Minimum Viable Company is the smallest level of identity and application capacity needed for the business to operate after a recovery event. It shifts the recovery question from whether a system is online to whether enough trusted access exists for critical services to function.
Expanded Definition
Minimum Viable Company is an operational resilience concept for identity-first recovery. It describes the smallest trusted identity footprint, application set, and access model needed for the business to resume core functions after disruption. In NHI terms, the question is not simply whether servers are back online, but whether service accounts, API keys, certificates, automation identities, and recovery roles exist in a state that can safely support critical workflows. This aligns with the identity-centric approach emphasized in the NIST Cybersecurity Framework 2.0, especially when recovery depends on protecting and restoring trusted access before broad business operations can restart.
Usage in the industry is still evolving, and definitions vary across vendors and resilience programs. Some teams treat Minimum Viable Company as a recovery mode, while others use it as a planning threshold for continuity exercises, disaster recovery, or ransomware restoration. The useful distinction is that it focuses on business viability, not full restoration. A company may intentionally delay non-essential systems, integrations, and dormant identities until the core trust boundary is re-established. The most common misapplication is treating it as a generic cut-down infrastructure plan, which occurs when teams restore applications without first validating the identities and secrets those applications depend on.
Examples and Use Cases
Implementing Minimum Viable Company rigorously often introduces a tradeoff between faster restart and tighter control, requiring organisations to balance speed of recovery against the risk of reintroducing excessive access or stale secrets.
- A payment processor restores only the identities required for transaction authorization, fraud checks, and customer support, while delaying analytics and noncritical batch jobs until access reviews are complete.
- A manufacturer brings back the smallest set of service accounts and machine certificates needed for production scheduling, then validates them against recovery playbooks and the NIST Cybersecurity Framework 2.0 recovery outcomes.
- A SaaS provider rebuilds its control plane with a minimal set of privileged identities, using lessons from the Ultimate Guide to NHIs to avoid restoring dormant API keys that could widen the blast radius.
- An enterprise running ransomware tabletop exercises defines a Minimum Viable Company state where customer-facing support, payroll, and incident communications work even if secondary integrations remain offline.
- A healthcare organisation prioritizes identity recovery for EHR access, backup operators, and signing keys before re-enabling automation that could propagate corrupted credentials.
In practice, the model is most valuable when recovery steps are tested in advance and identity dependencies are mapped to each essential business capability, not guessed during an outage.
Why It Matters in NHI Security
Minimum Viable Company matters because identity failure often becomes the real recovery bottleneck. If the right service accounts, certificates, and secrets are unavailable, or if they are restored too broadly, the organisation may technically be “up” while still unable to operate safely. NHI risk research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why recovery planning must account for privileged automation as carefully as human access. The same guidance appears in the Ultimate Guide to NHIs, where visibility, rotation, and offboarding are presented as essential controls rather than optional hygiene.
Practitioners also need to treat this as a governance issue, not just a technical one. A recovery state that restores business flow but leaves excess NHI privilege in place can create a second incident immediately after the first. That is why Minimum Viable Company should be paired with ZTA, PAM, and disciplined secret handling, as reflected in NIST Cybersecurity Framework 2.0 guidance on resilience and access control. Organisations typically encounter the importance of this concept only after a major outage or breach, at which point Minimum Viable Company becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Zero Trust requires verifying access before restored services can be trusted. | |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret sprawl and improper storage that can break recovery trust. |
| NIST CSF 2.0 | RC.RP-1 | Recovery planning defines the sequence needed to resume critical business functions. |
Restore only verified identities and limit access until each service is revalidated.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
