Granular recovery is the ability to restore specific identity objects or attributes without rebuilding an entire directory. For hybrid identity, that includes preserving relationships such as group membership, policy links, and application bindings so restored access behaves correctly after an outage or deletion.
Expanded Definition
Granular recovery is the capability to restore a specific identity object, attribute, or relationship without rebuilding the entire directory or tenancy. In NHI operations, that means recovering a service account, key binding, group membership, policy link, or application trust with enough fidelity that access behaves as it did before the incident.
Definitions vary across vendors because some recovery products treat this as backup and restore, while others reserve the term for item-level directory restoration. In NHI security, the distinction matters: restoring the object alone is not enough if its attached permissions, metadata, or dependency links are lost. That is why recovery planning should align with control expectations in the NIST Cybersecurity Framework 2.0 and with lifecycle guidance discussed in the Ultimate Guide to NHIs.
The most common misapplication is treating directory-level restore as granular recovery, which occurs when teams bring back an account entry but lose the memberships, bindings, or policy inheritance that made the identity functional.
Examples and Use Cases
Implementing granular recovery rigorously often introduces dependency-tracking overhead, requiring organisations to weigh faster incident recovery against the complexity of preserving linked identity state.
- Restoring a deleted service account while preserving its application role bindings so batch jobs resume without manual reconfiguration.
- Recovering a rotated API key pair and the associated secret references after an erroneous cleanup in a CI/CD pipeline.
- Reinstating a directory group used by an agentic workflow, including nested membership and policy attachments, after accidental deletion.
- Returning a machine identity certificate and its trust relationship to an internal workload registry after a failed migration.
- Using a backup point to restore a compromised NHI record without rolling back unrelated identities or changing unrelated entitlements, as described in the Ultimate Guide to NHIs and in NIST identity resilience planning.
These use cases usually depend on testing whether the restored object still maps cleanly into policy and authorization logic defined by the identity platform and the NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
Granular recovery is a governance issue, not just a backup feature. NHIs outnumber human identities by 25x to 50x in modern enterprises, and when a service account, secret, or workload credential is lost, the blast radius can extend into build systems, orchestration tools, and downstream applications. If recovery is too coarse, teams may reintroduce stale permissions or break trust chains. If it is too manual, restoration becomes slow enough to prolong outages and delay containment.
NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot confidently restore the right identity artifacts after an incident. Granular recovery therefore depends on accurate inventory, dependency mapping, and validated restore tests, not just storage of backup copies. The Ultimate Guide to NHIs highlights how weak NHI governance and poor rotation discipline compound recovery risk. Organisations typically encounter the need for granular recovery only after a deleted account, failed migration, or ransomware event, at which point precise restoration becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-08 | Recovery must preserve NHI relationships, not just objects, to avoid broken access after restore. |
| NIST CSF 2.0 | RC.RP-1 | Recovery planning covers restoration of systems and identity dependencies after disruption. |
| NIST SP 800-63 | Digital identity assurance depends on preserving authenticators and bound attributes during recovery. | |
| NIST Zero Trust (SP 800-207) | Zero Trust relies on continuous trust evaluation, so recovered identities must re-enter policy cleanly. |
Restore identity state without weakening assurance or detaching authenticators from their subject.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org