Governance, Ownership & Risk

Collusion Risk

By NHI Mgmt Group Updated June 10, 2026 Domain: Governance, Ownership & Risk

The possibility that two or more actors coordinate to bypass a control that assumes independent behaviour. In SoD programmes, collusion can take the form of shared credentials, reciprocal approvals, or informal process workarounds that defeat the separation the control is meant to enforce.

Expanded Definition

Collusion risk is the chance that a control designed to depend on independent action is defeated because two or more actors coordinate their behavior. In NHI governance, that usually means a separation-of-duties control is weakened by shared credentials, reciprocal approvals, or informal workarounds that let one party cover for another. The risk matters because the control may look effective on paper while the operating reality is coordinated bypass. In practice, collusion risk sits at the intersection of access governance, approval design, and monitoring, and it is closely related to the failure modes described in NIST Cybersecurity Framework 2.0 under access control and oversight expectations. Definitions vary across vendors when this term is applied to humans, NHIs, or AI agents, so the safest use is to treat it as a governance failure mode, not a single product problem.

In NHI environments, collusion risk is often higher where service accounts, API keys, or approval workflows are shared across teams and no single owner can prove independent review. The most common misapplication is assuming that dual approval equals separation of duties when both approvers can be influenced by the same operational pressure or informal process.

Examples and Use Cases

Implementing collusion-resistant controls rigorously often introduces friction, so organisations have to weigh operational speed against closing off the bypass opportunities that the following patterns illustrate.

  • A platform team and application owner share a privileged API key “temporarily” to avoid waiting for a proper approval path, which defeats independent accountability.
  • Two approvers repeatedly rubber-stamp the same NHI change requests because they report to the same manager and follow an informal team norm rather than an independent review process.
  • A CI/CD operator and a developer coordinate to reuse a deployment token across environments, bypassing a control that assumes the issuer and the deployer are separate actors.
  • An auditor checks for role separation in a workflow, but the real control failure appears in the exception process where a partner team can override decisions without evidence. That pattern is frequently discussed in the Top 10 NHI Issues and the OWASP NHI Top 10.
  • A service account is “owned” by one group, but access requests are approved by a peer group with aligned incentives, making the review function non-independent in practice.

These situations are especially dangerous when the environment lacks immutable logs or when shared secrets make attribution impossible after the fact.

Why It Matters in NHI Security

Collusion risk matters because NHI programmes often rely on controls that assume honest, independent behavior, yet attackers only need one weak link or one cooperative exception to bypass the entire model. When secrets are shared, approvals are informal, or ownership is blurred, the control objective changes from prevention to mere documentation. That is why NHI guidance from Ultimate Guide to NHIs — Key Challenges and Risks emphasizes visibility, rotation, and governance discipline, while Ultimate Guide to NHIs — Why NHI Security Matters Now highlights the scale of exposure. NHIMG research shows that 68% of organisations do not know how to fully address NHI risks, which is exactly the kind of uncertainty that lets collusive workarounds persist. In that environment, collusion risk is not theoretical; it is a structural weakness in the operating model.

Organisations typically encounter the consequences only after an access review, audit finding, or incident response investigation exposes that the control was bypassed by coordinated behavior, at which point addressing collusion risk becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework                     | Control / Reference | Relevance                                                                                   |
|-------------------------------|---------------------|---------------------------------------------------------------------------------------------|
| NIST CSF 2.0                  | PR.AA-5             | Addresses identity proofing and access authorization when independence of actors matters.   |
| OWASP Non-Human Identity Top 10 | NHI-07            | Covers over-privilege and governance failures that enable coordinated bypass of controls.   |
| NIST Zero Trust (SP 800-207)  | SC-7                | Zero Trust limits implicit trust, reducing the impact of coordinated control bypass.        |

Design NHI controls so no single team can both request and approve the same privilege path.
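The failure patterns listed under Examples and Use Cases (shared API keys, same-manager rubber-stamping, deployment tokens reused across environments, peer-group approvals) and the design rule above can be turned into a periodic check over approval and credential-usage records. The following is an added example, not code from NHIMG or from any product it references; the record formats, the directory of people and teams, the seven-day reciprocity window and every name in it are constructed assumptions.

```python
"""
Added example: a small separation-of-duties checker that scans approval and
credential-usage records for the collusion patterns described in the glossary
entry. All data below is constructed for illustration; the field names and
the reciprocity window are assumptions, not an NHIMG or vendor specification.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Two people approving each other's requests within this window is treated
# as a reciprocal-approval signal worth reviewing (assumed threshold).
RECIPROCAL_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Approval:
    request_id: str
    requester: str   # who asked for the privilege
    approver: str    # who approved it
    ts: datetime


@dataclass(frozen=True)
class CredentialUse:
    credential_id: str
    team: str
    environment: str
    ts: datetime


# Constructed directory: person -> (team, manager). Not real data.
DIRECTORY = {
    "alice": ("platform", "mgr-1"),
    "bob":   ("platform", "mgr-1"),
    "erin":  ("sre",      "mgr-1"),
    "carol": ("appsec",   "mgr-2"),
    "dave":  ("app-team", "mgr-3"),
}


def team_of(person):
    return DIRECTORY[person][0]


def manager_of(person):
    return DIRECTORY[person][1]


def check_approvals(approvals):
    """Return (request_id, finding) pairs for approvals that are not independent:
    self-approval, approver on the requester's team, approver sharing the
    requester's manager, or a reciprocal approval inside RECIPROCAL_WINDOW."""
    findings = []
    # Index by (approver, requester) so reciprocal pairs can be looked up directly.
    by_pair = defaultdict(list)
    for a in approvals:
        by_pair[(a.approver, a.requester)].append(a)
    for a in approvals:
        if a.requester == a.approver:
            findings.append((a.request_id, "self-approval"))
            continue
        if team_of(a.requester) == team_of(a.approver):
            findings.append((a.request_id, "same-team-approval"))
        elif manager_of(a.requester) == manager_of(a.approver):
            findings.append((a.request_id, "same-manager-approval"))
        # Reciprocal: the requester recently approved something for this approver.
        for other in by_pair.get((a.requester, a.approver), []):
            if abs(other.ts - a.ts) <= RECIPROCAL_WINDOW:
                findings.append((a.request_id, "reciprocal-approval"))
                break
    return findings


def check_credentials(uses):
    """Flag a credential used by more than one team (shared secret, so attribution
    is lost) or in more than one environment (token reused across environments)."""
    teams, envs = defaultdict(set), defaultdict(set)
    for u in uses:
        teams[u.credential_id].add(u.team)
        envs[u.credential_id].add(u.environment)
    findings = []
    for cid in sorted(teams):
        if len(teams[cid]) > 1:
            findings.append((cid, "credential-shared-across-teams"))
        if len(envs[cid]) > 1:
            findings.append((cid, "credential-reused-across-environments"))
    return findings


# Constructed sample records (not from any real system).
T0 = datetime(2026, 6, 1, 9, 0)
APPROVALS = [
    Approval("REQ-1", "alice", "carol", T0),                        # independent
    Approval("REQ-2", "alice", "bob",   T0 + timedelta(hours=1)),   # same team
    Approval("REQ-3", "dave",  "carol", T0 + timedelta(days=1)),    # reciprocal with REQ-4
    Approval("REQ-4", "carol", "dave",  T0 + timedelta(days=2)),    # reciprocal with REQ-3
    Approval("REQ-5", "dave",  "dave",  T0 + timedelta(days=3)),    # self-approval
    Approval("REQ-6", "bob",   "erin",  T0 + timedelta(days=4)),    # same manager
]
USES = [
    CredentialUse("key-platform-01", "platform", "prod",    T0),
    CredentialUse("key-platform-01", "app-team", "prod",    T0 + timedelta(hours=2)),
    CredentialUse("deploy-token-7",  "app-team", "staging", T0),
    CredentialUse("deploy-token-7",  "app-team", "prod",    T0 + timedelta(hours=3)),
    CredentialUse("key-appsec-02",   "appsec",   "prod",    T0),
]


def run_checks(approvals=APPROVALS, uses=USES):
    """Run both checks and return the combined list of findings."""
    return check_approvals(approvals) + check_credentials(uses)


if __name__ == "__main__":
    for subject, finding in run_checks():
        print(f"{subject}: {finding}")
```

The checker only surfaces candidates for review; a same-manager approval is not proof of collusion, but it is exactly the case where dual approval looks like separation of duties on paper while both approvers sit under the same operational pressure. Feeding it from immutable logs rather than a mutable ticketing database matters, since the entry notes that attribution collapses once logs can be edited or secrets are shared.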

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org