investigation, while curated views are built for reporting and routine monitoring.
Edge cases matter most when vendors emit deeply nested JSON, when identity fields differ by tenant or region, or when a platform must retain evidence for legal hold and chain-of-custody purposes. Schema-less does not mean structure-free; it means structure should be flexible and additive. That is particularly useful for NHI sources where service account attributes, token claims, and machine identity metadata change across tools and across time. For deeper NHI context, NHI Mgmt Group’s Top 10 NHI Issues is a practical companion reference.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Schema retention supports preserving NHI context for investigation and correlation. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring depends on retaining source telemetry detail. |
| NIST AI RMF | GOV-2 | Risk governance needs traceable data provenance and context. |
Define data lineage and retention rules before normalizing identity and security records.
Related resources from NHI Mgmt Group
- How should banks strengthen Active Directory security without moving to cloud identity?
- Which identity controls matter most when third-party access reaches production systems?
- How should security teams decide whether JIT access is safe for non-human identities?
- What is the difference between code scanning and runtime identity monitoring?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org