Durable synthetic identity
A durable synthetic identity is a non-human, team-owned identity that scheduled or asynchronous workloads execute under. Unlike a human identity, it doesn't change teams, go on vacation, or leave the company — making it resilient to the organizational fluidity that breaks human-tied workflows at scale.
Definition
The key properties distinguishing a durable synthetic identity from a human identity used in on-behalf-of (OBO) patterns:
| Property | Human identity (OBO) | Durable synthetic identity |
|---|---|---|
| Lifecycle | Tied to individual employee tenure | Tied to team/project lifetime |
| Stability | Breaks on role change, reorg, departure | Survives all personnel changes |
| Ownership | Single person | Team-owned, transferable |
| Auditability | Actions attributed to person, not purpose | Actions attributed to logical project |
Canonical implementation
At Netflix, each Data Project is provisioned with a Netflix application identity (and optionally an AWS IAM role). Workflow orchestrators like Maestro (systems/netflix-maestro), designated a Trusted Workload Manager, mint fresh tokens against this identity when executing workloads. The identity belongs to the project, not to any person (Source: sources/2026-06-19-netflix-data-projects-managing-data-assets-at-netflix-scale).
Relationship to workload identity
Workload identity (concepts/workload-identity) names the logical unit of software running on a host. A durable synthetic identity is the authorization substrate that workload identities execute under: it answers "who is allowed to do this?" rather than "which process is doing it?"