
What breaks when identity governance focuses only on account counts?

When governance focuses only on account counts, teams miss the identities that can actually reach sensitive data or production systems. A small set of highly privileged service accounts can create far more risk than a large inventory of low-impact identities. Exposure analysis must replace raw inventory as the primary risk signal.

Why This Matters for Security Teams

Counting accounts creates a false sense of coverage because it measures inventory, not exposure. A low-volume set of service accounts, API keys, or agent identities can have direct paths to production data, deployment pipelines, and secrets. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges. That gap is why raw counts routinely miss the identities that matter most.

The real governance question is which identities can reach sensitive systems, what they can do once inside, and how quickly that access can be revoked. The Ultimate Guide to NHIs shows why lifecycle controls, rotation, and offboarding matter more than inventory alone, and the NIST Cybersecurity Framework 2.0 reinforces that governance must tie assets and identities to risk outcomes. In practice, many security teams encounter the exposure problem only after a privileged token has already been used to reach production, rather than through intentional discovery.

How It Works in Practice

Effective governance starts by shifting from account counts to exposure analysis. That means mapping every non-human identity to the systems it can touch, the secrets it can use, and the privilege boundaries it crosses. Start with service accounts, CI/CD credentials, cloud roles, and agent identities, then classify them by blast radius instead of by presence in a directory.

A practical workflow usually includes four steps:

  • Inventory identities, but enrich each one with owner, purpose, expiry, and connected assets.
  • Measure reachability to crown-jewel data, production control planes, and secret stores.
  • Flag standing privilege, long-lived secrets, and orphaned accounts for remediation.
  • Review activity, not just existence, so dormant high-risk identities are not treated as harmless.

This is where NHIMG research is especially useful. The Top 10 NHI Issues and 52 NHI Breaches Analysis both show that secrets exposure and excessive privilege drive most real-world incidents. Current guidance suggests pairing that analysis with the NIST Cybersecurity Framework 2.0 to translate identity visibility into asset protection, access control, and continuous monitoring. The most useful metric is not how many identities exist, but how many can still reach something important after a compromise. These controls tend to break down when identity data is fragmented across cloud, CI/CD, and secrets tooling because no single system can show effective access end to end.
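The four-step workflow above, worked through as an added example that is not part of the original article or NHIMG's own tooling. It builds an identity-to-role-to-resource graph over a constructed inventory, computes which identities can transitively reach crown-jewel assets, and then applies the flags the workflow calls out (standing privilege, long-lived secrets, orphaned accounts, dormant-but-reachable identities). Every identity, role, resource and threshold is a hypothetical placeholder; the point is that the headline metric is the size of the exposure report, not the size of the inventory.

```python
"""Exposure analysis over a constructed NHI inventory (illustrative, not real data)."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
MAX_SECRET_AGE = timedelta(days=90)                # assumed rotation policy
DORMANT_AFTER = timedelta(days=60)                 # assumed dormancy threshold

@dataclass
class NHI:
    name: str
    owner: str | None          # None = orphaned
    purpose: str
    roles: list[str]
    secret_created: datetime
    expires: datetime | None   # None = standing, non-expiring credential
    last_used: datetime | None

# Constructed inventory: four identities, only two of which reach anything important.
INVENTORY = [
    NHI("ci-deployer", "platform-team", "deploy pipeline", ["deploy"],
        NOW - timedelta(days=200), None, NOW - timedelta(days=1)),
    NHI("metrics-reader", "sre", "dashboards", ["read-metrics"],
        NOW - timedelta(days=10), NOW + timedelta(hours=1), NOW),
    NHI("legacy-etl", None, "unknown", ["db-admin"],
        NOW - timedelta(days=800), None, NOW - timedelta(days=400)),
    NHI("support-bot", "support", "ticket triage", ["read-tickets"],
        NOW - timedelta(days=5), NOW + timedelta(days=1), NOW),
]

# Role -> resources it grants, and resource -> further resources it exposes
# (e.g. a control plane exposes its secret store). All edges are constructed.
ROLE_GRANTS = {
    "deploy": ["prod-k8s"],
    "read-metrics": ["metrics-db"],
    "db-admin": ["customer-db"],
    "read-tickets": ["ticket-db"],
}
RESOURCE_EDGES = {
    "prod-k8s": ["prod-secrets"],      # cluster control plane reaches its secret store
    "prod-secrets": ["customer-db"],   # the store holds the customer DB credential
}
CROWN_JEWELS = {"customer-db", "prod-k8s", "prod-secrets"}

def reachable(nhi: NHI) -> set[str]:
    """Transitive closure (BFS) of resources reachable from an identity's roles."""
    seen: set[str] = set()
    queue: deque[str] = deque()
    for role in nhi.roles:
        queue.extend(ROLE_GRANTS.get(role, []))
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(RESOURCE_EDGES.get(r, []))
    return seen

def findings(nhi: NHI, now: datetime = NOW) -> list[str]:
    """Remediation reasons for one identity; empty if it reaches nothing important."""
    out: list[str] = []
    jewels = reachable(nhi) & CROWN_JEWELS
    if not jewels:
        return out                   # low-impact identity: counted, but not exposure
    out.append(f"reaches crown jewels: {sorted(jewels)}")
    if nhi.expires is None:
        out.append("standing privilege (non-expiring credential)")
    if now - nhi.secret_created > MAX_SECRET_AGE:
        out.append(f"long-lived secret ({(now - nhi.secret_created).days} days old)")
    if nhi.owner is None:
        out.append("orphaned (no owner)")
    if nhi.last_used is None or now - nhi.last_used > DORMANT_AFTER:
        out.append("dormant but still able to reach sensitive systems")
    return out

def exposure_report(inventory: list[NHI], now: datetime = NOW) -> dict[str, list[str]]:
    """Identities with findings only; len(report) is the metric, not len(inventory)."""
    return {n.name: f for n in inventory if (f := findings(n, now))}

if __name__ == "__main__":
    report = exposure_report(INVENTORY)
    print(f"inventory size: {len(INVENTORY)}; "
          f"identities that can reach crown jewels: {len(report)}")
    for name, reasons in report.items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run as-is it reports four identities in inventory but only two in the exposure report. The orphaned, dormant `legacy-etl` account collects every flag despite never showing up as unusual in a count, and `ci-deployer` reaches the customer database indirectly through the cluster secret store, which is exactly the end-to-end path that fragmented cloud, CI/CD and secrets tooling fails to show.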

Common Variations and Edge Cases

Tighter exposure analysis often increases operational overhead, requiring organisations to balance precision against the cost of maintaining accurate identity metadata. That tradeoff matters most where infrastructure changes quickly and ownership is fluid, because stale labels can be almost as misleading as raw account counts.

There is no universal standard for this yet, but best practice is evolving in three directions. First, ephemeral identities and short-lived credentials should be treated differently from legacy service accounts because their risk changes by the minute. Second, agentic AI systems complicate the picture further: a single AI agent may chain tools, request new access at runtime, and expand its own reach in ways a count-based report will never show. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because it ties visibility to rotation and offboarding rather than static inventory alone. Third, environments with shared accounts or legacy mainframes may require temporary exceptions, but those exceptions should be documented by exposure and compensating control, not by headcount.
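The ephemeral-credential and agentic-AI points above, as an added example that is not from the original article or any NHIMG product. A count-based report sees one agent with one recorded grant; this code replays a constructed session log in which the agent chains tools and requests extra scopes at runtime, tracks which scopes are live at each moment while honouring the TTL of short-lived credentials, and records where effective reach exceeded the statically recorded grant or where a tool was invoked with a scope whose credential had already lapsed. The event format, scope names and TTLs are constructed, not any product's real log schema.

```python
"""Runtime reach of an agent identity versus its static grant record (constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)

# What the inventory records for the agent: a single read scope.
STATIC_GRANT = {"read:tickets"}

# Constructed session log: (offset seconds, event type, detail).
# 'grant' events carry a TTL; 'tool' events name the scope the tool call used.
SESSION_LOG = [
    (0,   "grant", {"scope": "read:tickets", "ttl_s": 3600}),
    (30,  "tool",  {"name": "search_tickets", "scope": "read:tickets"}),
    (60,  "grant", {"scope": "read:customer-db", "ttl_s": 300}),     # requested at runtime
    (90,  "tool",  {"name": "query_db", "scope": "read:customer-db"}),
    (400, "tool",  {"name": "query_db", "scope": "read:customer-db"}), # 40 s after TTL lapsed
    (420, "grant", {"scope": "write:deploy", "ttl_s": 600}),          # further runtime expansion
    (450, "tool",  {"name": "trigger_deploy", "scope": "write:deploy"}),
]

@dataclass
class Finding:
    at: datetime
    kind: str      # "escalation": scope granted beyond static record; "expired-use": tool ran on lapsed scope
    scope: str

def replay(log, static_grant: set[str], t0: datetime = T0) -> tuple[list[Finding], set[str]]:
    """Walk the log in time order, keeping only scopes whose TTL has not lapsed."""
    live: dict[str, datetime] = {}     # scope -> expiry instant
    found: list[Finding] = []
    peak: set[str] = set()             # every scope that was live at some point
    for off, kind, d in log:
        t = t0 + timedelta(seconds=off)
        live = {s: e for s, e in live.items() if e > t}   # expire short-lived credentials
        if kind == "grant":
            live[d["scope"]] = t + timedelta(seconds=d["ttl_s"])
            if d["scope"] not in static_grant:
                found.append(Finding(t, "escalation", d["scope"]))
            peak |= set(live)
        elif kind == "tool" and d["scope"] not in live:
            # Either the call was denied (good) or TTL is not actually enforced (bad); either way, review it.
            found.append(Finding(t, "expired-use", d["scope"]))
    return found, peak

def summarise(found: list[Finding], peak: set[str], static_grant: set[str]) -> dict:
    """The figures a count-based report cannot produce."""
    return {
        "static_scopes": len(static_grant),
        "peak_effective_scopes": len(peak),
        "runtime_escalations": sorted(f.scope for f in found if f.kind == "escalation"),
        "use_after_expiry": sorted({f.scope for f in found if f.kind == "expired-use"}),
    }

if __name__ == "__main__":
    found, peak = replay(SESSION_LOG, STATIC_GRANT)
    for k, v in summarise(found, peak, STATIC_GRANT).items():
        print(f"{k}: {v}")
```

The static record says one scope; the replay shows the agent's effective reach peaked at three, two of them granted only at runtime, and one tool call that used a scope after its short-lived credential should have expired. That last finding is the check to keep: if the call succeeded, the TTL that makes the credential "ephemeral" is not actually being enforced downstream.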

Where organisations still rely on counts as the primary KPI, the result is usually hidden privilege sprawl, delayed revocation, and missed lateral movement opportunities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Addresses NHI inventory and visibility gaps that count-based governance misses.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access control depends on exposure, not simple account counts.
NIST AI RMF                      |                     | AI risk governance requires understanding real system impact from autonomous identities.

Enrich every NHI record with owner, purpose, privilege, and expiry instead of tracking totals only.