Automated or semi-automated processing that evaluates personal aspects about a person, often to support decisions with legal or similarly significant effects. Governance depends on being able to explain inputs, logic, and downstream use, not just the model or rules engine itself.
Expanded Definition
Profiling is not just analysis; it is a governance-sensitive processing activity that turns data about a person into inferences, scores, classifications, or eligibility signals. Under privacy and security practice, the important question is not whether a rules engine or machine learning model was used, but whether the processing can affect a person in ways that are consequential, opaque, or difficult to contest.
Definitions vary across vendors and regulatory regimes, but the core risk is consistent: profiling can combine direct identifiers, behavioural signals, device data, and contextual attributes to produce an automated judgment. That makes traceability, explainability, and purpose limitation central controls, especially when profiling informs access decisions, fraud triage, hiring workflows, or customer treatment. The NIST Cybersecurity Framework 2.0 is relevant here because organisations need to govern data flows, decision systems, and accountability boundaries, not simply secure the underlying technology.
The most common misapplication is treating any analytics dashboard as harmless reporting, which occurs when teams ignore that the output is being used to make decisions about a person.
Examples and Use Cases
Implementing profiling rigorously often introduces review and documentation overhead, requiring organisations to weigh decision quality and automation speed against transparency, fairness, and legal defensibility.
- A lender uses transaction history and device signals to generate a creditworthiness score that influences approval, pricing, or manual review thresholds.
- A fraud platform assigns risk scores to account activity and flags users for step-up verification or temporary restriction.
- A recruitment system ranks candidates from résumés, assessments, and behavioural patterns, creating a profile that shapes shortlisting.
- An insurer combines health-adjacent data and behavioural indicators to segment customers for underwriting or premium decisions.
- A security team profiles user behaviour to identify anomalous access, a use case that overlaps with identity governance when it triggers privileged workflow changes.
NHIMG research shows that identity-related automation can create real operational risk when controls are weak: the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which is a reminder that any profiling model tied to access or response workflows must be tightly scoped. In practice, profiling becomes especially sensitive when the same logic is reused across different business functions without revalidating the purpose or impact. The NIST Cybersecurity Framework 2.0 is also useful when organisations need to map profiling data flows to governed processes and accountable owners.
Why It Matters for Security Teams
Security teams need to understand profiling because it can turn ordinary telemetry into decisions that change access, trust, or treatment. When profiling is inaccurate, biased, or poorly documented, organisations can create avoidable legal exposure, weak auditability, and disputes over automated decisions. When it intersects with identity or agentic AI, the risk grows further: a profile may influence whether a human is challenged, whether an NHI is trusted, or whether an AI agent is allowed to proceed with a tool action.
That matters operationally because profiling often sits behind security controls, fraud controls, and customer workflows without being visible to the people affected. NHIMG data shows only 5.7% of organisations have full visibility into their service accounts, and similar blind spots can exist in profiling systems where inputs, thresholds, and downstream use are not clearly owned. The Ultimate Guide to NHIs highlights how poor visibility and excessive privilege combine into broader exposure, while NIST Cybersecurity Framework 2.0 reinforces the need for governance, monitoring, and response discipline.
Organisations typically encounter profiling risk only after a denied decision, customer complaint, audit finding, or model incident exposes how the profile was created, at which point profiling becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack surface, NIST CSF 2.0, NIST AI RMF and NIST SP 800-63 set the technical controls, and EU AI Act define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Profiling needs oversight, traceability, and accountability across decision flows. |
| NIST AI RMF | GOVERN | AI governance applies when profiling uses automated inference or scoring. |
| NIST SP 800-63 | IAL2 | Identity evidence and assurance matter when profiling affects access or verification. |
| EU AI Act | Certain profiling uses can be regulated when they produce significant effects. | |
| OWASP Agentic AI Top 10 | Agentic systems may profile users or context before tool execution decisions. |
Assign owners, monitor decision logic, and review profiling use cases for governance gaps.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org