Application control is the enforcement of which software may run on a device and under what conditions. It is a key governance layer because unauthorized or unsafe code can undermine access assurance even when authentication and device enrolment are in place.
Expanded Definition
Application control is the policy layer that decides which binaries, scripts, packages, and interpreters may execute on a system, and whether they may run only in approved contexts. In NHI and agentic environments, this goes beyond blocking unknown software. It is a governance control that helps preserve the trustworthiness of service accounts, automation hosts, build systems, and AI execution environments. Definitions vary across vendors, but the core intent is consistent with allowlisting, reputation-based restrictions, and execution policy enforcement under NIST Cybersecurity Framework 2.0. For NHI security, application control is most valuable when paired with device hardening, least privilege, and secrets hygiene, because approved software can still become a credential theft path if it is not constrained.
At NHI Management Group, application control is best understood as an identity-adjacent safeguard: it limits what code can act on behalf of an identity, not just who can log in. That matters when service accounts, automation agents, and CI/CD runners execute tools with broad access. The most common misapplication is treating endpoint antivirus as a substitute for application control, which occurs when organisations assume malware detection alone can prevent unauthorized execution.
Examples and Use Cases
Implementing application control rigorously often introduces operational friction, requiring organisations to weigh stronger execution governance against the cost of maintaining approved software lists and exception handling.
- Locking down CI/CD runners so only approved build tools, deployment scripts, and signing utilities can execute, reducing the chance that injected code can steal secrets or alter release artifacts.
- Restricting service host machines to a small approved set of agent binaries, which helps prevent a compromised admin session from dropping unauthorised tooling.
- Allowlisting scripts and interpreters on automation servers so job schedulers cannot run arbitrary PowerShell, Python, or shell payloads outside policy.
- Using application control on high-value workloads after reviewing guidance in Ultimate Guide to NHIs — Standards, especially where service accounts and secrets are already present.
- Combining it with environment-specific restrictions in the NIST Cybersecurity Framework 2.0 to ensure only intended software can run on a workstation, jump host, or pipeline node.
In practice, teams often allow exceptions for patching, diagnostics, or vendor utilities, but those exceptions should be time-bound and logged. Application control is most effective when policy owners can explain why each executable is approved, where it may run, and which identity or workflow depends on it. This discipline also helps teams identify when a change request is really an attempt to bypass controls.
Why It Matters in NHI Security
Application control matters because NHI compromises frequently begin with code execution rather than with broken authentication. If attackers can run a script, loader, or remote admin tool on a host that stores tokens, cached credentials, or deployment secrets, they can often move laterally without needing to defeat identity controls directly. That risk is amplified by the NHI reality that 96% of organisations store secrets outside secrets managers in vulnerable locations, according to Ultimate Guide to NHIs — Standards, which makes execution control a practical containment layer when secret sprawl exists.
Application control also supports resilience by narrowing what can operate in privileged automation environments. In NHI governance, it complements NIST Cybersecurity Framework 2.0 outcomes around access control and protective technology, but it must be maintained continuously as software stacks change. It is not just a preventive measure; it is also an evidence source during incident response, helping teams determine whether a process should have been able to run at all. Organisations typically encounter the need for application control only after a malicious or unsanctioned executable is discovered on a host that already had valid credentials, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Execution policy helps reduce NHI abuse through unauthorized tooling and script execution. |
| NIST CSF 2.0 | PR.AC-3 | Application control enforces access constraints on execution, not just logon rights. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumes continuous enforcement, including device and software trust at execution time. |
Treat approved software as a continuously verified condition for access to sensitive NHI systems.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
