By NHI Mgmt Group Editorial Team
Published 2026-04-30
Domain: Agentic AI & NHIs
Source: SailPoint

TL;DR: Higher education faces identity-driven exposure because access often outlives roles, is granted through fragmented systems, and now extends to non-human identities and AI agents, according to SailPoint. The governing problem is not openness itself but the absence of adaptive lifecycle control, visibility, and least privilege across distributed campus environments.


At a glance

What this is: This blog argues that higher education’s openness creates identity risk when access is not continuously governed across students, staff, collaborators, and AI agents.

Why it matters: It matters because universities need to preserve academic flexibility while preventing over-permissioned NHI and human access from becoming the primary breach path.

👉 Read SailPoint's analysis of adaptive identity risks in higher education


Context

Higher education identity risk starts with a basic governance mismatch: institutions are built for openness, but identity controls are often built for stable employee populations. Universities instead manage constant onboarding and offboarding, overlapping roles, external collaborators, and increasingly non-human identities. That creates a first-order NHI governance problem, because access can remain valid long after the reason for it has ended.

The article’s central claim is that identity security has moved from administration to strategy, especially where AI agents, contractors, and visiting researchers share the same access fabric. That is typical of campus environments, not an edge case, which is why manual approvals and local exceptions fail at scale. The operational question is whether institutions can prove access is still justified at the moment it matters.


Key questions

Q: How should universities govern non-human identities without slowing collaboration?

A: Universities should govern non-human identities by tying every credential to an owner, purpose, and expiry condition. Collaboration stays intact when access is granted quickly but reviewed continuously, with automated revocation when the task or affiliation ends. The goal is not fewer collaborators, but fewer credentials that survive beyond need.

Q: Why do shared accounts create such a large security problem in higher education?

A: Shared accounts remove attribution, weaken accountability, and make it hard to prove whether access is still legitimate. In higher education, they become especially risky because labs, research groups, and specialist systems often rely on them for convenience. That convenience hides misuse until after the damage is done.

Q: What is the difference between access review and lifecycle governance for NHI risk?

A: Access review checks whether permissions still look reasonable at a point in time, while lifecycle governance manages the entire identity from creation to offboarding. For NHI risk, lifecycle governance is stronger because it catches stale credentials, expired projects, and forgotten service accounts before they become long-lived exposure.

Q: When should institutions treat AI agents as identities rather than tools?

A: Institutions should treat AI agents as identities when the agent can authenticate, call APIs, move data, or take action without a person supervising each step. At that point, the agent affects access decisions and must be governed with the same ownership, logging, and revocation discipline as other non-human identities.


Technical breakdown

Why campus identity sprawl creates persistent NHI risk

Higher education environments accumulate identities faster than most sectors because affiliation changes are frequent and access needs vary by project, term, and research group. Non-human identities make this harder because service accounts, scripts, and AI agents rarely leave clean offboarding trails. Once access is granted through a shared process, it can persist even after the task ends, the student graduates, or the external collaborator departs. The result is not just more identities, but more unowned access paths that are difficult to review, revoke, or explain during an incident or audit.

Practical implication: Map all identities to a lifecycle owner and require every account, token, or agent to have an explicit expiry condition.

How fragmented governance turns access by proxy into exposure

A fragmented model appears when central teams approve access but local teams maintain it inside individual applications. That creates access by proxy, where the approval path is separated from the enforcement path. In practice, the institution may know a user was entitled to access once, but not whether that access still matches role, project, or risk. This becomes especially dangerous for NHI governance because machine credentials are often embedded in tooling or delegated to teams outside central identity oversight. The technical failure is not only visibility, but the absence of authoritative lifecycle synchronization across systems.

Practical implication: Integrate authoritative sources and application controls so entitlement changes propagate automatically across the campus stack.

Why least privilege must extend to AI agents and shared accounts

Least privilege is straightforward in theory but hard in higher education because shared lab logins, temporary project roles, and autonomous agents all blur accountability. Shared accounts remove attribution, while AI agents can execute actions with permissions wider than the original human requester intended. This creates a wide identity blast radius when credentials are reused or embedded in workflows. The governance issue is not just who can log in, but what can be done once the credential is active. In NHI terms, the danger grows when static access is treated as operational convenience instead of an exposure multiplier.

Practical implication: Replace communal access with named identities, scoped entitlements, and task-limited credentials wherever the workflow allows.
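The section above asks for named identities, scoped entitlements and task-limited credentials for AI agents and scripts, and the practitioner list later on this page repeats the point. The following is an added example, not code from SailPoint or NHIMG, showing one way to mint such a credential and enforce it at runtime: the credential names the agent, the accountable human, the task, an explicit permission set and an expiry; issuance refuses any scope wider than the requester's own entitlements (so the agent cannot end up with more than the human intended); and every action is decided against that scope and recorded with attribution. All principals, tasks and resource paths are constructed for illustration.

```python
"""Added example (not SailPoint's or NHIMG's code): task-scoped credentials for an AI agent
or script, with delegation bounded by the requesting human's own entitlements.
Names, tasks and resource paths below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass(frozen=True)
class TaskCredential:
    token: str
    principal: str       # named agent/script identity, never a communal login
    requested_by: str    # accountable human who delegated the task
    task: str            # why the credential exists
    allowed: frozenset   # set of (action, resource_prefix) pairs
    expires_at: datetime


def covers(entitlements, action, resource):
    """True if some (action, prefix) entitlement permits `action` on `resource`."""
    return any(a == action and resource.startswith(prefix) for a, prefix in entitlements)


def issue_task_credential(principal, requested_by, task, allowed, ttl_minutes, now,
                          requester_entitlements):
    """Mint a credential bounded to one task and a short TTL.

    Delegated scope must sit inside what the requester is entitled to; otherwise the
    agent would act with wider permissions than the human could grant themselves."""
    for action, prefix in allowed:
        if not covers(requester_entitlements, action, prefix):
            raise ValueError(f"delegation exceeds requester entitlements: {action} {prefix}")
    return TaskCredential(
        token=secrets.token_urlsafe(16),
        principal=principal,
        requested_by=requested_by,
        task=task,
        allowed=frozenset(allowed),
        expires_at=now + timedelta(minutes=ttl_minutes),
    )


def authorize(cred, action, resource, now, audit):
    """Decide one action against the credential and append an attributed audit record."""
    if now >= cred.expires_at:
        decision, reason = False, "expired"
    elif covers(cred.allowed, action, resource):
        decision, reason = True, "in_scope"
    else:
        decision, reason = False, "out_of_scope"
    audit.append({
        "principal": cred.principal, "requested_by": cred.requested_by, "task": cred.task,
        "action": action, "resource": resource, "allowed": decision, "reason": reason,
        "at": now.isoformat(),
    })
    return decision


def run_example():
    """Constructed walk-through: a summariser agent delegated read-only access to one folder."""
    now = datetime(2026, 4, 30, 9, 0, tzinfo=timezone.utc)
    # Constructed entitlements of the requesting researcher.
    researcher = {("read", "research/genomics/"), ("write", "research/genomics/drafts/")}
    cred = issue_task_credential(
        "summariser-agent", "prof_ahmed", "summarise-genomics-drafts",
        {("read", "research/genomics/drafts/")}, ttl_minutes=30, now=now,
        requester_entitlements=researcher,
    )
    audit = []
    decisions = [
        authorize(cred, "read", "research/genomics/drafts/paper1.md", now, audit),   # in scope
        authorize(cred, "read", "student/records/2026.csv", now, audit),            # other system
        authorize(cred, "write", "research/genomics/drafts/paper1.md", now, audit), # not delegated
        authorize(cred, "read", "research/genomics/drafts/paper1.md",
                  now + timedelta(minutes=31), audit),                              # TTL elapsed
    ]
    return decisions, audit


def overdelegation_rejected():
    """True if issuing a credential wider than the requester's entitlements is refused."""
    now = datetime(2026, 4, 30, 9, 0, tzinfo=timezone.utc)
    try:
        issue_task_credential("exporter-agent", "grad_lee", "export-records",
                              {("write", "student/records/")}, 10, now,
                              requester_entitlements={("read", "research/genomics/")})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for entry in run_example()[1]:
        print(entry)
    print("over-delegation rejected:", overdelegation_rejected())
```

The audit record carries both the agent and the human who delegated the task, which is exactly the attribution a shared lab login loses; the write that the researcher could have performed themselves is still denied because it was not part of the delegated task.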


Threat narrative

Attacker objective: The objective is to exploit trusted campus identity relationships to reach sensitive research, student, or administrative data without needing noisier exploit chains.

  1. Entry occurs when attackers abuse legitimate credentials from a student, contractor, researcher, or over-permissioned non-human identity.
  2. Escalation follows when role sprawl, stale access, or shared accounts allow the attacker to move into broader institutional systems without triggering perimeter defenses.
  3. Impact comes when the attacker accesses research, teaching, or administrative systems as an insider, making detection and containment slower.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Adaptive identity is now the correct control model for higher education. Static rules fail when access changes every term, every project, and every collaboration cycle. Universities need governance that responds to affiliation, risk, and task context, not just initial approval. The practitioner conclusion is simple: if access cannot adapt, it will drift into exposure.

Higher education now has an identity blast radius problem, not just an access review problem. Once shared accounts, AI agents, and external collaborators are all part of the same environment, one stale entitlement can affect multiple systems and functions. That makes visibility and offboarding more valuable than more approval layers. The practical takeaway is to reduce the number of credentials that can outlive their purpose.

Shadow AI should be treated as an NHI governance issue, not a separate innovation issue. If unsanctioned tools or autonomous agents can move documents, call APIs, or act on behalf of staff, they are participating in the identity plane. That widens the control surface beyond traditional IAM reviews and into runtime governance. The practitioner conclusion is to inventory AI usage the same way you inventory other non-human identities.

Campus openness and security are not opposites when lifecycle controls are precise. The sector does not need blanket restriction to reduce risk. It needs continuous entitlement validation, authoritative sources, and immediate deprovisioning when roles end. The conclusion for practitioners is to preserve collaboration while tightening the identity controls behind it.

Identity governance is now a resilience function for universities. When identity breaks, teaching, research, compliance, and reputation all fail together. That means IAM and NHI controls should be measured as operational resilience, not only as security hygiene. The practitioner conclusion is to elevate identity governance into executive risk management.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For a broader lifecycle view, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding should work together.

What this signals

Campus identity programmes should expect NHI scope to keep expanding as AI usage spreads into teaching, administration, and research. With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the operational lesson is that hidden credentials are still a normal failure mode, not an exception. Universities should therefore inventory secrets in the same control plane as user access and audit trails.

Adaptive governance is the practical response to a sector that cannot simply close itself off. The question is not whether higher education will use shared research systems or AI assistants, but whether those identities are visible and revocable. That makes lifecycle policy, not perimeter hardening, the centre of programme design. The NIST Cybersecurity Framework 2.0 remains a useful anchor for structuring govern and protect activities around identity.

NHI blast radius will be the deciding metric for many campus programmes. NHIs outnumber human identities by 25x to 50x in modern enterprises, so a small amount of unmanaged access can scale quickly across research, teaching, and operations. Security teams should use that ratio to justify prioritising inventory, owner assignment, and rapid revocation before expanding manual review processes.


For practitioners

  • Inventory all non-human identities in research and operations: Create a single register for service accounts, API keys, tokens, certificates, and autonomous agents. Tie each identity to an owner, purpose, expiry condition, and system of record so hidden credentials cannot persist outside review cycles.
  • Automate offboarding across academic and contractor roles: Connect HR, student, and research affiliation changes to immediate deprovisioning workflows. Prioritise revocation of access that supports collaboration tools, shared repositories, and long-lived machine credentials.
  • Eliminate shared accounts where attribution matters: Replace communal logins in labs, libraries, and specialist systems with named identities and delegated access. If a shared account must remain, isolate it and monitor it as a high-risk exception.
  • Apply task-scoped access to AI agents and scripts: Treat autonomous workflows as identities with bounded permissions, logging, and expiry. Use the same review discipline for agent actions that you use for privileged human access, especially where documents or APIs are involved.
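The first three practitioner steps above, together with the practical implications in the technical breakdown (every identity gets an owner and an explicit expiry condition; entitlement changes propagate from authoritative sources), describe one reconciliation procedure. The block below is an added example, not code from SailPoint or NHIMG, that implements it end to end: a register in which each non-human identity carries an owner, purpose, expiry and rotation date; constructed HR/SIS affiliation and project feeds standing in for the authoritative sources; a review that derives findings for each identity; and an automatic revocation step that deactivates only the identities whose reason for existing has ended, while unowned, shared or overdue-rotation identities are flagged as high-risk exceptions for a human to handle. All identity names, feeds and dates are constructed.

```python
"""Added example (not SailPoint's or NHIMG's code): a minimal NHI register reconciled
against constructed authoritative affiliation and project feeds. Every name, feed entry
and date below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class NHI:
    name: str
    kind: str                     # "service_account", "api_key", "agent", ...
    owner: Optional[str]          # campus user id of the accountable human; None = unowned
    purpose: str                  # project or system the credential exists for
    expires: Optional[date]       # explicit expiry condition; None = never set
    shared: bool = False          # communal login used by several people
    active: bool = True
    last_rotated: Optional[date] = None


# Findings that end the reason for the credential to exist; revocation is automatic.
HARD_REVOKE = ("owner_affiliation_ended", "project_closed", "expired")


def review(register, affiliations, projects, today, max_rotation_days=90):
    """Return {identity name: [reasons]} for every identity that needs action.

    `affiliations` and `projects` play the role of the authoritative sources
    (HR, student information system, research project registry)."""
    findings = {}
    for nhi in register:
        if not nhi.active:
            continue
        reasons = []
        if nhi.owner is None:
            reasons.append("no_owner")
        elif affiliations.get(nhi.owner) != "active":
            reasons.append("owner_affiliation_ended")
        if nhi.purpose in projects and projects[nhi.purpose] != "active":
            reasons.append("project_closed")
        if nhi.expires is None:
            reasons.append("no_expiry")
        elif nhi.expires < today:
            reasons.append("expired")
        if nhi.shared:
            reasons.append("shared_account")
        if nhi.last_rotated is None or (today - nhi.last_rotated).days > max_rotation_days:
            reasons.append("rotation_overdue")
        if reasons:
            findings[nhi.name] = reasons
    return findings


def apply_revocations(register, findings):
    """Deactivate identities with a hard finding; return their names in register order.
    Everything else in `findings` stays active but is left for a human review queue."""
    revoked = []
    for nhi in register:
        if any(r in HARD_REVOKE for r in findings.get(nhi.name, [])):
            nhi.active = False
            revoked.append(nhi.name)
    return revoked


def build_sample_register():
    """Constructed register covering the cases the page describes."""
    return [
        NHI("seq-pipeline-sa", "service_account", "prof_ahmed", "genomics-2025",
            date(2026, 12, 31), last_rotated=date(2026, 3, 15)),              # healthy
        NHI("grad-lee-api-key", "api_key", "grad_lee", "genomics-2025",
            date(2026, 12, 31), last_rotated=date(2026, 1, 10)),              # owner graduated
        NHI("survey-export-agent", "agent", "prof_ahmed", "survey-2024",
            date(2025, 6, 30)),                                               # project over, expired
        NHI("lab-shared-login", "service_account", None, "wetlab-instrument",
            None, shared=True),                                               # communal, unowned
    ]


def run_example(today=date(2026, 4, 30)):
    """Reconcile the sample register; returns (findings, revoked names)."""
    # Constructed authoritative feeds.
    affiliations = {"prof_ahmed": "active", "grad_lee": "graduated", "contractor_x": "ended"}
    projects = {"genomics-2025": "active", "survey-2024": "closed"}
    register = build_sample_register()
    findings = review(register, affiliations, projects, today)
    revoked = apply_revocations(register, findings)
    return findings, revoked


if __name__ == "__main__":
    findings, revoked = run_example()
    for name, reasons in findings.items():
        print(f"{name}: {', '.join(reasons)}")
    print("revoked:", revoked)
```

The design choice worth noting is the split between `HARD_REVOKE` findings, which are driven directly by the authoritative sources and therefore safe to act on automatically, and the remaining findings (no owner, no expiry, shared, rotation overdue), which are exactly the "isolate and monitor as a high-risk exception" cases the list above describes and still need a named human to decide.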

Key takeaways

  • Higher education’s openness creates a predictable identity governance gap when access outlives roles and projects.
  • Non-human identities and AI agents amplify that gap because they expand the number of credentials that must be owned, reviewed, and revoked.
  • The practical response is adaptive lifecycle control, not blanket restriction, so universities can preserve collaboration while reducing exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on stale non-human access and weak offboarding.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access governance are central to the article's argument.
NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification fits distributed campus access and AI agent use.

Apply zero trust to campus identities by continuously validating access context and entitlement scope.


Key terms

  • Adaptive Identity: Adaptive identity is an access model that changes entitlements based on role, context, and risk instead of leaving permissions fixed after provisioning. In higher education, it is especially useful because users change affiliations often and non-human identities need continuous lifecycle control, not one-time approval.
  • Access By Proxy: Access by proxy is a governance pattern where one team approves access but another team or application actually maintains it. This creates drift between authorization and enforcement, which makes it harder to prove who has access, why they have it, and whether it should still exist.
  • Shadow AI: Shadow AI is the use of AI tools or agents that are not approved, inventoried, or governed by security teams. It matters because unsanctioned AI often handles data, calls APIs, or stores credentials outside the normal identity controls that would otherwise constrain non-human access.
  • Identity Blast Radius: Identity blast radius is the amount of damage that can result when one credential, account, or agent is over-permissioned or left active too long. It is a useful way to measure how much access exposure a single identity can create across systems, data, and workflows.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How its adaptive identity model maps students, faculty, staff, and collaborators into a single governance workflow
  • The specific ways it ties access decisions to authoritative sources such as student information systems and HR platforms
  • Examples of lifecycle automation for onboarding, role changes, and immediate deprovisioning
  • How the vendor frames visibility and monitoring for shadow AI and non-human identities

👉 SailPoint's full blog covers the higher education identity governance model and implementation framing.

Deepen your knowledge

Adaptive identity governance for students, faculty, collaborators, and non-human identities is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for a similarly open environment, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org