Provable basis

Expanded Definition

Provable basis is the record that lets an organisation reconstruct why an allow or deny decision happened at a specific moment, including the policy text, the inputs evaluated, and the version in force when the decision was made. In NHI governance, that means the decision is not just observable; it is explainable after the fact with evidence that can survive audit, incident review, and regulatory scrutiny.

This concept overlaps with logging and policy audit trails, but it is narrower and more demanding. A log entry may show that an API call was denied, while a provable basis shows which identity, secret, attribute, risk score, policy revision, and enforcement engine state produced that result. Definitions vary across vendors, but the operational requirement is consistent: a reviewer should be able to replay the decision context without guessing. That aligns closely with the evidence mindset reflected in NIST Cybersecurity Framework 2.0 and with NHI governance practices described in Ultimate Guide to NHIs.

The most common misapplication is treating generic logs as sufficient proof, which occurs when policy versions, evaluated attributes, and enforcement context are not preserved together.

Examples and Use Cases

Implementing provable basis rigorously often introduces retention and correlation overhead, requiring organisations to weigh stronger auditability against storage, performance, and privacy costs.

• A service account is denied access to a production secrets manager, and the decision record captures the exact RBAC policy, time-bound attributes, and policy version active at the moment.
• An AI agent is allowed to invoke a billing API only during a maintenance window, with evidence showing the request source, approval scope, and conditional rule that was evaluated.
• A JIT credential grant is later disputed during an incident review, and the team reconstructs the full approval chain, the ticket reference, and the issuance policy in force.
• A federation trust assertion fails, and the investigator uses preserved input claims and versioned trust policy to determine whether the deny was correct.
• An access review questions whether a token should have been accepted, and the evidence package shows the token class, issuer state, and control decision path.

These cases depend on more than raw telemetry. They require the decision record to tie directly to the policy baseline described in Ultimate Guide to NHIs, and where the enforcement model is standards-driven, to the identity assurance and access control expectations in the NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

Without provable basis, NHI governance degrades into “trust the log,” which is not enough when service accounts, tokens, and AI agents are making machine-speed decisions across distributed systems. The result is weak incident reconstruction, disputed policy enforcement, and poor accountability when permissions are excessive or secrets are exposed.

This matters because NHI risk is already high: Ultimate Guide to NHIs reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. When an organisation cannot prove why access was granted, it cannot reliably determine whether a deny was too strict, an allow was too broad, or a control failed silently. Provable basis also supports post-incident containment by showing which policy version and which credentials were active when exposure began. That makes it a governance control as much as a technical one, especially in environments applying the decision transparency expectations reflected in NIST Cybersecurity Framework 2.0.

Organisations typically encounter the need for provable basis only after a breach, a compliance challenge, or a disputed deny decision, at which point the evidence trail becomes operationally unavoidable to address.