NHI
A non-human identity (NHI) — any digital identity that is not a person, such as a service account, machine credential, secret, OAuth app, bot, certificate, API key, webhook, or CI/CD identity. NHIs are typically used by software, automation, or workloads to access systems and services.
NHI properties
| Property | Type | Description | Specifications |
|---|---|---|---|
aiConfidence | string | Confidence that this NHI is AI-related. 'confirmed' = signed evidence; 'high'/'medium'/'low' = heuristic strength. | enum: confirmed, high, medium, low |
aiPlatform | string | The AI platform or vendor this NHI belongs to (e.g. 'openai', 'anthropic', 'google-vertex'). Open string — new platforms appear constantly. | |
isAi | boolean | Whether this NHI is associated with an AI agent, model, or AI-powered workload. | |
nhiOwnerStatus | string | Ownership state used by governance triage workflows. | enum: assigned, unassigned, orphaned |
nhiType | string | The category of non-human identity. | enum: service_account, credential, secret, oauth_app, bot, certificate, api_key, webhook, ci_cd_identity, service_linked_role, service_role, workload_identity, ci_cd_role, cross_account_role, sso_role, federated_role, iam_role |
owner | string | Identifier of the human or team responsible for this NHI (e.g. email, team handle, employee ID). Free-form string — owner-resolution conventions are integration-specific. |
Inherited properties
| Property | Type | Description | Specifications |
|---|---|---|---|
_class * | string | array of strings | One or more classes conforming to a standard, abstract security data model. For example, an EC2 instance will have '_class':'Host'. | |
_key * | string | An identifier unique within the scope containing the object. For example, for a Bitbucket repo, this will be the GUID of the repo as assigned by Bitbucket. For an IAM Role, this will be the ARN of the role. | minLength: 10 |
_type * | string | The type of object, typically reflecting the vendor and resource type. For example, 'aws_iam_user'. In some cases, a system knows about a type of entity that other systems know about, such as 'user_endpoint' or 'cve'. | minLength: 3 |
displayName * | string | Display name, e.g. a person's preferred name or an AWS account alias | |
name * | string | Name of this entity | |
active | boolean | Indicates if this entity is currently active. | |
classification | string | null | The sensitivity of the data; should match company data classification scheme Examples: critical, confidential, internal, public | |
complianceStatus | number | The compliance status of the entity, as a percentage of compliancy. | minimum: 0, maximum: 1 |
createdBy | string | The source/principal/user that created the entity | |
createdOn | number | The timestamp (in milliseconds since epoch) when the entity was created at the source. This is different than _createdOn which is the timestamp the entity was first ingested into JupiterOne. | Format: date-time |
criticality | integer | A number that represents the value or criticality of this entity, on a scale between 1-10. | minimum: 1, maximum: 10 |
deletedBy | string | The source/principal/user that deleted the entity | |
deletedOn | number | The timestamp (in milliseconds since epoch) when the entity was deleted at the source. | Format: date-time |
description | string | An extended description of this entity. | |
discoveredBy | string | The source/principal/user that discovered the entity | |
discoveredOn | number | The timestamp (in milliseconds since epoch) when the entity was discovered. | Format: date-time |
expiresOn | number | If the entity is a temporary resource, optionally set the expiration date. For example, the expiration date of an SSL cert. | Format: date-time |
id | string | array | Identifiers of this entity assigned by the providers. Values are expected to be unique within the provider scope. | |
notes | array of strings | User provided notes about this entity | |
public | boolean | Indicates if this is a public-facing resource (e.g. a public IP or public DNS record) or if the entity is publicly accessible. Default is false. | |
risk | integer | The risk level of this entity, on a scale between 1-10. | minimum: 1, maximum: 10 |
status | string | Status of this entity set by the external source system or by a user, e.g. Active, Inactive, Decommissioned Examples: active, inactive, suspended, terminated, open, closed, pending, unknown, other | |
summary | string | A summary / short description of this entity. | |
tags | array of strings | An array of unnamed tags | |
temporary | boolean | Indicates if this node is a temporary resource, such as a lambda instance or an EC2 instance started by ECS. | |
trust | integer | The trust level of this entity, on a scale between 1-10. | minimum: 1, maximum: 10 |
trusted | boolean | Indicates if this is a trusted resource. For example, a trusted Network, Host, Device, Application, Person, User, or Vendor. | |
updatedBy | string | The source/principal/user that updated the entity | |
updatedOn | number | The timestamp (in milliseconds since epoch) when the entity was last updated at the source. | Format: date-time |
validated | boolean | Indicates if this node has been validated as a known/valid Entity. | |
webLink | string | Web link to the source. For example: https://console.aws.amazon.com/iam/home#/roles/Administrator. This property is used by the UI to add a hyperlink to the entity. | Format: uri |
Required properties
_key_class_typenamedisplayName