NHI Compliance

Compliance Reports

Generate point-in-time compliance reports for SOC 2 audits, security reviews, and internal governance. Everything your auditor needs about non-human identity access controls, monitoring, and lifecycle management — in a single JSON document.

Team plan | Admin / Owner only

Quick Start

Generate a compliance report covering the last 90 days in any of three ways. All three require an Admin or Owner session (see Prerequisites).

CLI

  # Human-readable output
  secr nhi compliance

  # JSON for auditors
  secr nhi compliance --json > report.json

  # Custom period (30 days)
  secr nhi compliance --period 30 --json

Dashboard

  Navigate to NHI → Compliance tab, select the reporting period, then click "Download JSON".

API

  GET /v1/nhi/:orgId/compliance/report?period=90

  # Returns: ApiNhiComplianceReport JSON (same document the CLI writes with --json)

What's in the Report

Each report contains 7 sections designed to map directly to SOC 2 trust service criteria and common auditor questions.

1. Identity Inventory

Complete census of every NHI in your organization.

  • Total count by type (machine token, agent, OIDC)
  • Status breakdown (active, disabled, expired, revoked)
  • Permission distribution (read vs read_write)
  • Period activity: created, revoked, and disabled counts

Auditor question: How many machine identities exist and what is their current status?

2. Access Control

Policy enforcement and least-privilege analysis.

  • Active policies and enforcement status
  • Read-only vs read-write breakdown
  • Production read-write count (high-privilege identities)
  • Conditional access usage: IP, time, and user-agent restrictions
  • Scope analysis: project-scoped, environment-scoped, or org-wide

Auditor question: Are machine credentials following least-privilege principles?

3. Lifecycle Management

Token age, expiration coverage, and rotation health.

  • Age distribution: <30d, 30-90d, 90-180d, >180d
  • Expiration coverage percentage
  • Average and oldest active token age
  • Tokens rotated within the reporting period

Auditor question: Are credentials being rotated regularly? Do they have expiration dates?

4. Monitoring & Detection

Anomaly detection metrics and response times.

  • Total anomalies by type (volume spike, new source, unusual time, new secret access)
  • Severity distribution (low, medium, high, critical)
  • Acknowledgement rate (%)
  • Mean Time to Acknowledge (MTTA) in hours
  • Active behavioral baselines count

Auditor question: Is unusual activity being detected and investigated promptly?

5. Posture Score

Overall security health score with dimensional breakdown.

  • 0-100 overall score
  • 5 dimensions: Ownership, Staleness, Privilege, Rotation, Expiration
  • Per-dimension issues list
  • Actionable recommendations

Auditor question: What is the overall security posture of machine identities?

6. Credential Audit

External credentials stored in secr and their rotation status.

  • Total secrets vs recognized external credentials
  • Overdue-for-rotation count
  • Breakdown by category (cloud, payment, database, email, etc.)

Auditor question: Are third-party credentials being rotated per vendor recommendations?

7. Audit Trail Summary

NHI activity in the audit log during the reporting period.

  • Total NHI-attributed events
  • Events by action type
  • Unique NHI actors and IP addresses
  • Top 5 most active NHI actors
  • Access denied events

Auditor question: What have machine identities been doing and from where?

SOC 2 Mapping

The report sections map to the SOC 2 Trust Services Criteria that auditors most often ask about for machine identities. The mapping below is secr's own and is a starting point, not an auditor's determination; for a Type II engagement, also make sure the reporting period covers the audit window (see Reporting Period).

SOC 2 Criterion                  | Report Section
---------------------------------|-----------------------------------------------------
CC6.1 - Logical access controls  | Identity Inventory, Access Control
CC6.2 - Credential management    | Lifecycle Management, Credential Audit
CC6.3 - Access removal           | Identity Inventory (revoked/disabled counts)
CC7.2 - System monitoring        | Monitoring & Detection
CC7.3 - Incident response        | Monitoring & Detection (MTTA, acknowledgement rate)
CC8.1 - Change management        | Audit Trail Summary

Anomaly Detection

The compliance report draws on secr's continuous anomaly detection engine. secr builds a behavioral baseline for each NHI entity (request volume, source IPs and user agents, operating hours, secrets read) and flags deviations automatically.

Anomaly type       | Severity     | Trigger
-------------------|--------------|------------------------------------------------------
Volume spike       | Medium-High  | Request count exceeds 3x the baseline maximum
New source         | Medium-High  | Request from an IP or user agent never seen before
Unusual time       | Low-Medium   | Activity outside the entity's normal operating hours
New secret access  | Medium       | Entity accessed a secret key it has never read before

When anomalies are detected, they appear in the dashboard and can be acknowledged by admins, which creates an audit trail of incident investigation. The compliance report aggregates the acknowledgement rate and Mean Time to Acknowledge (MTTA) as its incident response metrics. Both measure triage speed (how quickly someone looked), not remediation, so pair them with the revoked/disabled counts in the Identity Inventory when answering "what was done about it".
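The four rules above, run over a constructed access log, as an added example. This is not secr's detection engine: the baseline shape, the exact severity picked within each rule's stated range, the one-alert-per-distinct-trigger de-duplication, the event/anomaly field names and the sample data are all assumptions made here. The `response_metrics` helper shows how an acknowledgement rate and MTTA can be derived from anomaly records once admins acknowledge them.

```python
"""Illustration of the anomaly rules described on this page (added example, not secr's code)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline for one NHI entity: what a learned behavioral baseline might hold.
BASELINE = {
    "max_requests_per_hour": 40,
    "known_ips": {"10.0.1.5", "10.0.1.6"},
    "known_user_agents": {"secr-cli/1.4"},
    "active_hours_utc": range(6, 20),        # normal operating window, 06:00-19:59 UTC
    "known_secrets": {"DATABASE_URL", "STRIPE_KEY"},
}


def normal(ts, secret="DATABASE_URL"):
    """A baseline-conforming event (constructed)."""
    return {"ts": ts, "ip": "10.0.1.5", "ua": "secr-cli/1.4", "secret": secret}


# Constructed access log: a quiet daytime hour, then a burst at 22:00 UTC that includes
# one request from an unknown host reading a secret this entity has never touched.
EVENTS = [normal("2026-03-20T10:%02d:00Z" % m, "STRIPE_KEY") for m in (5, 17, 42)]
EVENTS += [normal("2026-03-20T22:%02d:00Z" % (i % 60)) for i in range(130)]
EVENTS.append({"ts": "2026-03-20T22:31:00Z", "ip": "203.0.113.9",
               "ua": "curl/8.6.0", "secret": "AWS_SECRET_ACCESS_KEY"})


def detect(events, baseline):
    """Apply the four rules; returns one anomaly per distinct trigger (assumed de-dup rule)."""
    anomalies = []
    limit = 3 * baseline["max_requests_per_hour"]       # "exceeds 3x the baseline maximum"
    by_hour = defaultdict(list)
    for e in events:
        by_hour[e["ts"][:13]].append(e)                  # bucket key "YYYY-MM-DDTHH"
    seen_sources, seen_secrets = set(), set()

    for hour, evs in sorted(by_hour.items()):
        off_hours = int(hour[11:13]) not in baseline["active_hours_utc"]
        if len(evs) > limit:                             # volume spike: medium, high beyond 6x
            anomalies.append({"type": "volume_spike",
                              "severity": "high" if len(evs) > 2 * limit else "medium",
                              "detail": f"{len(evs)} requests in {hour}Z, baseline max "
                                        f"{baseline['max_requests_per_hour']}/h"})
        if off_hours:                                    # unusual time: low, medium if it is also a spike
            anomalies.append({"type": "unusual_time",
                              "severity": "medium" if len(evs) > limit else "low",
                              "detail": f"activity at {hour}Z outside normal hours"})
        for e in evs:
            for field, known in (("ip", "known_ips"), ("ua", "known_user_agents")):
                if e[field] not in baseline[known] and (field, e[field]) not in seen_sources:
                    seen_sources.add((field, e[field]))   # new source: high when off-hours
                    anomalies.append({"type": "new_source",
                                      "severity": "high" if off_hours else "medium",
                                      "detail": f"first request from {field}={e[field]} at {e['ts']}"})
            if e["secret"] not in baseline["known_secrets"] and e["secret"] not in seen_secrets:
                seen_secrets.add(e["secret"])            # new secret access: medium
                anomalies.append({"type": "new_secret_access", "severity": "medium",
                                  "detail": f"first read of {e['secret']} at {e['ts']}"})
    return anomalies


def summarize(anomalies):
    """The two roll-ups the report's Monitoring & Detection section carries."""
    return {"byType": dict(Counter(a["type"] for a in anomalies)),
            "bySeverity": dict(Counter(a["severity"] for a in anomalies))}


def response_metrics(records):
    """Acknowledgement rate (%) and MTTA (hours) over records carrying detectedAt and,
    once an admin has acted, acknowledgedAt (ISO-8601 UTC; field names assumed)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    if not records:
        return 0.0, None
    acked = [r for r in records if r.get("acknowledgedAt")]
    rate = round(100 * len(acked) / len(records), 1)
    if not acked:
        return rate, None                                # nothing acknowledged: MTTA undefined
    hours = [(datetime.strptime(r["acknowledgedAt"], fmt)
              - datetime.strptime(r["detectedAt"], fmt)).total_seconds() / 3600 for r in acked]
    return rate, round(sum(hours) / len(hours), 2)


if __name__ == "__main__":
    found = detect(EVENTS, BASELINE)
    for a in found:
        print(f"{a['severity']:6} {a['type']:18} {a['detail']}")
    print(summarize(found))
```

On the constructed log this yields five anomalies for the 22:00 bucket (a volume spike, an unusual-time alert, two new-source alerts for the unknown IP and user agent, and one new-secret-access alert) and nothing for the daytime hour. Emitting one alert per distinct trigger rather than per event is what keeps a 130-request burst from producing 130 unusual-time alerts.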

Reporting Period

The period parameter controls how far back the report looks. It affects:

  • Identities created, revoked, or disabled “in period”
  • Rotation statistics (tokens revoked within the window)
  • Audit trail event filtering

Valid range: 1-365 days. Default: 90 days. Values outside this range are clamped to the nearest bound rather than rejected, so check reportPeriodDays in the output to confirm the window that was actually used. Common choices:

  • 30d: monthly review
  • 90d: quarterly audit (default)
  • 365d: annual compliance

Report Structure

The JSON report follows the ApiNhiComplianceReport schema:

Report JSON (abbreviated)
{
  "generatedAt": "2026-03-21T12:00:00.000Z",
  "orgId": "uuid",
  "reportPeriodDays": 90,
  "periodStart": "2025-12-21T12:00:00.000Z",
  "periodEnd": "2026-03-21T12:00:00.000Z",

  "identityInventory": {
    "totalIdentities": 18,
    "byType": { "machine_token": 12, "agent": 4, "oidc": 2 },
    "byStatus": { "active": 14, "disabled": 2, "revoked": 2 },
    "createdInPeriod": 5,
    "revokedInPeriod": 2,
    ...
  },
  "accessControl": {
    "policyCount": 3,
    "enforcedPolicyCount": 2,
    "leastPrivilegeAnalysis": { "readOnly": 10, "readWrite": 4, "productionReadWrite": 1 },
    ...
  },
  "lifecycleManagement": {
    "tokenAgeDistribution": { "under30d": 5, "d30to90": 4, "d90to180": 3, "over180d": 2 },
    "expirationCoverage": 86,
    ...
  },
  "monitoringDetection": {
    "anomalyTotal": 7,
    "acknowledgementRate": 85,
    "meanTimeToAcknowledgeHours": 2.5,
    ...
  },
  "postureScore": {
    "overallScore": 78,
    "dimensions": [ ... ],
    "recommendations": [ ... ]
  },
  "credentialAudit": { ... },
  "auditTrailSummary": { ... }
}
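A consumer for that document, as an added example: a small governance gate that reads the JSON produced by `secr nhi compliance --json` (or the API endpoint in Quick Start), checks the evidence for internal consistency, and applies an organisation's own thresholds. It is not secr's tooling. The thresholds in POLICY are assumptions, the embedded report reuses the sample values from the abbreviated schema above, and only field names shown there are read (the elided sections are left alone).

```python
"""Governance gate over an ApiNhiComplianceReport (added example, not secr's own tooling)."""
import json
import sys
from datetime import datetime

# Constructed report using the sample values from the abbreviated schema on this page.
SAMPLE_REPORT = """{
  "generatedAt": "2026-03-21T12:00:00.000Z",
  "orgId": "00000000-0000-0000-0000-000000000000",
  "reportPeriodDays": 90,
  "periodStart": "2025-12-21T12:00:00.000Z",
  "periodEnd": "2026-03-21T12:00:00.000Z",
  "identityInventory": {
    "totalIdentities": 18,
    "byType": {"machine_token": 12, "agent": 4, "oidc": 2},
    "byStatus": {"active": 14, "disabled": 2, "revoked": 2},
    "createdInPeriod": 5, "revokedInPeriod": 2
  },
  "accessControl": {
    "policyCount": 3, "enforcedPolicyCount": 2,
    "leastPrivilegeAnalysis": {"readOnly": 10, "readWrite": 4, "productionReadWrite": 1}
  },
  "lifecycleManagement": {
    "tokenAgeDistribution": {"under30d": 5, "d30to90": 4, "d90to180": 3, "over180d": 2},
    "expirationCoverage": 86
  },
  "monitoringDetection": {"anomalyTotal": 7, "acknowledgementRate": 85, "meanTimeToAcknowledgeHours": 2.5},
  "postureScore": {"overallScore": 78, "dimensions": [], "recommendations": []}
}"""

# Assumed internal thresholds; tune these to your own control objectives.
POLICY = {"min_posture_score": 80, "max_production_read_write": 0, "min_expiration_coverage": 100,
          "max_tokens_over_180d": 0, "min_acknowledgement_rate": 90, "max_mtta_hours": 24}


def load_report(text):
    return json.loads(text)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")   # report timestamps are UTC ISO-8601


def consistency_errors(report):
    """Sanity-check the evidence before trusting its metrics."""
    errors = []
    inv = report["identityInventory"]
    if sum(inv["byType"].values()) != inv["totalIdentities"]:
        errors.append("byType counts do not sum to totalIdentities")
    if sum(inv["byStatus"].values()) != inv["totalIdentities"]:
        errors.append("byStatus counts do not sum to totalIdentities")
    span = _ts(report["periodEnd"]) - _ts(report["periodStart"])
    if span.days != report["reportPeriodDays"]:
        errors.append(f"period spans {span.days} days but reportPeriodDays is {report['reportPeriodDays']}")
    return errors


def evaluate(report, policy=POLICY):
    """Findings where the report misses the thresholds; control labels follow the SOC 2 mapping above."""
    findings = []

    def flag(control, severity, message):
        findings.append({"control": control, "severity": severity, "message": message})

    ac, lp = report["accessControl"], report["accessControl"]["leastPrivilegeAnalysis"]
    if ac["enforcedPolicyCount"] < ac["policyCount"]:
        flag("CC6.1", "medium", f"{ac['policyCount'] - ac['enforcedPolicyCount']} of {ac['policyCount']} policies not enforced")
    if lp["productionReadWrite"] > policy["max_production_read_write"]:
        flag("CC6.1", "high", f"{lp['productionReadWrite']} identities hold read_write on production")
    lc = report["lifecycleManagement"]
    if lc["expirationCoverage"] < policy["min_expiration_coverage"]:
        flag("CC6.2", "medium", f"expiration coverage is {lc['expirationCoverage']}%")
    if lc["tokenAgeDistribution"]["over180d"] > policy["max_tokens_over_180d"]:
        flag("CC6.2", "medium", f"{lc['tokenAgeDistribution']['over180d']} active tokens older than 180 days")
    md = report["monitoringDetection"]
    if md["acknowledgementRate"] < policy["min_acknowledgement_rate"]:
        flag("CC7.3", "medium", f"only {md['acknowledgementRate']}% of {md['anomalyTotal']} anomalies acknowledged")
    if md["meanTimeToAcknowledgeHours"] > policy["max_mtta_hours"]:
        flag("CC7.3", "high", f"MTTA is {md['meanTimeToAcknowledgeHours']}h")
    score = report["postureScore"]["overallScore"]
    if score < policy["min_posture_score"]:
        flag("posture", "low", f"posture score {score} is below {policy['min_posture_score']}")
    return findings


def main(path=None):
    """Exit 1 on inconsistent evidence or any high finding, so this can gate a CI or governance job."""
    report = load_report(open(path).read() if path else SAMPLE_REPORT)
    errors = consistency_errors(report)
    for e in errors:
        print(f"INCONSISTENT: {e}")
    findings = evaluate(report)
    for f in findings:
        print(f"[{f['severity']:6}] {f['control']}: {f['message']}")
    return 1 if errors or any(f["severity"] == "high" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python gate.py report.json` after `secr nhi compliance --json > report.json`. The consistency checks matter as much as the thresholds: a report whose status counts do not add up, or whose period does not match reportPeriodDays, is not evidence you want to hand to an auditor. On the sample values it reports six findings, one of them high (a production read_write identity), and exits non-zero.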

Prerequisites

Team plan or above

Compliance reports require the NHI Anomaly Detection feature, available on Team ($14/seat/mo) and Enterprise plans.

Admin or Owner role

Only org admins and owners can generate compliance reports. Developer-role users receive a 403 error.

NHI entities

The report generates valid output even with zero entities, but it's most useful once you have machine tokens, agents, or OIDC identities configured.

Audit-ready in minutes

Stop assembling evidence manually. Generate a complete NHI compliance report with one command.