A layered data design that separates raw ingestion, cleansed transformation, and curated analytics outputs. It gives teams clearer control points for quality, lineage, and reporting consistency, which is why it is widely used in governed data platforms.
Expanded Definition
Medallion architecture is a governed data pipeline pattern that organises data into layers, usually raw ingestion, cleansed transformation, and curated serving. In NHI-managed platforms, the pattern matters because each layer creates a distinct control point for NIST Cybersecurity Framework 2.0 functions such as identify, protect, and detect, especially where service accounts, API keys, and automated jobs move data between zones.
Definitions vary across vendors on layer names and how many layers are required, but the core idea is stable: separate trust levels so teams can validate quality before data becomes broadly consumable. That separation also supports lineage, recovery, and access decisions, which is why NHI Management Group treats it as a governance pattern rather than a storage format. Medallion design is often discussed alongside data mesh, lakehouse, and analytics engineering, yet it is not the same thing as any of those. The most common misapplication is treating the layers as a naming convention only, which occurs when organisations move data forward without enforcing identity, permission, and validation boundaries at each stage.
Examples and Use Cases
Implementing medallion architecture rigorously often introduces pipeline complexity and stricter access controls, requiring organisations to weigh faster analytics delivery against stronger validation and auditability.
- A raw ingestion layer receives event streams from applications using short-lived credentials, then quarantines malformed records before they can influence reporting.
- A transformation layer applies deduplication, schema enforcement, and enrichment, with one service account restricted to write only into that layer.
- A curated layer publishes trusted datasets to dashboards and downstream AI features after lineage checks and quality thresholds pass.
- Operational teams use the pattern to isolate noisy source systems so a broken ingest job does not overwrite trusted business metrics.
- Security teams map every job identity to its data touchpoints, which helps with reviews described in the Ultimate Guide to NHIs and with access governance expectations in NIST Cybersecurity Framework 2.0.
In practice, the pattern is also used to separate experimental AI feeds from production-grade reporting, so teams can prove which dataset was approved, when, and by which automated actor. That distinction becomes important when multiple pipelines share the same underlying storage.
Why It Matters in NHI Security
Medallion architecture becomes an NHI security concern because the pipeline often depends on machine identities that can read, transform, and republish sensitive data at machine speed. If those identities are overprivileged, poorly rotated, or reused across layers, the architecture that was meant to reduce risk can instead amplify blast radius. NHI Management Group notes that the Ultimate Guide to NHIs reports 97% of NHIs carry excessive privileges, and 71% are not rotated within recommended time frames, which directly undermines layered trust.
This is why the pattern should be understood as both a data governance control and an identity boundary model. Lineage alone does not secure the workflow if the same token can promote data from raw to curated without separation of duties. When an ingest key leaks, a misconfigured transformation job silently rewrites records, or a publishing credential is reused in another environment, the failure is not just data quality. It becomes an identity and access event that can distort analytics, compromise downstream automations, and weaken incident response. Organisations typically encounter the need to harden medallion controls only after a bad dataset, a credential leak, or an audit exception exposes how much the pipeline depended on unattended machine access.
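The identity-boundary checks described above can be run against an inventory of pipeline identities. The following is an added example, not code from NHI Management Group: the layer names, the 90-day rotation window, and every service account name and date are constructed assumptions.

```python
from datetime import date

LAYERS = ["raw", "cleansed", "curated"]   # assumed layer names; vendors differ
MAX_AGE_DAYS = 90                         # assumed rotation policy, not from the page

# Constructed inventory of pipeline identities (all names are hypothetical).
INVENTORY = [
    {"id": "svc-ingest", "rotated": date(2026, 5, 20),
     "grants": {("raw", "write")}},
    {"id": "svc-transform", "rotated": date(2026, 1, 2),
     "grants": {("raw", "read"), ("cleansed", "write")}},
    {"id": "svc-publish", "rotated": date(2026, 6, 1),
     "grants": {("cleansed", "read"), ("curated", "write")}},
    {"id": "svc-legacy-etl", "rotated": date(2026, 6, 1),
     "grants": {("raw", "read"), ("cleansed", "write"), ("curated", "write")}},
]


def audit(inventory, today):
    """Return sorted (identity, finding) pairs for layer-boundary violations."""
    findings = set()
    for ident in inventory:
        writes = {LAYERS.index(l) for l, act in ident["grants"] if act == "write"}
        reads = {LAYERS.index(l) for l, act in ident["grants"] if act == "read"}
        # One identity writing to several layers can promote data on its own,
        # so there is no separation of duties between stages.
        if len(writes) > 1:
            findings.add((ident["id"], "writes-multiple-layers"))
        # Reading more than one layer below a write target bypasses the
        # validation stage that sits between them.
        if any(r < w - 1 for w in writes for r in reads):
            findings.add((ident["id"], "skips-validation-layer"))
        # Credentials older than the policy window are flagged as unrotated.
        if (today - ident["rotated"]).days > MAX_AGE_DAYS:
            findings.add((ident["id"], "stale-credential"))
    return sorted(findings)


if __name__ == "__main__":
    for identity, finding in audit(INVENTORY, date(2026, 6, 11)):
        print(f"{identity}: {finding}")
```

In a real platform the inventory would be exported from the IAM or catalog system instead of being written by hand.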
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Layered pipelines often fail through secret sprawl and overprivileged service accounts. |
| NIST CSF 2.0 | PR.AC-4 | Medallion controls depend on managing identities and access across pipeline stages. |
| NIST Zero Trust (SP 800-207) | SC.L1 | Zero Trust supports layer-by-layer verification instead of implicit pipeline trust. |
Restrict each medallion layer to separate NHI credentials and audit secret handling at every promotion step.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org