An operating model for IT and identity support that prioritises employee success, trust, and long-term enablement alongside control. It treats service quality as part of governance, not as a separate customer-service function. The practical test is whether users can follow approved identity processes without feeling obstructed or adversarially managed.
Expanded Definition
Values-driven IT is an operating model that treats service quality, dignity of users, and long-term enablement as governance outcomes, not soft extras. In NHI and identity operations, it means controls are designed so approved processes are usable, explainable, and proportionate rather than merely restrictive.
The concept overlaps with service management, security governance, and employee experience, but it is not the same as relaxed control. A values-driven approach still enforces least privilege, logging, and review, yet it asks whether the path to compliance is realistic for engineers, operators, and business teams. That distinction matters because brittle workflows often create shadow processes, weak exception handling, and unsafe workarounds. Guidance in the NIST Cybersecurity Framework 2.0 supports outcomes-based governance, but organisations differ on how far “user-centric” design should extend inside security operations.
The most common misapplication is treating values-driven IT as a branding exercise, which occurs when teams add friendlier language but keep the same obstructive approval chains and manual exceptions.
Examples and Use Cases
Implementing values-driven IT rigorously often introduces a tension between user convenience and control depth, requiring organisations to weigh faster adoption against stricter review and traceability.
- Replacing blanket access denials with time-bound approvals for developers who need production diagnostics, while still enforcing NIST Cybersecurity Framework 2.0-aligned access review.
- Designing service-account onboarding so teams can request credentials through a clear workflow instead of storing them in ad hoc locations, a pattern discussed in the Ultimate Guide to NHIs.
- Creating incident response runbooks that explain why token rotation, key revocation, and MFA resets happen, reducing friction during recovery and improving follow-through.
- Standardising exception handling so a short-lived business need does not become a permanent access entitlement after the original request expires.
- Using service feedback from engineers and operators to simplify identity workflows that are technically compliant but operationally unworkable.
These use cases are most effective when the organisation makes the approved path easier than the risky path, rather than relying on policy language alone. The result is fewer bypasses, less resentment, and stronger identity hygiene across both human and non-human workflows.
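The time-bound approval and expiring-exception use cases above, as an added illustration that is not part of the original article: a small grant registry in which every approval carries a justification and an expiry, durations are capped, and an expired grant is removed rather than lingering as a standing entitlement. The names, cap and sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessGrant:
    principal: str
    resource: str
    justification: str
    approved_by: str
    expires_at: datetime


@dataclass
class GrantRegistry:
    # Assumed policy cap: no single approval may exceed eight hours (example value).
    max_duration: timedelta = timedelta(hours=8)
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, principal, resource, justification, approved_by, duration, now):
        # Approved path: a grant always records who approved it, why, and when it ends.
        if not justification.strip():
            self.audit.append(("denied", principal, resource, "missing justification"))
            return None
        # Over-long requests are silently capped so the easy path stays the safe path.
        duration = min(duration, self.max_duration)
        grant = AccessGrant(principal, resource, justification, approved_by, now + duration)
        self.grants[(principal, resource)] = grant
        self.audit.append(("granted", principal, resource, grant.expires_at.isoformat()))
        return grant

    def is_allowed(self, principal, resource, now):
        # Authorisation check used by the resource; expiry is enforced here, not by cleanup jobs.
        grant = self.grants.get((principal, resource))
        if grant is None:
            return False
        if now >= grant.expires_at:
            # The exception ends by default; extending it needs a fresh request and justification.
            del self.grants[(principal, resource)]
            self.audit.append(("expired", principal, resource, grant.expires_at.isoformat()))
            return False
        return True

    def active_grants(self, now):
        # Review view: what is currently live, for periodic access review.
        return [g for g in self.grants.values() if now < g.expires_at]
```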
Why It Matters in NHI Security
Values-driven IT matters because identity controls fail when people cannot or will not use them. In NHI environments, excessive friction pushes teams toward hard-coded secrets, unmanaged credentials, and informal approvals, which is exactly where exposure tends to grow. NHIMG reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, and 68% do not know how to fully address NHI risks, a combination that shows how usability gaps become security gaps. The Ultimate Guide to NHIs is clear that operational sprawl is not just a tooling problem; it is a governance problem.
Values-based design also supports the intent of the NIST Cybersecurity Framework 2.0, where resilient processes should be repeatable and measurable. When identity journeys are hostile, users delay rotations, skip cleanup, or route around controls, and the organisation inherits hidden privilege, stale tokens, and poor auditability. Organisational trust erodes quickly when security is experienced as arbitrary rather than protective. Organisations typically encounter the cost only after a failed audit, a leaked secret, or a production incident, at which point addressing it through values-driven IT becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Values-driven IT reduces the friction that leads to secret sprawl and unsafe workarounds. |
| NIST CSF 2.0 | GV.OC-01 | Governance outcomes should include usable, trustworthy identity operations for staff. |
| NIST AI RMF | | Human-centred risk management emphasises trust, transparency, and operational impact. |
Assess whether security controls support safe use, clear accountability, and sustainable adoption.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org