These are the four attribute groups ABAC commonly uses to make a decision. Subject describes the requester, resource describes the target, environment captures context, and action defines the operation. Together they form the policy inputs that determine whether access is appropriate in the moment.
Expanded Definition
Subject, resource, environment, and action are the four attribute groups most commonly used in attribute-based access control, or ABAC, to evaluate a request at decision time. They are not four independent policies; they are the inputs a policy engine weighs together.
Subject describes the requester, such as a service account, API client, agent, or workload identity. Resource identifies the target object, including a secret, endpoint, file, or cloud API. Environment captures context like time, network zone, device posture, and risk signals. Action defines the intended operation, such as read, write, rotate, approve, or execute. In practice, this model is often paired with Zero Trust Architecture guidance in NIST Cybersecurity Framework 2.0 and NIST Cybersecurity Framework 2.0-aligned access governance, although definitions vary across vendors when they blend ABAC with RBAC or policy-as-code models.
The most common misapplication is treating subject attributes as enough on their own, which occurs when teams ignore environment and action context and then overgrant access to static identities.
Examples and Use Cases
Implementing these attributes rigorously often introduces policy complexity, requiring organisations to weigh finer-grained control against the cost of designing, testing, and maintaining more rules.
- A CI/CD agent may be allowed to read deployment secrets only when the resource matches a production vault, the environment is a trusted pipeline, and the action is read rather than update.
- An automation workload may receive JIT access to a cloud API only if the subject is a known NHI, the request arrives from an approved network segment, and the environment score is below a defined risk threshold.
- A database administration agent may be permitted to rotate credentials after hours, but not to export them, because the action attribute differentiates maintenance from exfiltration.
- An incident response workflow may allow a privileged agent to quarantine a resource during a live event, while blocking the same subject from changing policy settings outside an approved window.
- NHI researchers have shown how credential misuse can escalate quickly when request context is not evaluated carefully, as seen in the ASP.NET machine keys RCE attack, where compromise of a secret changed the meaning of every downstream request.
That same context-aware approach is consistent with NIST Cybersecurity Framework 2.0, which encourages access decisions that reflect asset, identity, and situational conditions rather than static allowlists alone.
Why It Matters in NHI Security
For NHI security, these attributes are the difference between a policy that merely authenticates and a policy that actually constrains risk. Service accounts, agents, and API keys often operate faster and more broadly than human users, so weak attribute evaluation can turn a single credential into unrestricted access across environments.
NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes it difficult to know whether subject, resource, environment, and action rules are truly enforcing least privilege. That visibility gap is especially dangerous when credentials are long-lived, third parties are involved, or an agent can call tools autonomously. The same pattern appears in the ASP.NET machine keys RCE attack, where one exposed secret changed a bounded permission model into an execution path for attackers.
For NHI programmes, these attributes also support practical control mapping across NIST Cybersecurity Framework 2.0 and Zero Trust Architecture by making access decisions conditional rather than permanent. Organisations typically encounter the need to formalise these attributes only after a secret leak, an over-permissioned agent, or an unexpected execution event, at which point the model becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | ABAC attributes help constrain NHI access by identity, resource, context, and operation. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be evaluated and enforced according to contextual policy. |
| NIST Zero Trust (SP 800-207) | Policy Engine | Zero Trust decisions rely on subject, resource, and environment signals before granting access. |
Feed subject, resource, environment, and action signals into the policy engine for every request.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
