Subscribe to the Non-Human & AI Identity Journal
Foundations & NHI Taxonomy

Tenant

← Back to Glossary
By NHI Mgmt Group Updated July 5, 2026 Domain: Foundations & NHI Taxonomy

A discrete customer configuration inside a shared identity platform. Each tenant carries its own domains, federation settings, and lifecycle relationships, which means migration work must preserve tenant-specific trust and routing rather than assuming one global configuration fits all.

Expanded Definition

In NHI and IAM contexts, a tenant is the isolated customer boundary inside a shared platform where identity routing, domains, federation trust, access policies, and lifecycle events are scoped. The key distinction is that tenant boundaries are operational and security boundaries at the same time, so a tenant change is not just a configuration update.

Tenant design determines how authentication requests are resolved, where secrets and certificates are associated, and how inbound or outbound federation is trusted. That makes tenant-aware governance a prerequisite for safe migrations, mergers, product rebranding, and environment consolidation. Guidance varies across vendors on whether a tenant is a hard isolation boundary or a logical partition, so practitioners should confirm which controls are actually tenant-scoped before assuming separation. This aligns with the control intent of the NIST Cybersecurity Framework 2.0, especially where identity governance and access control depend on accurate asset and trust boundary definitions.

The most common misapplication is treating a tenant as a simple label, which occurs when migration or SSO changes are made without preserving tenant-specific federation, routing, and lifecycle dependencies.

Examples and Use Cases

Implementing tenant separation rigorously often introduces administrative overhead, requiring organisations to weigh stronger isolation and cleaner governance against more complex migration, support, and automation work.

  • A SaaS provider assigns each enterprise customer its own tenant so domains, SAML metadata, and admin roles do not collide during onboarding or offboarding.
  • An organisation merges subsidiaries and must map legacy identity providers into separate tenants before consolidating reporting or policy inheritance.
  • A security team rotates service account credentials inside one tenant without affecting others, because secrets, apps, and federation links are tenant-scoped.
  • A platform team uses tenant-level routing to ensure an AI agent or integration only reaches the customer environment it was approved for, not a shared default.
  • During a migration, engineers validate tenant-specific trust first, because a global cutover can break federation even when users and groups look identical on paper.

For broader NHI governance context, the Ultimate Guide to NHIs is useful for understanding why tenant-aware lifecycle handling matters across the full identity estate. Standards-oriented teams often compare tenant scoping with the boundary and trust concepts in NIST Cybersecurity Framework 2.0 when designing shared-platform controls.

Why It Matters in NHI Security

Tenant mistakes can turn routine administration into a security incident. If the wrong tenant is targeted, access reviews may miss privileged service accounts, federation trust can be pointed at the wrong issuer, and secrets can be exposed across customer boundaries. That is especially dangerous in environments where service identities, API keys, and automation agents inherit permissions from tenant configuration rather than from a central global policy. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which makes tenant-level control failures far more consequential than a simple user-management error.

Tenant awareness also matters for visibility. When organisations cannot tell which non-human identities belong to which customer boundary, incident response slows down and offboarding becomes incomplete. The Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is a direct warning sign for tenant-sprawl and misplaced trust. In practice, this is where tenant becomes an operational control, not a data model detail. Organisations typically encounter tenant-related exposure only after a failed migration, at which point tenant scoping is operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Tenant scoping affects NHI isolation, trust boundaries, and lifecycle governance.
NIST CSF 2.0PR.AC-4Tenant-specific access control depends on accurate permissions and boundary enforcement.
NIST Zero Trust (SP 800-207)Tenant boundaries are central to Zero Trust segmentation and trust evaluation.

Enforce tenant-aware least privilege and review access by customer boundary, not global role alone.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org