
Risk Policy

By NHI Mgmt Group Updated June 22, 2026 Domain: Governance, Ownership & Risk

A risk policy defines which combinations of functions, roles, or entitlements are unacceptable. It turns governance intent into an enforceable rule set that access management and recertification workflows can evaluate before or after access is granted.

Expanded Definition

A risk policy is the governance layer that states which combinations of functions, roles, entitlements, or conditions are not acceptable for a Non-Human Identity. It differs from a general access policy because it is written to express risk tolerance, not just permission logic.

In NHI and IAM programs, a risk policy often acts as the decision rule behind recertification, access requests, and exception handling. It can block a service account from holding both provisioning and approval rights, flag an API key with unusually broad reach, or require additional review when an agent can invoke high-impact tools. Definitions vary across vendors, but the operational intent is consistent: convert policy into an enforceable control that can be evaluated by workflow or automation. For governance alignment, NIST’s Cybersecurity Framework 2.0 reinforces the need to manage access and risk as continuous functions, not one-time approvals. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives ties that expectation to auditability and control evidence.

The most common misapplication is treating a risk policy as a static approval checklist, which occurs when teams define it once but never connect it to changing entitlements, workload context, or recertification outcomes.

Examples and Use Cases

Implementing a risk policy rigorously often introduces review overhead, requiring organisations to weigh tighter control against faster automation and lower friction for legitimate machine actions.

  • A CI/CD service account is denied permission to both write to production infrastructure and approve its own deployment, because the role combination violates separation of duties.
  • An AI agent is allowed to read customer tickets but not trigger payments, because the policy treats financial execution as a higher-risk entitlement set.
  • An API key used by a third-party integration is recertified only when its scope changes, reflecting the guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
  • A secrets manager policy blocks long-lived credentials from being stored in code or config files, echoing the risk patterns covered in Top 10 NHI Issues.
  • A privileged bot is forced into an exception workflow when it requests both directory admin rights and ticketing-system write access, because the combination exceeds approved risk tolerance.

These examples align with identity governance guidance in NIST Cybersecurity Framework 2.0, where access decisions should be grounded in ongoing risk treatment, not isolated grants.
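The evaluation logic these examples describe, as an added illustration (not NHIMG's code or any vendor's product): a small policy engine that resolves an NHI's effective entitlements (direct grants plus those inherited through roles), checks them against a rule set of unacceptable combinations before a grant is approved, and returns a deny or an exception-workflow verdict. Role names, entitlement strings, and rules are constructed sample data.

```python
"""Toy risk-policy evaluator for NHI entitlement combinations (added example)."""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement map; constructed sample data.
ROLES = {
    "prod-deployer": {"prod:write"},
    "release-manager": {"deploy:approve"},
    "support-agent": {"tickets:read"},
    "finance-executor": {"payments:trigger"},
    "dir-admin": {"directory:admin"},
    "ticket-writer": {"tickets:write"},
}

# Each rule: entitlements that must not coexist, the verdict when they do
# ("deny" or route to "exception" review), and the governance reason.
RULES = [
    ({"prod:write", "deploy:approve"}, "deny", "separation of duties"),
    ({"tickets:read", "payments:trigger"}, "deny", "financial execution"),
    ({"directory:admin", "tickets:write"}, "exception", "exceeds risk tolerance"),
]


@dataclass
class NHI:
    name: str
    roles: set = field(default_factory=set)   # inherited entitlements
    direct: set = field(default_factory=set)  # directly granted entitlements


def effective_entitlements(nhi):
    """Direct grants plus everything inherited through roles."""
    inherited = set().union(*(ROLES.get(r, set()) for r in nhi.roles))
    return nhi.direct | inherited


def evaluate(nhi, requested=frozenset()):
    """Pre-grant check of current plus requested entitlements against RULES.
    Returns (verdict, reasons); verdict is 'allow', 'exception' or 'deny'."""
    ents = effective_entitlements(nhi) | set(requested)
    hits = [(v, why) for combo, v, why in RULES if combo <= ents]
    if not hits:
        return "allow", []
    worst = "deny" if any(v == "deny" for v, _ in hits) else "exception"
    return worst, [why for _, why in hits]


def needs_recertification(old_scope, new_scope):
    """Post-grant trigger: recertify a key only when its scope actually changes."""
    return set(old_scope) != set(new_scope)
```

Because the rules compare against effective entitlements, a combination is caught whether it arrives through a direct grant or through role inheritance.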

Why It Matters in NHI Security

Risk policy becomes critical because NHI environments scale faster than human oversight. NHIMG’s Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges and that 68% of organisations do not know how to fully address NHI risks. That combination means policy gaps are not theoretical: they become exposed attack paths.

When a risk policy is missing or too vague, organisations often inherit inconsistent decisions across PAM, IAM, recertification, and engineering workflows. The result is privilege accumulation, conflicting approvals, and exceptions that persist long after their original justification has expired. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now is relevant here because it frames NHI governance as an operational necessity, not a documentation exercise. The 2024 ESG Report: Managing Non-Human Identities also shows how compromised NHIs repeatedly drive enterprise incidents, which is exactly what weak risk rules fail to prevent.

Organisations typically confront this consequence only after a service account has been abused, at which point defining and enforcing a risk policy becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Risk policy helps define forbidden NHI privilege combinations and unsafe access patterns.
NIST CSF 2.0 | PR.AC-4 | Access permissions should be governed by least privilege and risk-based approval.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous policy evaluation of access context and privilege.

Block disallowed NHI role and entitlement combinations before they can be approved or inherited.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 22, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org