Profiles describe an organisation's current cybersecurity posture and its target state under NIST CSF 2.0. In identity programmes, they are useful for showing where access governance exists on paper but breaks down in practice, especially across service accounts, secrets, and other non-human identities.
Expanded Definition
In NIST CSF 2.0, a profile is a practical view of current cybersecurity outcomes and a desired target state, used to identify gaps, prioritise remediation, and track progress. CSF 2.0 calls these Organizational Profiles and splits each into a Current Profile (the outcomes achieved today) and a Target Profile (the outcomes the organisation has committed to). For NHI programmes, profiles help expose where policy says access is controlled but operational reality differs across service accounts, API keys, certificates, and automation tooling. The NIST Cybersecurity Framework 2.0 treats profiles as a planning and communication mechanism, not a control set in themselves, so the value comes from accurate mapping and honest scoring. In identity governance, a profile becomes most useful when it distinguishes human access from machine access, because those populations behave differently and fail in different ways. NHIMG’s Ultimate Guide to NHIs shows why that separation matters: organisations often overestimate control coverage when secrets, service accounts, and CI/CD credentials are spread across environments. The most common misapplication is treating a profile as a static compliance document: teams update the target state without validating the current state against the live identity inventory and the access paths those identities actually have, so the profile records policy intent rather than operational truth.
Examples and Use Cases
Implementing profiles rigorously introduces assessment overhead: organisations have to weigh clearer governance visibility against the cost of keeping the evidence behind each profile accurate across fast-moving systems.
- A security team creates a current-state profile for service-account governance and compares it with a target state that requires inventory, ownership, and rotation for every machine identity.
- An IAM programme uses a profile to show that secrets are stored in code and CI/CD variables, then sets a target state aligned to centralised secrets management and approval workflows, a pattern discussed in the Ultimate Guide to NHIs.
- A cloud operations team defines separate profiles for production and non-production environments because the acceptable controls for break-glass automation differ by risk tier.
- A risk owner maps the organisation’s current profile to the NIST Cybersecurity Framework 2.0 and uses the gap analysis to justify remediation funding.
- A merger integration team compares two acquired entities’ profiles to identify duplicated service accounts, unmanaged tokens, and inconsistent offboarding practices before consolidation.
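The current-state versus target-state comparison in the first two use cases above, and the prod/non-prod split in the third, can be derived from a live inventory rather than declared by hand. The script below is an added example, not code from NHIMG, NIST or the Ultimate Guide to NHIs: it scores a constructed inventory of machine identities against a set of hypothetical target outcomes (named owner, secret held in a vault, rotation within a window, recent use), builds a separate current-state profile per environment, and orders the gaps by lowest coverage so the largest distance to the target state is visible first. The inventory, the thresholds and the outcome names are assumptions made for the example.

```python
"""Derive a current-state profile for machine identities from an inventory
and diff it against target-state outcomes.

Added example; the inventory, thresholds and outcome names are constructed,
not NHIMG or NIST artefacts."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

TODAY = date(2026, 6, 10)    # fixed clock so results are reproducible
MAX_SECRET_AGE_DAYS = 90     # assumed rotation window
MAX_IDLE_DAYS = 60           # assumed idle window before an identity is an offboarding candidate


@dataclass(frozen=True)
class MachineIdentity:
    name: str
    environment: str              # "prod" or "nonprod"
    owner: Optional[str]          # None means nobody is accountable
    secret_location: str          # "vault", "ci_variable" or "source_code"
    last_rotated: Optional[date]
    last_used: Optional[date]


def _age_days(d: Optional[date]) -> Optional[int]:
    return None if d is None else (TODAY - d).days


# Target-state outcomes (hypothetical names). Each predicate is True when the
# identity already meets the outcome; the current-state profile is whatever
# fraction of the live inventory satisfies it.
TARGET_OUTCOMES: dict[str, Callable[[MachineIdentity], bool]] = {
    "has_named_owner":   lambda i: bool(i.owner),
    "secret_in_vault":   lambda i: i.secret_location == "vault",
    "rotated_in_window": lambda i: (_age_days(i.last_rotated) is not None
                                    and _age_days(i.last_rotated) <= MAX_SECRET_AGE_DAYS),
    "used_recently":     lambda i: (_age_days(i.last_used) is not None
                                    and _age_days(i.last_used) <= MAX_IDLE_DAYS),
}


def assess(identity: MachineIdentity) -> dict[str, bool]:
    """Evaluate one identity against every target outcome."""
    return {name: pred(identity) for name, pred in TARGET_OUTCOMES.items()}


def build_profile(inventory: list[MachineIdentity], environment: str) -> dict:
    """Current-state profile for one environment: coverage per outcome plus the
    identities that fail it. Prod and non-prod get separate profiles because the
    acceptable controls differ by risk tier."""
    scoped = [i for i in inventory if i.environment == environment]
    results = {i.name: assess(i) for i in scoped}
    coverage, gaps = {}, {}
    for outcome in TARGET_OUTCOMES:
        failing = sorted(n for n, r in results.items() if not r[outcome])
        coverage[outcome] = (len(scoped) - len(failing)) / len(scoped) if scoped else 0.0
        gaps[outcome] = failing
    return {"environment": environment, "identity_count": len(scoped),
            "coverage": coverage, "gaps": gaps}


def prioritised_gaps(profile: dict) -> list[tuple[str, float, list[str]]]:
    """Order outcomes by lowest coverage first (ties broken by name), so the
    largest gap between current and target state is what gets funded first."""
    return sorted(
        ((o, profile["coverage"][o], profile["gaps"][o]) for o in TARGET_OUTCOMES),
        key=lambda row: (row[1], row[0]),
    )


def hardcoded_secrets(inventory: list[MachineIdentity]) -> list[str]:
    """Identities whose secret lives in code or CI variables: the 'controlled on
    paper, not in operation' case the profile is meant to surface."""
    return sorted(i.name for i in inventory if i.secret_location != "vault")


# Constructed inventory. A real one would be pulled from the cloud IAM API,
# the secrets manager and the CI platform, never maintained by hand.
INVENTORY = [
    MachineIdentity("ci-deployer", "prod", "platform-team", "vault",
                    date(2026, 5, 1), date(2026, 6, 9)),
    MachineIdentity("legacy-backup-svc", "prod", None, "source_code",
                    None, date(2025, 11, 1)),
    MachineIdentity("analytics-etl", "prod", "data-eng", "ci_variable",
                    date(2026, 1, 15), date(2026, 6, 8)),
    MachineIdentity("dev-sandbox-bot", "nonprod", "dev-team", "vault",
                    date(2026, 6, 1), date(2026, 6, 5)),
]

if __name__ == "__main__":
    prod = build_profile(INVENTORY, "prod")
    for outcome, cov, names in prioritised_gaps(prod):
        print(f"{outcome:<18} {cov:>5.0%}  gaps: {', '.join(names) or 'none'}")
    print("secrets outside the vault:", hardcoded_secrets(INVENTORY))
```

Run against the constructed inventory, the production profile reports one identity with no owner, two whose secrets sit outside the vault, two outside the rotation window and one that has not been used for months, which is exactly the mix of unowned, hard-coded and abandoned machine identities the use cases above describe. Because every score is computed from inventory fields rather than asserted, re-running the script after remediation updates the current-state profile without anyone editing a document, which is the difference between a living profile and a static compliance artefact.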
Why It Matters in NHI Security
Profiles matter because they convert scattered findings into a governance story that leaders can act on. In NHI security, that story often reveals that “controlled on paper” access is not controlled in operation: secrets are embedded in code, service accounts persist after projects end, and rotation processes are incomplete. NHIMG reports that only 5.7% of organisations have full visibility into their service accounts, which makes a current-state profile especially valuable for exposing blind spots before they become incidents. Profiles also create a defensible target state for Zero Trust, because a zero standing privilege (ZSP) or least-privilege ambition cannot be measured if the organisation lacks a baseline. The broader lesson in the Ultimate Guide to NHIs is that machine identities multiply faster than governance processes, so the profile has to reflect operational truth, not policy intent alone. In practice, organisations usually only feel the urgency of profile-driven remediation after a breach review or audit finding exposes unmanaged service accounts; building the current-state profile from the live inventory before that point is what turns the profile into a preventive tool rather than a post-incident one.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 describes the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC (Organizational Context), ID.IM (Improvement), PR.AA (Identity Management, Authentication, and Access Control) | Organizational Profiles are the CSF 2.0 mechanism for describing current and target cybersecurity outcomes; ID.IM is where the gap assessment between them lives, and PR.AA is where most machine-identity outcomes are scored. |
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding), NHI-02 (Secret Leakage), NHI-07 (Long-Lived Secrets) | Profile gaps typically surface service accounts that persist after projects end and are missing from inventory, secrets stored in code or CI/CD variables, and credentials that are never rotated. |
| NIST Zero Trust (SP 800-207) | Section 2.1 (Tenets of Zero Trust) | Profiles support Zero Trust planning by showing where least privilege and continuous verification are absent for machine access. |
Use the target profile to drive least-privilege redesign and continuous verification for machine access.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org