Imagine I have a view that takes a model of type employee. Employee is defined like so: Employee{ ID int, Employee Name string } If I wanted to update an employee in the database I have to pass the model to the action. UpdateEmployee(Employee emp) Defining the employee ID in a hidden field would be a security risk wouldn't it? Someone could easily go into the inspector and pass whatever ID they like and the information will be updated for that employee.