
How Graph Fibrations Revolutionize Non-Human Identity Management in Modern Clouds

4 min read
#cloud security #IAM

Introduction

The recent paper Non Human Identities Management using Fibrations in Azure, GCP and AWS by Christophe Parisel provides a groundbreaking approach to managing the escalating complexity of Non-Human Identities (NHIs) in enterprise cloud environments. NHIs—such as service principals, managed identities, and service accounts—now outnumber human identities, creating sprawling permission graphs that traditional IAM and CIEM systems struggle to analyze at scale.

Why managing NHIs demands new thinking

Parisel’s work highlights the fundamental challenge: native cloud IAM graphs grow super-linearly with NHIs and are optimized for transactional APIs, not the analytical queries security teams need for risk assessment and governance. This leads to issues like:

  • Orphaned or overprivileged NHIs accumulating unnoticed.
  • Native APIs offering limited querying capabilities for permission audits.
  • Disparate cloud providers (Azure, AWS, GCP) with isomorphic but syntactically different IAM graph structures.

Industry trends also recognize this complexity with terms like Machine Identity Management (MIM) and Non-Human Identity Management (NHIM), all pointing toward a need for scalable and automated governance beyond legacy identity paradigms.

Enter the power of graph fibrations

Parisel introduces graph fibrations, a mathematically rigorous method to compress IAM graphs by grouping principals with equivalent permission profiles—called “fibers”—while preserving key security semantics such as permission blast radius and hierarchical scope awareness. The method:

  • Abstracts resource scopes to hierarchy depth levels (e.g., subscription, resource group), ignoring specific identifiers.
  • Maps principals to sets of (role, depth) pairs representing effective permissions.
  • Uses an algorithm (Fast Fibration Partitioning) to partition this bipartite principal-permission graph into equivalence classes.

This yields compression ratios up to 25:1 in large enterprises, massively reducing audit and remediation scope without loss of fidelity.

Why depth abstraction matters

Ignoring exact scope IDs but preserving their depth captures actual risk: a principal with Owner rights on a whole subscription presents a different risk profile than one with Owner rights on a single resource group. Parisel’s abstraction enables grouping all functionally identical principals together, even across hundreds of replicated environments.

Bridging theory with practice

The paper also describes production-ready open-source tools—Azure Silhouette and fastFibration—that implement this approach for Azure environments, enabling rapid IAM graph enrichment, group expansion, and fibration computation.

Positioning fibrations in the broader ecosystem

Compared to commercial CIEM and NHIM platforms (e.g., by IBM, Wiz, CrowdStrike), which emphasize behavioral telemetry and visualization, graph fibrations offer a complementary structural compression and equivalence layer anchored in formal graph theory. This foundational step is critical for scalable multi-cloud governance and consistent risk analytics.

What it means for security teams

By adopting fibrations, security teams can:

  • Manage “monster fibers” with thousands of similar identities en masse.
  • Detect unique singletons indicating anomalous or risky NHIs.
  • Track permission drift longitudinally via fiber membership changes.
  • Harmonize governance across Azure, AWS, and GCP using a common hierarchical scope abstraction.
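To make the method concrete, here is an added Python sketch (not code from the paper or from Azure Silhouette / fastFibration) that walks the three steps above and the team workflow just listed: it reduces scopes to hierarchy depth, builds each principal's (role, depth) signature, groups identical signatures into fibers, then reports compression ratio, singletons and drift between two snapshots. The role assignments are constructed sample data, and grouping by identical signature is a simplification of the paper's Fast Fibration Partitioning.

```python
from collections import defaultdict

# Constructed sample of Azure-style role assignments as (principal, role, scope).
# Scope identifiers are used only to derive hierarchy depth, then discarded.
ASSIGNMENTS = [
    ("sp-build-01", "Contributor", "/subscriptions/S1/resourceGroups/RG-a"),
    ("sp-build-02", "Contributor", "/subscriptions/S2/resourceGroups/RG-b"),
    ("sp-build-03", "Contributor", "/subscriptions/S3/resourceGroups/RG-c"),
    ("mi-app-01", "Reader", "/subscriptions/S1"),
    ("mi-app-02", "Reader", "/subscriptions/S2"),
    ("sp-legacy", "Owner", "/subscriptions/S1"),    # Owner on a whole subscription
    ("sp-build-01", "Reader", "/subscriptions/S1"),  # second assignment, same principal
]

def scope_depth(scope):
    """Depth of a subscription-rooted scope path: each (type, id) segment pair
    is one level, so /subscriptions/S -> 1, .../resourceGroups/RG -> 2."""
    segments = [s for s in scope.split("/") if s]
    return len(segments) // 2

def principal_signatures(assignments):
    """Map each principal to its effective-permission set of (role, depth) pairs."""
    sigs = defaultdict(set)
    for principal, role, scope in assignments:
        sigs[principal].add((role, scope_depth(scope)))
    return {p: frozenset(s) for p, s in sigs.items()}

def fibrate(assignments):
    """Partition principals into fibers: identical signature -> same fiber.
    Simplified equivalence; not the paper's Fast Fibration Partitioning."""
    fibers = defaultdict(list)
    for principal, sig in sorted(principal_signatures(assignments).items()):
        fibers[sig].append(principal)
    return dict(fibers)

def compression_ratio(fibers):
    """Principals per fiber: how much the audit scope shrinks."""
    return sum(len(ps) for ps in fibers.values()) / len(fibers)

def singletons(fibers):
    """Fibers of size one: principals with no peer, worth a closer look."""
    return sorted(ps[0] for ps in fibers.values() if len(ps) == 1)

def permission_drift(old_assignments, new_assignments):
    """Principals whose fiber membership changed between two snapshots."""
    old = principal_signatures(old_assignments)
    new = principal_signatures(new_assignments)
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
```

On the sample data this yields four fibers for six principals (ratio 1.5), two singletons, and flags sp-build-01 as drifted once its extra Reader assignment appears.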

As NHIs rapidly multiply with AI workloads and automation, Parisel’s work paves a practical path to tame this complexity and safeguard cloud estates at scale.

Noteworthy Resources