
Human defence

By NHI Mgmt Group Updated June 20, 2026 Domain: Governance, Ownership & Risk

Controls and operating practices designed to reduce the chance that pressure, fatigue, urgency, or confusion leads to a security decision an attacker can exploit. It extends beyond awareness training into approval design, escalation handling, and privileged workflow structure.

Expanded Definition

Human defence is the set of controls that reduce the chance a person will make a security decision under pressure, fatigue, urgency, or confusion that an attacker can exploit. In NHI security, it covers approval paths, exception handling, escalation design, and privileged workflow structure, not just training.

Definitions vary across vendors, but the core idea is consistent: security programs should shape the decision environment so that human error is harder to exploit. That makes human defence closely related to NIST Cybersecurity Framework 2.0 governance and protection functions, especially where access requests, break-glass use, and token issuance depend on a person’s judgment. In practice, it also sits beside NHI lifecycle controls because people often authorise, renew, or bypass controls on behalf of machine identities.

Human defence is different from general awareness training because it changes the workflow itself. A strong approval model can prevent a rushed manager from approving a risky API key, and a well-designed escalation path can stop a confused operator from over-granting access during an incident. The most common misapplication is treating human defence as a training-only problem, which occurs when organisations ignore the approval chain, interface design, and privilege concentration that drive risky decisions.

Examples and Use Cases

Implementing human defence rigorously adds friction to privileged workflows, so organisations have to weigh faster operational response against safer decision-making under pressure. The patterns below are ways of placing that friction where a rushed decision would do the most damage.

  • A cloud team requires dual approval for new service account privileges during business hours and a stricter path for after-hours exceptions, reducing rushed overprovisioning.
  • An incident response runbook forces ticketed justification before emergency token creation, so a stressed responder cannot create long-lived secrets without review.
  • A platform team replaces free-form Slack approvals with structured forms that include scope, expiry, and owner fields, making bad requests easier to spot.
  • A security review board audits delegated access paths for AI agents and service accounts, using guidance from the Ultimate Guide to NHIs to reduce privilege creep.
  • An engineering organisation aligns privileged workflow design with NIST Cybersecurity Framework 2.0 so that approvals, logging, and revocation are consistent across teams.

These patterns matter most where a person is the last control before a machine identity is issued, renewed, or expanded. Human defence is therefore both a usability problem and a governance control.
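The patterns above can be enforced rather than merely requested. The following added example (illustration written for this entry, not NHIMG's or any vendor's code) encodes them as a policy-as-code gate over a structured request: required scope, owner and expiry fields; no self-approval; two independent approvers; a stricter after-hours path that also needs a security sign-off; and a ticketed justification plus a short lifetime for emergency tokens. The field names, thresholds, business-hours window and `INC-` ticket format are assumptions chosen for illustration, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy thresholds (hypothetical values, not from the glossary entry).
MAX_STANDARD_TTL = timedelta(days=90)     # longest lifetime a normal grant may have
MAX_EMERGENCY_TTL = timedelta(hours=4)    # emergency tokens must be short-lived
BUSINESS_HOURS = (9, 18)                  # local time, Monday to Friday
TICKET_RE = re.compile(r"^INC-\d{4,}$")   # assumed incident-ticket format


@dataclass
class AccessRequest:
    requester: str
    scope: str                 # what the identity may do, e.g. "kms:Decrypt on prod-db-key"
    owner: str                 # human accountable for the identity after issuance
    ttl: timedelta             # requested lifetime; open-ended grants are not expressible
    submitted_at: datetime
    approvers: list = field(default_factory=list)   # people who approved
    security_approved: bool = False                 # required on the after-hours path
    emergency: bool = False
    ticket: str = ""           # incident ticket justifying an emergency token


def is_after_hours(ts: datetime) -> bool:
    """Weekend or outside BUSINESS_HOURS counts as after-hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def evaluate(req: AccessRequest) -> list:
    """Return the list of policy violations; an empty list means approvable."""
    problems = []
    # Structured form: the three fields that make a bad request easy to spot.
    if not req.scope.strip() or req.scope.strip() == "*":
        problems.append("scope missing or wildcard")
    if not req.owner.strip():
        problems.append("owner missing")
    if req.ttl <= timedelta(0):
        problems.append("expiry missing or not in the future")
    # Separation of duties: the requester cannot approve their own request.
    if req.requester in req.approvers:
        problems.append("requester appears among approvers")
    # Dual approval from two distinct people other than the requester.
    if len(set(req.approvers) - {req.requester}) < 2:
        problems.append("fewer than two independent approvers")
    # Stricter after-hours path: a security approver must also sign off.
    if is_after_hours(req.submitted_at) and not req.security_approved:
        problems.append("after-hours request lacks security approval")
    # Emergency tokens: ticketed justification and a short lifetime.
    if req.emergency:
        if not TICKET_RE.match(req.ticket):
            problems.append("emergency request lacks a valid incident ticket")
        if req.ttl > MAX_EMERGENCY_TTL:
            problems.append("emergency token lifetime exceeds limit")
    elif req.ttl > MAX_STANDARD_TTL:
        problems.append("requested lifetime exceeds standard limit")
    return problems


# Constructed sample requests (not real data). 2026-06-16 is a Tuesday, 2026-06-20 a Saturday.
SAMPLES = {
    "compliant": AccessRequest(
        requester="alice", scope="secretsmanager:GetSecretValue on billing/*",
        owner="billing-platform", ttl=timedelta(days=30),
        submitted_at=datetime(2026, 6, 16, 10, 30), approvers=["bob", "carol"]),
    "self-approved": AccessRequest(   # rushed manager approves their own year-long grant
        requester="alice", scope="iam:*", owner="alice", ttl=timedelta(days=365),
        submitted_at=datetime(2026, 6, 16, 10, 30), approvers=["alice", "bob"]),
    "rushed-emergency": AccessRequest(   # stressed responder, weekend, no ticket, week-long token
        requester="dave", scope="kms:Decrypt on prod-db-key", owner="dba-oncall",
        ttl=timedelta(days=7), submitted_at=datetime(2026, 6, 20, 23, 5),
        approvers=["erin", "frank"], emergency=True, ticket=""),
    "ticketed-emergency": AccessRequest(   # same need, routed through the designed path
        requester="dave", scope="kms:Decrypt on prod-db-key", owner="dba-oncall",
        ttl=timedelta(hours=2), submitted_at=datetime(2026, 6, 20, 23, 5),
        approvers=["erin", "frank"], security_approved=True,
        emergency=True, ticket="INC-20260620"),
}


def evaluate_all() -> dict:
    """Evaluate every sample; maps name -> list of violations."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in evaluate_all().items():
        print(f"{name}: {problems or 'APPROVABLE'}")
```

The point of the rules is that the rushed-emergency request is rejected for three independent reasons (no security sign-off after hours, no ticket, lifetime too long), while the same operational need is approvable once it follows the designed path. Wiring a check like this in front of the secret-issuing system, rather than in a training slide, is what makes it human defence in the sense used on this page.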

Why It Matters in NHI Security

Human defence becomes critical because attackers routinely target the person who can authorize access rather than the system that enforces it. In NHI programs, the pressure point is often a rushed approval for a secret, a temporary exception that becomes permanent, or a manager who signs off without understanding blast radius. NHIMG reports that 97% of NHIs carry excessive privileges, and that is not just a technical failure; it is often the downstream result of unsafe human decisions and weak approval design in the first place, as discussed in the Ultimate Guide to NHIs.

For governance teams, human defence reduces the chance that urgency becomes policy bypass. It also supports better separation of duties when a person is asked to approve access that they should not directly benefit from. This is especially important for service accounts, API keys, and break-glass credentials, where a single mistaken click can create a durable compromise path. Organisational controls should therefore assume that fatigue, context switching, and incident stress are normal conditions, not edge cases.

Organisations typically notice the consequences only after a secret leak, privilege abuse, or emergency access misuse; at that point fixing the approval and escalation design is no longer optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 describes the attack and risk surface, while NIST CSF 2.0 sets the governance and control outcomes practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage) | Human approval errors often lead to secret sprawl and weak NHI handling. |
| NIST CSF 2.0 | GV.OV-01 | Governance must shape human decisions that affect access and exceptions. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to PR.AC-1 in CSF 1.1) | Access permissions must follow least privilege and separation of duties; the human workflows that grant them can be pressured or bypassed. |

Embed approval, escalation, and exception controls into security governance and oversight.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 20, 2026.