Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Interaction Data
Cyber Security

Interaction Data

← Back to Glossary
By NHI Mgmt Group Updated July 11, 2026 Domain: Cyber Security

The behavioural and technical evidence generated by a user during a transaction, including device signals, geolocation, connection type, and navigation patterns. Fraud teams use it to estimate whether the actor behaves like a legitimate customer or a malicious actor.

Expanded Definition

Interaction data is the collection of behavioural, environmental, and technical signals produced while a person or system completes a digital interaction. In fraud and identity workflows, it can include device fingerprint characteristics, IP and network attributes, session timing, navigation sequence, browser state, and location-related indicators. The term is often used alongside, but not interchangeably with, transaction data, which focuses on the business event itself rather than the context surrounding it.

Definitions vary across vendors because some platforms treat interaction data as a narrow set of telemetry points, while others extend it to include risk signals, session metadata, and historical behaviour patterns. For NHI and agentic AI use cases, the concept matters because software agents also generate interaction data when they authenticate, call tools, or traverse workflows. That makes the data useful for distinguishing legitimate automation from anomalous or hostile activity, provided collection is governed and the signal is interpreted in context.

For security teams, the strongest reference point is still control-oriented thinking, such as the evidence, logging, and monitoring expectations described in NIST SP 800-53 Rev 5 Security and Privacy Controls. The most common misapplication is treating interaction data as proof of identity, which occurs when teams over-trust behavioural signals without validating the underlying account, device, or session.

Examples and Use Cases

Implementing interaction data rigorously often introduces privacy, data minimisation, and model-governance constraints, requiring organisations to weigh stronger fraud detection against narrower collection and retention boundaries.

  • Fraud scoring during account login, where keystroke cadence, device reputation, and unusual geolocation shifts help identify account takeover attempts.
  • Step-up authentication decisions, where a low-risk session with familiar navigation patterns may avoid friction, while a high-risk session triggers additional checks.
  • Bot and automation detection, where repetitive page flows, unrealistic timing, or inconsistent browser signals indicate scripted abuse rather than a human customer.
  • Agentic AI monitoring, where an autonomous agent’s tool calls, session continuity, and request cadence are analysed as interaction data to spot misuse or prompt injection effects.
  • Case investigation and tuning, where analysts compare interaction data with known-good and known-bad sessions to refine risk rules and reduce false positives.

For teams aligning technical telemetry with broader identity controls, the NIST SP 800-63B Digital Identity Guidelines help anchor how authentication strength and session evidence should be interpreted, even when the interaction data itself is not a credential.

Why It Matters for Security Teams

Interaction data is valuable because it adds context to identity decisions, but it can also create false confidence if teams assume behavioural similarity equals trust. In fraud prevention, identity verification, and NHI monitoring, the real challenge is separating signal from noise: a legitimate user may appear unusual because of travel, accessibility tools, or network change, while a malicious actor may mimic normal patterns well enough to bypass simplistic rules.

Security teams need clear governance for collection, retention, and review, especially when interaction data is used in automated decision-making. That includes defining which signals are material, how long they are stored, who can access them, and how exceptions are handled. When interaction data is tied to NHI or agentic AI, the governance bar rises further because automated entities can generate high-volume, repeatable, and sometimes deceptive telemetry that looks stable until the system is abused. In that setting, monitoring must distinguish authorised automation from compromised or over-permissioned agents.

Organisations typically encounter the operational cost of weak interaction-data governance only after a fraud event, an account takeover, or a false-blocking incident, at which point the term becomes operationally unavoidable to investigate and correct.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Interaction data supports continuous monitoring of user and system activity.
NIST SP 800-63SP 800-63BBehavioural and session signals inform digital identity and authentication assurance.
NIST AI RMFAI RMF governance supports managing behavioural data used in automated risk decisions.
OWASP Non-Human Identity Top 10NHI governance considers telemetry from non-human actors and their sessions.
NIST SP 800-53 Rev 5AU-2Audit logging controls align with capturing interaction evidence for security decisions.

Treat interaction data as supporting evidence, not a substitute for authenticated identity proofing.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org