NHI Lab — Use-Case Overview

The four use cases

Four use cases, each tied to a measurable outcome. Four further use cases — the agentic, data-posture, resilience, and value dimensions — are on the roadmap; see Future expansion below.

UC-01 · Foundry

NHI / HI Data Foundry

Generate every identity type from the taxonomy as repeatable test data — the canonical substrate every UC and every vendor adapter runs against.

Outcome: a controlled, repeatable identity population that lets us run identical data through any vendor and prove coverage honestly.

UC-02 · Discover

Discover & Risk-Score

Find every NHI across cloud, code, secrets, workload, agentic, and SaaS surfaces. Risk-score each. Run the bake-off — same data, every vendor, what each sees vs misses.

Outcome: a single inventory, owner-attributed and risk-ranked, with an honest vendor-coverage matrix.

UC-03 · Govern

Govern Lifecycle

Joiner / mover / leaver for non-humans. Rotate, federate, certify, deprovision — plus the marquee “zero-secrets” federated-credential migration.

Outcome: every NHI has an owner, a purpose, a lifecycle — and a clean teardown when it ends.

UC-04 · Comply

Compliance & AI-Act Reporting

Map NHI / agent controls to SOC 2, PCI, NIST, ISO. Package auditor-ready attestation. Produce evidence supporting EU AI Act control mapping. Board / regulator reporting view.

Outcome: compliance as a live signal that auditors can verify, not a quarterly scramble.

Tranche 1

Tools & Plan

The foundation tools and the Jun–Sep delivery plan — what we build first.

Foundation tools — UC coverage

Each foundation tool with the use cases it participates in. The detailed per-NHI coverage matrix lives on the Tools page.

Foundation

Tools we implement first

Tool	Use cases covered
Microsoft Entra ID	UC-01 Foundry · UC-02 Discover · UC-03 Govern · UC-04 Comply (Entra ID Governance)
Saviynt	UC-02 Discover · UC-03 Govern · UC-04 Comply
CyberArk	UC-02 Discover · UC-03 Govern · roadmap: Authorize, Detect
Microsoft Purview	UC-01 Foundry · UC-04 Comply · roadmap: DSPM
Microsoft Defender	UC-02 Discover (partial) · roadmap: DSPM, Detect
Symmetry Data Guard	UC-02 Discover (strong) · roadmap: DSPM
Microsoft Intune	UC-01 Foundry (device / posture context)

Implementation direction. Phase 1 deploys the Tier 1 (AI / agentic) priority NHIs using the foundation tools above. See the NHI × Tool matrix on the Tools page for per-NHI coverage. Inline roadmap: notes mark use cases a vendor will add as the program matures — see Future expansion below.

Delivery plan — Jun–Sep 2026

A high-level work-breakdown for the four use cases on the foundation tools, across eight two-week increments. A demo ships at the end of every sprint. Core team is small (2–3 people); sequencing favours one UC at a time with compliance evidence captured continuously. The full task-level playbook lives in the god-mode build notes.

June

July

August

September

S1 · Jun 1

S2 · Jun 15

S3 · Jul 1

S4 · Jul 15

S5 · Aug 1

S6 · Aug 15

S7 · Sep 1

S8 · Sep 15

UC-01Foundry — seed dataset

Generate NHI / agent population

UC-02Discover & risk-score

Live discovery + bake-off

UC-03Govern (JML)

Ownership, certify, deprovision

UC-04Comply & report

Controls map + evidence pack

CROSSEvidence + hardening

Continuous evidence capture · demo polish

Demo cadence

✦

UC-01 · Foundry (Jun) — the substrate everything runs on.
- Synthetic NHI + AI-agent population generator (Tier-1 priority types first)
- Seed Microsoft Entra Agent ID; tag owners & risk attributes
- Demo: generate and populate a realistic identity estate on command
UC-02 · Discover (Jul) — the marquee bake-off.
- Live discovery + risk-scoring via Entra + Defender; coverage matrix vs simulated vendors
- Demo: one dataset, every tool — what each sees vs misses
UC-03 · Govern (Aug) — close the ownership / lifecycle gap.
- Joiner / mover / leaver for NHIs & agents; certification; clean deprovision (Entra ID Governance live; Saviynt simulated)
- Demo: every NHI gets an owner, a purpose, and a teardown
UC-04 · Comply (Sep) — make it audit-ready.
- Map controls to SOC 2 / NIST / ISO / EU AI Act; Purview audit evidence; reporting view
- Demo: auditor-ready attestation pack generated from the lab

What we need to start. Live Microsoft Entra + Defender (admin consent + Graph scopes for workload / Agent ID + Defender security signals). Request Microsoft Intune (device / posture context for UC-01 / UC-04). Simulate CyberArk · Saviynt · Symmetry until vendor access lands — built behind the vendor-proxy so each flips to live without rework.
To complete: admin consent signed off, a stable demo tenant, and one decision — agent framework for the demo agents (defaulting to Microsoft Agent Framework, since that surface is live).

Tranche 2

Tools & Scope

Extension tools and the broader use-case scope — later phases, after the foundation lands.

Extension tools — future phases

Additional tools evaluated for later phases, with the use cases they participate in.

Later

Extension tools

Tool	Use cases covered
ServiceNow (+ Veza)	UC-01 Foundry · UC-02 Discover · UC-03 Govern · UC-04 Comply
SailPoint	UC-02 Discover · UC-03 Govern · UC-04 Comply
Okta	UC-01 Foundry · UC-02 Discover · UC-03 Govern
Oasis Security	UC-02 Discover · UC-03 Govern
Entro Security	UC-02 Discover
Delinea (+ StrongDM)	UC-03 Govern
Astrix Security	UC-02 Discover

Future expansion

Four further use cases on the roadmap — they light up as the program matures.

Authorize (Agentic)
- Per-request authorization for AI agents — MS Agent Framework · AWS Bedrock · Gemini
- Delegation, session isolation, and sub-agent containment
DSPM Bridge
- Correlate agent → data → classification → posture drift
- CISO-ready timeline with remediation tickets
Business Value Assessment
- Full-AI / Full-HIL / Hybrid trade-off across Cost · Risk · Throughput
- Board-ready ROI with CFO / CISO / COO sliders
Agentic Resilience
- Credential-misuse, anomaly, secret-leak & lateral-movement detection
- Automated containment with MTTD / MTTC measured