The risk that too much operational dependence sits with one ICT provider or one tightly linked provider chain. For AI environments, concentration risk matters when the same model supplier, hosting layer, or API backbone underpins multiple business functions and becomes difficult to replace quickly.
Expanded Definition
Concentration risk is the exposure created when critical operations depend on one ICT provider, one cloud region, one model vendor, or a tightly linked provider chain. In NHI and agentic AI environments, the risk expands when the same model, API, hosting layer, or identity control plane underpins multiple services and becomes difficult to replace quickly. Guidance varies across vendors, but the practical test is simple: if one outage, policy change, or compromise can disrupt many business functions at once, concentration risk is present. For governance teams, this sits alongside supply chain and resilience concerns covered in NIST Cybersecurity Framework 2.0 and the NHI supply chain emphasis in Ultimate Guide to NHIs — Key Challenges and Risks.
The most common misapplication is treating concentration risk as only a procurement concern, which occurs when teams review vendor cost but ignore operational dependency, shared credentials, and recovery time for replacement.
Examples and Use Cases
Implementing concentration risk controls rigorously often introduces resilience cost and integration complexity, requiring organisations to weigh standardisation benefits against reduced optionality and slower failover.
- A single LLM provider powers customer support, internal search, and code assistance, so a pricing change or service disruption affects several workflows at once. That pattern echoes the dependency clusters discussed in OWASP NHI Top 10.
- An organisation uses one IAM broker or secrets platform for every AI agent, and a misconfiguration in that platform can freeze authentications across the estate.
- Multiple business units consume the same model endpoint through one API gateway, so a regional outage or rate-limit event creates simultaneous service degradation.
- A provider chain shares the same upstream identity vault, meaning a compromise or contract termination at one tier can cascade into several downstream systems.
- Teams design a secondary path using a different vendor, but forget to test migration of tokens, prompts, and policy controls, leaving the backup unusable in practice.
As Top 10 NHI Issues shows, the operational danger is rarely the dependency alone; it is the combination of shared access, weak inventory, and slow recovery. For a control baseline, NIST Cybersecurity Framework 2.0 provides a useful structure for mapping dependencies, continuity, and recovery planning.
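The practical test above (one outage, policy change, or compromise disrupting many functions at once) and the failover caveat from the last example can be made mechanical once a dependency inventory exists. The script below is an added illustration, not code from NHI Mgmt Group or any framework it cites; the business functions, services, and provider names (`llm_vendor_a`, `api_gateway`, `secrets_vault`, and so on) are a constructed, hypothetical inventory. It computes the blast radius of each provider and only credits a backup path if its failover has actually been tested, so an untested secondary vendor does not mask a concentration point.

```python
"""Concentration-risk fan-out analysis over a provider dependency inventory.

Constructed example with hypothetical names. A business function needs all of
its services; a service stays up if at least one of its alternative provider
paths is intact. A provider is a concentration point when its loss disrupts
several functions at once, and a single point of failure when it disrupts all.
"""
from typing import Dict, List, Set, Tuple

# business function -> services it requires (all of them)
FUNCTIONS: Dict[str, List[str]] = {
    "customer_support": ["support_bot"],
    "internal_search": ["search_rag"],
    "code_assistance": ["code_assist"],
    "billing": ["billing_api"],
}

# service -> alternative paths; each path is (providers all required, failover_tested).
# Any one intact path keeps the service up, but an untested path is credited only
# when the caller explicitly chooses to trust it.
SERVICES: Dict[str, List[Tuple[Set[str], bool]]] = {
    "support_bot": [({"llm_vendor_a", "api_gateway", "secrets_vault"}, True)],
    "search_rag": [
        ({"llm_vendor_a", "api_gateway", "secrets_vault"}, True),
        ({"llm_vendor_b", "api_gateway", "secrets_vault"}, False),  # backup never exercised
    ],
    "code_assist": [
        ({"llm_vendor_a", "secrets_vault"}, True),
        ({"llm_vendor_b", "secrets_vault"}, True),
    ],
    "billing_api": [({"cloud_region_1", "secrets_vault"}, True)],
}


def all_providers() -> Set[str]:
    """Every ICT provider referenced anywhere in the inventory."""
    return {p for paths in SERVICES.values() for providers, _ in paths for p in providers}


def service_survives(service: str, failed: str, trust_untested: bool) -> bool:
    """True if the service has a usable path that does not include the failed provider."""
    for providers, tested in SERVICES[service]:
        if failed in providers:
            continue
        if tested or trust_untested:
            return True
    return False


def blast_radius(failed: str, trust_untested: bool = False) -> Set[str]:
    """Business functions disrupted if `failed` goes down (outage, compromise, contract end)."""
    return {
        func
        for func, services in FUNCTIONS.items()
        if not all(service_survives(s, failed, trust_untested) for s in services)
    }


def concentration_report(threshold: int = 2, trust_untested: bool = False) -> Dict[str, Set[str]]:
    """Providers whose loss disrupts at least `threshold` business functions simultaneously."""
    report: Dict[str, Set[str]] = {}
    for provider in sorted(all_providers()):
        hit = blast_radius(provider, trust_untested)
        if len(hit) >= threshold:
            report[provider] = hit
    return report


def single_points_of_failure() -> List[str]:
    """Providers on which every business function depends with no tested alternative."""
    return [p for p in sorted(all_providers()) if blast_radius(p) == set(FUNCTIONS)]


if __name__ == "__main__":
    for provider, functions in concentration_report().items():
        print(f"{provider}: disrupts {len(functions)} functions -> {sorted(functions)}")
    print("single points of failure:", single_points_of_failure())
```

In this constructed inventory the shared secrets platform is the single point of failure, matching the IAM-broker example above, and the primary model vendor only looks less concentrated once the untested backup is trusted, which is exactly the gap the last example warns about. Running the report with `trust_untested=False` is the conservative view to use for continuity planning.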
Why It Matters in NHI Security
Concentration risk becomes a security issue when NHIs, secrets, and agent permissions are concentrated around one control point. If one provider outage or identity compromise affects many service accounts at once, the result is not just downtime. It can also trigger broad credential rotation, emergency access changes, and failed incident containment across connected systems. This matters especially in agentic environments where an AI Agent may hold execution authority across multiple tools, and where MCP integrations or shared hosting can create hidden coupling.
NHI research shows why this deserves governance attention: the Ultimate Guide to NHIs — Why NHI Security Matters Now notes that NHIs are widely overprivileged, and the same overprivilege becomes more dangerous when concentrated in one provider stack. The 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect a breach of NHIs, which underscores how fast one weak link can spread impact across a shared dependency chain.
Organisations typically encounter concentration risk only after a major outage, provider compromise, or emergency migration, at which point the dependency becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.SC-1 | Identifies supply chain dependencies that can create concentration exposure. |
| OWASP Agentic AI Top 10 | LLM-03 | Highlights third-party and model dependency risks in agentic systems. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Covers NHI ecosystem dependency and control-plane concentration risks. |
Inventory critical providers and map single points of failure across identity and AI services.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org