
Non-Human Identity Lifecycle Architect

Engineers robust zero-trust security architectures for managing the complete lifecycle of non-human identities (service accounts, API keys, OAuth tokens, secrets), addressing the specific complexities of highly automated, multi-cloud enterprise environments.


---
name: Non-Human Identity Lifecycle Architect
version: 1.0.0
description: Engineers robust zero-trust security architectures for managing the complete lifecycle of non-human identities (service accounts, API keys, OAuth tokens, secrets), addressing the specific complexities of highly automated, multi-cloud enterprise environments.
authors:
  - name: Strategic Genesis Architect
metadata:
  domain: technical
  complexity: high
  tags:
    - security
    - architecture
    - iam
    - zero-trust
    - secrets-management
    - nhi
  requires_context: true
variables:
  - name: environment_topology
    description: Detailed description of the deployment environment including cloud providers, Kubernetes clusters, CI/CD platforms, and existing secret management solutions (e.g., HashiCorp Vault, AWS Secrets Manager).
    required: true
  - name: operational_scale
    description: The scale of automation, including the frequency of deployments, number of active service principals, and compliance/regulatory constraints related to access logging and rotation.
    required: true
model: gpt-4o
modelParameters:
  temperature: 0.1
messages:
  - role: system
    content: |
      You are the Principal Identity Security Architect and Lead Zero Trust Strategist. Your objective is to design a highly resilient, automated, and secure lifecycle architecture for Non-Human Identities (NHI) across a complex, multi-cloud enterprise.

      You must rigorously analyze the provided environment topology and operational scale. You understand that NHIs (service accounts, API keys, machine-to-machine tokens, workload identities) vastly outnumber human identities and are prime targets for lateral movement and privilege escalation due to historically poor rotation and visibility.

      Output a highly structured, authoritative Non-Human Identity Architecture Report containing:
      1. Discovery and Inventory Automation: Architect a solution to continuously discover, inventory, and classify orphaned, over-privileged, or unmanaged secrets and service accounts across the specified environments without disrupting active CI/CD pipelines.
      2. Dynamic Secrets and Just-In-Time (JIT) Workload Access: Design a mechanism to transition from static, long-lived credentials to ephemeral, short-lived tokens using technologies like SPIFFE/SPIRE, OIDC federation for CI/CD, or dynamic secret generation via Vault.
      3. Governance, Rotation, and Revocation Strategies: Define a deterministic, mathematically rigorous rotation schedule and automated revocation framework that guarantees zero downtime for highly scaled microservices while adhering to strict compliance constraints.
      4. NHI Threat Detection and Anomaly Response: Detail the integration of telemetry (e.g., CloudTrail, Kubernetes Audit Logs) to build an identity threat detection capability specifically tuned for machine-to-machine behavioral anomalies.

      Enforce strict IAM/Zero-Trust nomenclature and authoritative technical precision. Do not use markdown code blocks to format the entire response; output plain text formatted cleanly with headers.
  - role: user
    content: |
      Analyze the following environment topology and operational scale constraints. Generate a rigorous Non-Human Identity lifecycle architecture.

      <environment_topology>
      {{environment_topology}}
      </environment_topology>

      <operational_scale>
      {{operational_scale}}
      </operational_scale>
testData:
  - variables:
      environment_topology: "A hybrid environment utilizing AWS (EKS for workloads, IAM Roles for Service Accounts) and GitHub Actions for CI/CD. Currently relying on static, long-lived AWS IAM User access keys stored as GitHub secrets."
      operational_scale: "Deploying 50+ microservices daily. Over 200 active CI/CD pipelines. Regulated by SOC2 and PCI-DSS, requiring maximum 90-day key rotation, but seeking immediate reduction in risk exposure."
    expected: "Contains recommendations for OIDC federation between GitHub Actions and AWS, implementation of IRSA (IAM Roles for Service Accounts) for EKS workloads, and deprecation of static IAM Users."
  - variables:
      environment_topology: "Multi-cloud GCP and Azure environment with fragmented Kubernetes clusters. Applications hardcode database credentials. No centralized secrets management."
      operational_scale: "Over 10,000 active service accounts across both clouds. High risk of secret sprawl. Need to centralize without impacting the high-throughput transactional databases."
    expected: "Architects a centralized HashiCorp Vault implementation, utilizing Kubernetes Auth method for dynamic secret generation, and details an automated discovery process for hardcoded credentials."
evaluators:
  - name: Discovery Included
    regex:
      pattern: "(?i)Discovery and Inventory Automation:"
  - name: Ephemeral Secrets Included
    regex:
      pattern: "(?i)Dynamic Secrets"
  - name: Governance Included
    regex:
      pattern: "(?i)Governance, Rotation"
  - name: Anomaly Detection Included
    regex:
      pattern: "(?i)Threat Detection and Anomaly Response:"
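The third report section above asks for a deterministic rotation schedule that keeps every credential inside the compliance age limit (90 days in the first test case) while never leaving a workload without a valid credential. The following Python module is an added worked example, not part of the prompt file or of any tool it names; it assumes a two-slot (A/B) overlap model in whole days: a new credential is issued every `period` days, each credential lives for `2 * period` days so consecutive credentials overlap for one full period, and consumers are assumed to reload within `refresh_grace_days` of an issue. The verifier checks the three invariants a reviewer would want: no credential exceeds the max age, some credential is valid on every day of the horizon, and a worst-case consumer (one that switches as late as the grace allows) never presents an already-revoked credential. All names, values and the day-granularity model are this example's own assumptions.

```python
"""Two-slot overlapping rotation schedule for a non-human credential.

Added example; the model is an assumption, not something the prompt prescribes:
- a new credential is issued every `period` days into alternating slots A/B;
- each credential is valid for 2 * period days, so consecutive credentials
  overlap for one full period, which is the window consumers use to switch;
- compliance caps credential age at `max_age_days`, so period = max_age // 2
  (45 days under the 90-day limit from the first test case);
- consumers reload credentials at most `refresh_grace_days` after an issue;
  the schedule is zero-downtime only if that grace is strictly shorter than
  the period, otherwise the old credential is revoked before everyone moved.
Time is modelled in whole days; `expires_day` is exclusive.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Credential:
    slot: str
    issued_day: int
    expires_day: int  # exclusive: revoked at the start of this day

    def valid_on(self, day: int) -> bool:
        return self.issued_day <= day < self.expires_day


def rotation_period(max_age_days: int) -> int:
    """Largest whole-day period whose 2*period lifetime stays within max_age."""
    if max_age_days < 2:
        raise ValueError("max_age_days must allow two periods of at least one day")
    return max_age_days // 2


def plan_rotation(max_age_days: int, horizon_days: int) -> List[Credential]:
    """Deterministic issue/revoke calendar covering days [0, horizon_days)."""
    period = rotation_period(max_age_days)
    creds: List[Credential] = []
    i = 0
    while i * period < horizon_days:
        slot = "A" if i % 2 == 0 else "B"
        creds.append(Credential(slot, i * period, i * period + 2 * period))
        i += 1
    return creds


def simulate_consumer(creds: List[Credential], refresh_grace_days: int,
                      horizon_days: int) -> List[int]:
    """Days on which a worst-case consumer would present a revoked credential.

    Worst case: the consumer switches exactly refresh_grace_days after each
    issue and makes its first request of the day before switching.
    """
    held = creds[0]
    bad_days: List[int] = []
    for day in range(horizon_days):
        if not held.valid_on(day):
            bad_days.append(day)
        for c in creds:  # issue order, so the newest adoptable credential wins
            if c.issued_day > held.issued_day and day >= c.issued_day + refresh_grace_days:
                held = c
    return bad_days


def verify_schedule(creds: List[Credential], max_age_days: int,
                    refresh_grace_days: int, horizon_days: int) -> List[str]:
    """Return invariant violations; an empty list means the schedule is sound."""
    problems: List[str] = []
    period = rotation_period(max_age_days)
    if refresh_grace_days >= period:
        problems.append(f"refresh grace {refresh_grace_days}d is not shorter than the {period}d period")
    for c in creds:
        if c.expires_day - c.issued_day > max_age_days:
            problems.append(f"slot {c.slot} credential issued day {c.issued_day} exceeds {max_age_days}d max age")
    for day in range(horizon_days):
        if not any(c.valid_on(day) for c in creds):
            problems.append(f"no valid credential on day {day}")
    for day in simulate_consumer(creds, refresh_grace_days, horizon_days):
        problems.append(f"worst-case consumer presented a revoked credential on day {day}")
    return problems


if __name__ == "__main__":
    schedule = plan_rotation(max_age_days=90, horizon_days=365)
    for c in schedule:
        print(f"slot {c.slot}: issue day {c.issued_day:3d}, revoke day {c.expires_day:3d}")
    print("7-day grace:", verify_schedule(schedule, 90, 7, 365) or "OK")
    print("45-day grace:", verify_schedule(schedule, 90, 45, 365)[:2])
```

The useful output is the failure case: with a 45-day grace against a 45-day period the verifier reports a revoked credential being presented on day 90 and every 45 days thereafter, which is exactly the outage a rotation plan that ignores consumer refresh latency produces. In a real deployment the grace would be measured from the secrets store or SPIFFE agent reload interval, and the revocation step would be gated on an inventory check that no active principal still holds the outgoing credential.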