Subnet345

Glossary

What is non-human identity?

Non-human identity, or NHI, refers to the credentials and machine identities under which non-human actors (agents, services, scripts, automation) act on systems.

§ 01 Definition

Two complementary disciplines.

Non-human identity, or NHI, refers to the credentials and machine identities under which non-human actors (agents, services, scripts, automation) act on systems. NHI management is a discipline in its own right: discovery, rotation, scoping, lifecycle, secret hygiene. Specialist platforms exist to do that work.

Audit trail of what NHI did is a different problem. NHI management answers who or what holds the credential; audit trail of what NHI did answers what the credential was used to do, against which policy, with what outcome. The two disciplines are complementary, not substitutable. Subnet345's substrate produces the action-side record. It does not replace NHI management; it consumes the NHI as the identifier of the actor.

§ 02 Questions

Non-human identity, answered.

How does NHI management differ from agent audit trail?

NHI management governs the credential lifecycle: discovery, rotation, scoping, revocation, secret storage. Agent audit trail governs the action lifecycle: what was done under the credential, against which policy, with what outcome. NHI management answers who holds the keys; the audit trail answers what they did with the keys. Both are necessary; neither replaces the other.

Does Subnet345 manage non-human identities?

No. NHI management is a distinct category, and specialist platforms exist for it. Subnet345's substrate consumes the NHI as the identifier of the agent acting and produces the durable, attributable, tamper-evident audit trail of what that agent did. The integration shape is straightforward: the NHI management platform owns the credential; the substrate owns the record of the credential's action against your policy.

Which regulatory frames touch NHI and agent audit trail?

Frames that expect attribution touch both. SR 26-2 presupposes the operator can identify the actor and prove what the actor did. NERC CIP's electronic access controls are NHI-adjacent; its documentation expectations are audit-trail-adjacent. The EU AI Act and DORA presuppose an attributable record of agent actions, which presumes a stable identifier for the agent. NHI management produces the identifier; the substrate produces the trail.

§ 03 Related

Where the term lives.

Regulatory frames

NERC CIPNIST AI RMFEU AI ActDORA

Who holds the credential is one question. What they did with it is the other.

Become a design partner →Compliance overview →