
Reasonable Efforts

By NHI Mgmt Group Updated June 8, 2026 Domain: Governance, Ownership & Risk

The practical measures an organisation uses to protect PHI while meeting the minimum necessary standard. This usually includes role scoping, encryption, logging, training, and review processes that can be defended during audits or investigations.

Expanded Definition

Reasonable efforts is a defensible, evidence-backed standard of care: the organisation does not need to eliminate every risk, but it does need to show that it applied proportionate safeguards, reviewed the exposure, and acted consistently with policy, regulation, and operational context. In PHI and NHI-adjacent governance, the term is often used to describe what an organisation can prove it did to protect data when ideal controls were not practical. That makes the phrase less about perfection and more about judgment, documentation, and repeatability.

In practice, reasonable efforts may include scoping access by role, limiting standing privileges, enabling logging, encrypting secrets and sensitive records, training operators, and maintaining a review cadence that can survive audit scrutiny. The concept is closely aligned with risk-based control selection in the NIST Cybersecurity Framework 2.0, although no single standard governs the phrase itself. Guidance varies by regulator and jurisdiction, so organisations should treat reasonable efforts as an evidentiary posture, not a checklist. The most common misapplication is treating policy language as proof, which occurs when organisations write controls they do not actually operate or cannot document.

Examples and Use Cases

Implementing reasonable efforts rigorously often introduces operational overhead, requiring organisations to weigh faster delivery and broader access against stronger proof of due care.

  • A healthcare provider limits PHI access to named operational roles, keeps logs for privileged actions, and documents quarterly access reviews to show that access was actively managed.
  • An engineering team stores API keys in a secrets manager, rotates them on a defined schedule, and records exceptions when legacy systems prevent immediate replacement, so that the gap is a documented compensating decision rather than neglect. See the Ultimate Guide to NHIs for why secret handling and rotation failures often become breach multipliers.
  • A security team applies encryption at rest, monitors service-account use, and limits human access to break-glass procedures only, aligning operational controls with the minimum necessary principle.
  • A compliance group performs periodic evidence collection, including training records, access attestations, and exception approvals, so that “reasonable efforts” can be demonstrated during investigation.
  • Where NHI sprawl is high, teams use the NIST Cybersecurity Framework 2.0 to structure governance, then map controls to the specific PHI handling workflow in scope.
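The second, third and fourth bullets above all come down to the same question: can the organisation produce a record showing which secrets were rotated on schedule, which were knowingly left in place under an approved exception, and which were simply forgotten? The following Python is an added illustration written for this page, not code from NHIMG or from any product it describes. The inventory, the finding labels, the rotation thresholds and the "as of" date are all constructed assumptions; the point is that each result is either a compliant state or a documented decision, and anything else is an evidentiary gap.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed reference date for the assessment (an assumption, not from the page).
AS_OF = date(2026, 6, 1)


@dataclass
class ExceptionRecord:
    """An approved, time-bound deviation from the rotation policy."""
    ticket: str
    approver: str
    approved_until: date
    reason: str


@dataclass
class Secret:
    """One non-human credential as it would appear in an NHI inventory."""
    name: str
    owner: Optional[str]          # None models an orphaned secret with no accountable team
    stored_in: str                # "secrets_manager" or an ad-hoc location such as "ci_env_var"
    last_rotated: date
    max_age_days: int             # rotation policy for this secret class
    exception: Optional[ExceptionRecord] = None


def assess_secret(s: Secret, today: date) -> list:
    """Return finding labels (assumed names) for one secret; an empty list means compliant."""
    findings = []
    if s.owner is None:
        findings.append("no_owner")
    if s.stored_in != "secrets_manager":
        findings.append("outside_secrets_manager")
    age_days = (today - s.last_rotated).days
    if age_days > s.max_age_days:
        if s.exception is None:
            findings.append("stale_no_exception")
        elif s.exception.approved_until < today:
            findings.append("stale_exception_expired")
        else:
            # Stale, but covered by a current, approved exception: a defensible decision.
            findings.append("stale_exception_covered")
    return findings


def evidence_report(inventory: list, today: date) -> dict:
    """Map each secret name to its findings; this is the artefact an auditor would be shown."""
    return {s.name: assess_secret(s, today) for s in inventory}


# Findings that no documented decision covers; these are what "we tried" cannot answer.
UNDOCUMENTED = {"no_owner", "stale_no_exception", "stale_exception_expired"}


def defensibility_gaps(report: dict) -> list:
    """Names of secrets whose state is neither compliant nor covered by a recorded exception."""
    return sorted(name for name, f in report.items() if UNDOCUMENTED & set(f))


# Constructed sample inventory; the names and values are illustrative only.
SAMPLE_INVENTORY = [
    Secret("billing-api-key", "payments-team", "secrets_manager",
           AS_OF - timedelta(days=30), 90),
    Secret("legacy-mainframe-token", "platform-team", "secrets_manager",
           AS_OF - timedelta(days=400), 90,
           ExceptionRecord("RISK-0042", "ciso-office", AS_OF + timedelta(days=60),
                           "vendor cannot rotate until next maintenance window")),
    Secret("ci-deploy-token", "devops", "ci_env_var",
           AS_OF - timedelta(days=200), 90,
           ExceptionRecord("RISK-0017", "eng-director", AS_OF - timedelta(days=10),
                           "pipeline migration in progress")),
    Secret("reporting-db-password", None, "repo_file",
           AS_OF - timedelta(days=20), 90),
]


if __name__ == "__main__":
    report = evidence_report(SAMPLE_INVENTORY, AS_OF)
    for name, findings in report.items():
        print(f"{name:24s} {findings or ['compliant']}")
    print("undocumented gaps:", defensibility_gaps(report))
```

Only the "covered" exception in the sample reads as reasonable effort: it has a ticket, an approver, an end date and a reason. The expired exception and the orphaned secret would look identical to neglect during an investigation, which is exactly the distinction the definition above turns on.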

Why It Matters in NHI Security

The reasonable efforts standard matters because NHI environments fail quietly when access is left broad, secrets are reused, and ownership is unclear. NHIMG research shows that 97% of NHIs carry excessive privileges, 79% of organisations have experienced secrets leaks, and 96% store secrets outside of secrets managers in vulnerable locations. Against that backdrop, “we tried” is rarely persuasive without records. The practical question is whether the organisation can show that it reduced avoidable exposure, not whether it achieved an ideal state.

This is especially important in incident response and audit defense. If a service account, API key, or integration token is exposed, investigators will look for evidence of least privilege, rotation, logging, and review. The Ultimate Guide to NHIs also notes that 90% of IT leaders see proper NHI management as essential to zero trust, reinforcing that reasonable efforts is not a legal abstraction but an operational discipline. Organisations typically discover the limits of their reasonable efforts only after a breach, when missing logs, stale keys, or undocumented exceptions make the question impossible to avoid.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     PR.AC-4               Reasonable efforts relies on controlled, least-privilege access and reviewable identity governance.
NIST CSF 2.0                     PR.DS-1               The term often hinges on protecting sensitive data with encryption and handling safeguards.
OWASP Non-Human Identity Top 10  NHI-02                Secret sprawl and weak rotation undermine defensible NHI protection efforts.

Limit access, review entitlements, and retain evidence that access decisions were risk-based and current.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org