The identity of the actual running process that generated a request, not just the pod, container, or proxy carrying it. In workload security, process identity matters because transport-level authentication can succeed even when the wrong runtime actor is speaking through a shared boundary.
Expanded Definition
Process identity is the identity of the actual running process that emits a request, rather than the broader host, pod, container, or gateway that forwards it. In NHI security, that distinction matters because transport authentication can prove a channel is trusted while still failing to prove which runtime actor inside the boundary initiated the call. NIST Cybersecurity Framework 2.0 frames this as part of governance and access control discipline, while identity-centric workload controls increasingly treat runtime proof as separate from infrastructure membership through NIST Cybersecurity Framework 2.0.
Definitions vary across vendors because some tools infer process identity from kernel signals, some from sidecar metadata, and others from workload attestation or issued workload credentials. The practical goal is the same: bind an action to the precise executable context that caused it. That is different from RBAC, which answers whether an identity is allowed to act, not whether the correct process is actually acting. The most common misapplication is treating pod identity or service account identity as proof of process identity, which occurs when multiple runtimes share the same network boundary.
Examples and Use Cases
Implementing process identity rigorously often introduces runtime and telemetry overhead, requiring organisations to weigh stronger attribution against added engineering complexity.
- A payment service runs two processes in one container, and only one should be allowed to mint tokens. Process identity lets security tooling distinguish the token broker from a background job.
- A sidecar proxy forwards requests for several internal executables. The proxy authenticates the workload, but process identity determines which executable actually requested the downstream secret.
- A build agent launches ephemeral helpers during CI/CD. Linking actions to process identity helps separate the approved pipeline controller from a suspicious subprocess, a pattern often seen in NHI incidents discussed in the 52 NHI Breaches Analysis.
- An API gateway presents a shared service account to the target service. Process identity is used to validate whether the request came from the intended daemon or from another local process abusing the same credential path.
- Workload attestation and secret delivery are combined so that only the specific executable lifecycle can obtain a token, aligning with the lifecycle guidance in Ultimate Guide to NHIs and runtime identity guidance from SPIFFE.
Why It Matters in NHI Security
Process identity becomes critical when secrets, tokens, or privileged APIs are accessible from shared runtime environments. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that only 5.7% of organisations have full visibility into their service accounts. Those conditions make it easy for an attacker to reuse a valid workload credential from the wrong process and remain invisible unless runtime attribution exists. The broader problem is highlighted in the Top 10 NHI Issues, where secret sprawl and weak visibility compound each other.
This term also matters for Zero Trust Architecture, where trust must follow verified context rather than assumed network position. A process-level view supports better containment, more accurate incident response, and cleaner offboarding of compromised automation. It also helps explain why a seemingly valid request should still be denied when the wrong executable is speaking through a shared service boundary. Organisations typically encounter the need for process identity only after a breach, token misuse, or lateral movement incident exposes that the wrong runtime actor had been operating under a valid workload credential.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Process identity reduces misuse of workload secrets and shared credentials. |
| NIST Zero Trust (SP 800-207) | 2-3 | Zero Trust requires continuous verification of workload context, not just network location. |
| NIST CSF 2.0 | PR.AC | Access control must distinguish the acting process from the transport boundary. |
Map workload permissions to process-level signals and remove assumptions based on pod or host identity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
