Authority Source

Expanded Definition

Authority source is the governance anchor for an agent or automated workflow: the human, team, or system that grants the agent permission to act, sets the boundaries of acceptable privilege, and remains accountable for outcomes. In NHI security, this concept sits above authentication. An agent may prove its identity, but that proof alone does not say whose mandate it is executing.

That distinction matters because authority source determines what the agent is allowed to do in production, which approvals are required for new access, and how revocation should work when the business relationship changes. It also clarifies whether the acting entity is covered by a person, a service owner, a delegated system, or an approval chain. Guidance across vendors is still evolving, but the governance pattern is consistent with NIST Cybersecurity Framework 2.0: identity and access decisions should be mapped to accountable ownership, not treated as a purely technical login event. The most common misapplication is assuming the agent itself is the authority source, which occurs when teams confuse credential possession with delegated business authority.

Examples and Use Cases

Implementing authority source rigorously often introduces approval overhead, requiring organisations to weigh operational speed against tighter accountability and reduced privilege drift.

• A customer-support AI agent sends refund approvals only when its authority source is the finance operations team, not the model service account.
• An infrastructure bot rotates certificates under the authority source of the platform engineering team, with changes reviewed through a controlled workflow tied to service ownership.
• An internal coding agent deploys to staging because the authority source is the application squad, but production changes require a separate approver and narrower scope.
• Delegated actions are documented so that when an agent invokes credentials, the owning team can trace which business mandate justified the request, similar to the operational boundaries discussed in the Ultimate Guide to NHIs.
• After a compromise, investigators use the authority source to determine whether the agent acted under valid delegation or exceeded its intended mandate, which is particularly important in patterns seen in the ASP.NET machine keys RCE attack.

Why It Matters in NHI Security

Authority source is what turns an agent from an authenticated actor into a governed actor. Without it, teams can create service accounts, API keys, or autonomous agents that technically work but have no clear business owner, no approved scope, and no reliable revocation path. That gap is where excessive privilege, shadow automation, and orphaned access accumulate. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into their service accounts, which means authority decisions are often made without complete operational context.

This is why authority source should be recorded with the same seriousness as the credential itself. It supports least privilege, delegation review, emergency access decisions, and offboarding when the original mandate ends. It also helps align agent governance with broader identity controls in the NIST Cybersecurity Framework 2.0 and the lifecycle guidance in the Ultimate Guide to NHIs. Organisations typically encounter the need to define authority source only after an agent has overreached, at which point revocation, attribution, and containment become operationally unavoidable to address.

Related resources from NHI Mgmt Group

• Why is DevOps such a significant source of NHI risk?
• Why is hardcoding credentials into source code so dangerous?
• What is the difference between source control leakage and SharePoint secret exposure?
• What is the difference between identity governance and authority governance?