Actor Type

By NHI Mgmt Group. Updated June 8, 2026. Domain: Foundations & NHI Taxonomy.

Actor type is the governance classification of the identity subject, such as human, non-human, or autonomous. The distinction matters because different actor types create different trust assumptions, lifecycle requirements, and access risks, even when they use similar credentials or access the same systems.

Expanded Definition

Actor type is the governance classification of the identity subject, and in NHI security it determines whether an identity is treated as a person, a workload, or an autonomous software actor. That classification drives the controls that follow, including authentication strength, approval flows, lifecycle ownership, and revocation timing.

The distinction matters because two identities can present similar credentials and reach the same system while carrying very different risk. A human actor type is usually tied to employment, training, and direct accountability. A non-human actor type often maps to service accounts, API keys, workload identities, or certificates. An autonomous actor type introduces execution authority that may change dynamically based on tool use, prompts, or policy. Definitions vary across vendors for autonomous and agentic actors, so governance teams should anchor the classification in observable behavior, not product labels. For broader NHI context, NHI Management Group’s Ultimate Guide to NHIs is a useful reference, and the identity assurance logic aligns conceptually with the NIST Cybersecurity Framework 2.0.

The most common misapplication is classifying every access path by credential type alone, for example assuming that all API-driven access is non-human even when a human is the accountable operator.

Examples and Use Cases

Implementing actor type rigorously often introduces classification overhead, requiring organisations to weigh cleaner governance and stronger policy decisions against the cost of maintaining accurate identity inventory.

  • A CI/CD pipeline uses a workload identity to deploy containers, so the actor type is non-human even though a developer triggered the job.
  • An AI assistant with tool access reads tickets, creates changes, and calls internal APIs, so governance teams may classify it as autonomous rather than simple non-human.
  • A break-glass administrator signs in to approve an emergency access request, which remains a human actor type even if a script later automates the follow-up action.
  • A partner integration authenticates with a certificate and scoped API token, requiring treatment as an external non-human actor with separate ownership and revocation rules.
  • NHI Management Group’s Ultimate Guide to NHIs highlights why service accounts and API keys need distinct lifecycle controls, while standards-oriented teams often map the same operational question to NIST Cybersecurity Framework 2.0 categories for access and governance.
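As an added illustration (not part of the original glossary entry), the Python below encodes the rule these examples imply: anchor actor type in observable behaviour rather than in the credential presented, and flag inventory entries where a credential-only rule would disagree. The record schema, the attribute names and the sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class ActorType(Enum):
    HUMAN = "human"
    NON_HUMAN = "non-human"
    AUTONOMOUS = "autonomous"


@dataclass(frozen=True)
class IdentityRecord:  # observable attributes of one inventory entry (hypothetical schema)
    name: str
    credential_kind: str        # e.g. "password+mfa", "api_key", "workload_identity", "certificate"
    accountable_operator: bool  # a named person directly performs and answers for the access
    runs_as_workload: bool      # the access is executed by a service, job or integration itself
    tool_use: bool              # the subject calls tools/APIs to take actions
    dynamic_authority: bool     # what it may do can change at run time (prompts, tools, policy)
    external: bool = False      # owned by a partner rather than the organisation


def classify_by_credential(rec: IdentityRecord) -> ActorType:
    """The misapplication described above: the credential type alone decides."""
    return ActorType.HUMAN if rec.credential_kind.startswith("password") else ActorType.NON_HUMAN


def classify_by_behavior(rec: IdentityRecord) -> ActorType:
    """Anchor the classification in observable behaviour, not in the credential presented."""
    if rec.tool_use and rec.dynamic_authority:
        return ActorType.AUTONOMOUS      # execution authority changes with tools and prompts
    if rec.runs_as_workload:
        return ActorType.NON_HUMAN       # a workload acts, even if a person triggered it
    if rec.accountable_operator:
        return ActorType.HUMAN           # a person is the direct, accountable operator
    return ActorType.NON_HUMAN           # nobody answers directly: treat as a machine identity


def governance_label(rec: IdentityRecord) -> str:
    """Label used to select owner and revocation rules; partner identities get their own bucket."""
    actor = classify_by_behavior(rec)
    return f"external {actor.value}" if rec.external and actor is not ActorType.HUMAN else actor.value


def credential_only_mismatches(inventory):
    """Names whose credential-only classification disagrees with the behavioural one."""
    return [r.name for r in inventory if classify_by_credential(r) is not classify_by_behavior(r)]


INVENTORY = [  # constructed sample mirroring the examples above, not real identities
    # name, credential, accountable_operator, runs_as_workload, tool_use, dynamic_authority, external
    IdentityRecord("ci-deployer", "workload_identity", False, True, False, False),   # CI/CD job
    IdentityRecord("ticket-assistant", "api_key", False, True, True, True),          # AI assistant with tools
    IdentityRecord("breakglass-admin", "password+mfa", True, False, False, False),   # emergency approver
    IdentityRecord("partner-sync", "certificate", False, True, False, False, True),  # partner integration
    IdentityRecord("ops-engineer-cli", "api_key", True, False, False, False),        # person using an API key
]
```

Running `credential_only_mismatches(INVENTORY)` surfaces the AI assistant (autonomous, not merely non-human) and the engineer using an API key from a CLI (human, despite the machine-style credential).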

Why It Matters in NHI Security

Actor type is not a taxonomy exercise. It determines who owns the identity, how trust is established, what evidence is required for approval, and how quickly access should be revoked when the role changes or the system is compromised. When actor types are blurred, organisations often apply human-centric controls to machine identities, or machine-style automation to autonomous agents that can take actions beyond their original scope.

That mismatch is dangerous because NHI risk is already concentrated in identities that are not well governed. NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. The same governance gap can appear in agentic systems, where an autonomous actor inherits privileges faster than security teams can review them. The operational lesson is that actor type must be explicit before access policy, privilege design, or offboarding can be trusted. For the broader NHI problem set, the Ultimate Guide to NHIs and the control objectives in NIST Cybersecurity Framework 2.0 both reinforce the need for clear identity ownership and access governance.

Organisations typically encounter actor type confusion only after a service account leak, an overprivileged automation failure, or an unauthorised action by an AI agent, at which point the classification becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Actor type drives how non-human identities are classified and governed across their lifecycle. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control depend on knowing whether the actor is human, machine, or autonomous. |
| OWASP Agentic AI Top 10 | AGENT-02 | Autonomous actors need separate governance because tool use and execution authority expand risk. |

Tie access decisions to explicit actor classification and document the control owner for each identity type.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 8, 2026.