Subscribe to the Non-Human & AI Identity Journal
Home Glossary Minimum Viable Operations

Minimum Viable Operations

← Back to Glossary
By NHI Mgmt Group Updated July 9, 2026

The smallest set of systems, identities, data, and processes needed to keep a business running at an acceptable level during disruption. It helps organisations prioritise restoration and avoid treating every service as equally urgent.

Expanded Definition

Minimum Viable Operations is the minimum capability set an organisation must preserve during disruption so it can continue essential services, protect critical records, and avoid wasting recovery effort on low-priority functions. In practice, it sits between business continuity planning and technical recovery because it defines what must stay available, not just what can be restored eventually. In security and identity programs, the scope often includes the service accounts, secrets, access paths, and data dependencies that keep core workflows alive, which makes it highly relevant to NHI governance and zero trust restoration planning. Standards do not treat the term as a single formal control objective, so usage in the industry is still evolving and often varies by resilience maturity.

For operational translation, teams frequently map this concept to critical service tiers, dependency graphs, and fallback access models aligned with NIST SP 800-53 Rev 5 Security and Privacy Controls. The most common misapplication is treating minimum viable operations as a generic outage checklist, which occurs when organisations list systems without identifying the identities, secrets, and downstream processes required to run them.

Examples and Use Cases

Implementing minimum viable operations rigorously often introduces scope reduction and dependency discipline, requiring organisations to weigh faster recovery against the inconvenience of limiting what can be restarted immediately.

  • A payments platform restores only authentication, transaction routing, ledger writes, and fraud monitoring before bringing back reporting dashboards and nonessential analytics.
  • An enterprise keeps its identity provider, privileged access path, DNS, and backup vault reachable so administrators can re-establish control during a regional outage.
  • A healthcare provider prioritises patient record access, prescribing workflows, and audit logging while deferring low-criticality collaboration tools until later.
  • An NHI program defines which service accounts, API keys, and certificates must be rotated or reissued first after compromise, using guidance from the Ultimate Guide to NHIs.
  • A cloud engineering team documents a recovery path that depends on secrets managers, CI/CD access, and break-glass credentials, then tests it against NIST SP 800-53 Rev 5 Security and Privacy Controls.

Because NHIs often outnumber human identities by 25x to 50x in modern enterprises, the “minimum” in minimum viable operations frequently depends more on machine identity than on user access.

Why It Matters for Security Teams

Security teams use minimum viable operations to separate survivable disruption from total operational collapse. Without it, recovery plans tend to over-focus on servers and ignore the credentials, certificates, and service dependencies needed to actually use those systems. That gap becomes especially dangerous in NHI-heavy environments, where service accounts and API keys can be the hidden blockers that stop restoration even after infrastructure is rebuilt. NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, which means most recovery plans are built on incomplete identity inventories. The same research also shows 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring why identity scope belongs in continuity planning, not just in IAM operations.

Minimum viable operations also helps security leaders decide what to isolate, what to restore first, and what to keep offline until trust is re-established. That makes it a practical input to crisis response, not a theoretical planning term. Organisations typically encounter the real meaning of minimum viable operations only after a major outage or compromise reveals that critical systems were restored without the identities and secrets needed to run them, at which point the concept becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RC.RP-1Recovery planning is the closest CSF fit for defining essential restoration priorities.
NIST SP 800-53 Rev 5CP-2Contingency planning under CP-2 supports identifying essential services and dependencies.
OWASP Non-Human Identity Top 10NHI-01NHI inventory and governance are needed to know which machine identities are mission critical.
NIST Zero Trust (SP 800-207)Zero Trust relies on continuous access decisions for the identities supporting essential operations.
NIST SP 800-63AAL2Identity assurance matters when break-glass and administrative access are part of recovery.

Define minimum viable operations in the recovery plan and restore only the functions needed to sustain critical services.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org