TL;DR: Non-human identities now outnumber human identities by more than 100 to one in many enterprise environments, while most organisations still lack systematic governance for service accounts, API keys, OAuth tokens, and AI agents, according to Clarity Security. Access that compounds over time is turning NHI oversight into a structural identity problem, not a niche operations issue.
At a glance
What this is: This is a webinar preview on NHI and AI identity governance, arguing that governance has not kept pace with the scale and autonomy of non-human access.
Why it matters: It matters because IAM, PAM, IGA, and security teams now have to govern service accounts, tokens, and AI agents as first-class identities, not as leftovers from application plumbing.
By the numbers:
- Non-human identities now outnumber human ones by more than 100 to one in many enterprise environments.
👉 Register for Clarity Security's live webinar on NHI and AI identity governance
Context
Non-human identity governance is the discipline of controlling service accounts, API keys, OAuth tokens, certificates, and AI agent identities with the same rigour applied to people. The problem is scale: identity sprawl has moved faster than ownership, lifecycle controls, and review processes, so access often persists after the original purpose has faded.
This webinar frames that gap around a practical question for IAM leaders. If governance frameworks were built for human-paced approval loops and predictable account lifecycles, they struggle when machine identities are created programmatically, inherit privileges across systems, and continue operating without clear offboarding. That makes NHI governance part of core identity architecture, not a side topic.
Key questions
Q: What breaks when organisations treat non-human identities like ordinary app accounts?
A: Ownership, review, and offboarding break first. Non-human identities are created and reused in code, pipelines, and integrations, so they often persist without a clear business owner or retirement process. That leaves standing access in place long after the original use case has ended, which widens the attack surface and makes accountability difficult to prove.
Q: Why do service accounts and API keys create outsized governance risk?
A: They create outsized risk because they are easy to reuse, hard to trace, and often hold more privilege than the workload actually needs. When one credential can reach multiple systems or data sets, a single leak can become a broad access event. The risk grows further when no one is responsible for review, rotation, or removal.
Q: How do security teams know if NHI governance is actually working?
A: Look for evidence that identities are discoverable, owned, reviewed, rotated, and revoked on schedule. If teams cannot show who owns a machine identity, why it exists, and when it will be removed, governance is not operational. The clearest signal is whether access can be reduced quickly without relying on tribal knowledge.
Q: What should organisations do before expanding AI agent deployments?
A: They should define agent-specific identity controls before scaling. That means narrowing tool access, documenting delegated permissions, assigning ownership, and deciding how agent activity will be reviewed or terminated. If those controls are built after rollout, the organisation will inherit a much larger identity surface than it can govern confidently.
Background and context
Why NHI sprawl breaks traditional identity governance
Traditional identity governance assumes identities are assigned, reviewed, and retired through visible business processes. Non-human identities behave differently because they are often created in code, embedded in pipelines, or issued by platforms without a human owner watching each step. That makes discovery, ownership, entitlement review, and revocation hard to operationalise. Once access is distributed across applications and integrations, the identity estate becomes larger than the team’s control plane. The technical issue is not only volume but also traceability: many NHIs do not map cleanly to a person or business role.
Practical implication: inventory NHIs by system, owner, and purpose before trying to enforce review or rotation.
How AI agents change the identity boundary
AI agents complicate identity governance because they can act on behalf of a task, not a person, and can move between tools, data sources, and execution contexts. That means the access model is no longer just authentication plus authorisation. It becomes a question of runtime scope, delegated trust, and downstream tool exposure. If an agent can trigger actions across multiple systems, every connected secret or token becomes part of its effective identity surface. This is why agentic AI cannot be treated as a cosmetic extension of human IAM.
Practical implication: define agent-specific entitlements, approval boundaries, and tool scopes before scaling agent deployments.
What regulatory scrutiny means for NHI controls
Regulators are increasingly interested in whether organisations can demonstrate control over non-human access, not just whether credentials exist in a vault. For NHIs, that means proving who owns the identity, how access is granted, how often it is reviewed, and how quickly it is revoked when no longer needed. Governance gaps are especially visible where third-party integrations, OAuth grants, and long-lived secrets are left unmanaged. In practice, compliance pressure tends to expose the same root problem: the organisation cannot show continuous accountability for machine access.
Practical implication: align NHI controls to auditable ownership, review, and revocation evidence rather than informal operational assurances.
NHI Mgmt Group analysis
Non-human identity governance is now a core identity architecture problem, not a niche security add-on. Service accounts, API keys, tokens, and agent identities now sit inside the same access graph as human users, but they are created and consumed at machine speed. That means traditional IGA and PAM assumptions about ownership, review cadence, and offboarding no longer hold cleanly. Practitioners should treat NHI governance as a baseline control plane, not a special case.
Identity blast radius is the right named concept for this problem. The more NHIs accumulate across pipelines, integrations, and AI workflows, the larger the effective blast radius becomes even when individual credentials look low-risk. A single forgotten token can inherit trust from multiple systems, third-party connections, and automation paths. The implication is that identity risk is no longer defined by one credential at a time but by the connected surface it can traverse.
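The connected-surface view above can be made concrete by walking the access graph: a credential reaches systems, those systems hold further credentials, and so on. The script below is an added illustration written for this post, not code from NHI Mgmt Group or Clarity Security; the graph model (credential-to-system and system-holds-credential edges) and the sample names are constructed assumptions.

```python
"""Identity blast radius as transitive reach over a constructed access graph.

Added example, not from the original post: the two edge tables and every
credential/system name below are assumptions chosen to illustrate the idea.
"""
from collections import deque

# Credential -> systems it can authenticate to (constructed sample data).
CAN_ACCESS = {
    "token-ci-deploy": {"ci-runner"},
    "svc-ci-runner": {"artifact-store", "prod-k8s"},
    "key-vendor-sync": {"crm", "vendor-saas"},
    "oauth-agent-ops": {"ticketing", "prod-k8s"},
}

# System -> credentials stored or reachable on it, e.g. in environment
# variables, config files or mounted secrets (constructed sample data).
HOLDS = {
    "ci-runner": {"svc-ci-runner", "key-vendor-sync"},
    "prod-k8s": {"oauth-agent-ops"},
}


def blast_radius(start, can_access=CAN_ACCESS, holds=HOLDS):
    """Return (systems, credentials) reachable from one credential.

    Breadth-first search over credential -> system -> held credential edges,
    so a token that directly reaches one box still counts everything that
    box's stored secrets can reach in turn.
    """
    seen_creds = {start}
    seen_systems = set()
    queue = deque([start])
    while queue:
        cred = queue.popleft()
        for system in can_access.get(cred, ()):
            if system in seen_systems:
                continue
            seen_systems.add(system)
            for next_cred in holds.get(system, ()):
                if next_cred not in seen_creds:
                    seen_creds.add(next_cred)
                    queue.append(next_cred)
    return seen_systems, seen_creds - {start}


def rank_by_blast_radius(can_access=CAN_ACCESS, holds=HOLDS):
    """Rank every credential by the number of systems it can transitively reach,
    highest first, so review effort goes to reach rather than raw count."""
    ranked = [(cred, len(blast_radius(cred, can_access, holds)[0]))
              for cred in can_access]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for cred, reach in rank_by_blast_radius():
        direct = len(CAN_ACCESS[cred])
        print(f"{cred}: direct={direct} transitive={reach}")
```

In the constructed data the CI deploy token authenticates to exactly one system, which is why it looks low-risk in a per-credential review; following the secrets stored on that runner gives it reach into six systems and three further credentials. Ranking by transitive reach rather than direct grants is the planning signal the concept is meant to provide.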
AI agents force governance teams to confront delegated access without human pacing. The governance model was designed for identities whose purpose, owner, and access duration are usually knowable in advance. That assumption breaks when the actor is an AI agent because the same identity can select actions, invoke tools, and continue execution without human review between steps. Practitioners must stop assuming that standard certification cycles can observe what agentic behaviour completes in-session.
Most organisations are still underestimating how much of their identity estate is already non-human. The article’s claim that NHIs outnumber human identities by more than 100 to one aligns with the broader pattern we see across machine identity programmes: discovery always lags creation. When scale outruns governance, the failure is not just missing inventory. It is the absence of a workable operating model for ownership, lifecycle, and accountability.
Regulatory pressure will increasingly expose evidence gaps rather than policy gaps. Many teams already have policies that mention machine identities, but far fewer can prove revocation, rotation, and review in a way auditors can follow. That is where scrutiny lands first: on whether the organisation can show continuous control over non-human access across its lifecycle. Practitioners should expect governance maturity to be measured by proof, not intent.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- To go deeper: Review 52 NHI Breaches Analysis to see how unmanaged machine access turns into real-world compromise patterns.
What this signals
Identity teams should expect machine access to become the default governance burden. As AI agents, service accounts, and integration tokens multiply, the practical question is no longer whether to govern NHIs but how quickly the organisation can build a usable control plane around them. Teams that still rely on informal ownership will see review and revocation lag behind creation.
Identity blast radius will become a more useful planning concept than raw credential count. The issue is not only how many machine identities exist, but how far each one can reach across tools, data, and third-party connections. That is where programmes should focus their next round of risk reduction.
If your programme already depends on the Ultimate Guide to NHIs for baseline governance, the next step is to map those controls into operating evidence. Discovery without revocation proof will not satisfy internal risk teams, and it will not hold up well as scrutiny around machine access increases.
For practitioners
- Inventory non-human identities by owner and purpose: Build a register that separates service accounts, API keys, OAuth grants, certificates, and AI agent identities by business owner, technical owner, and expiry date. Without that split, review and offboarding become guesswork.
- Map agent permissions to task-specific scopes: For any AI agent in production, define the exact tools, data sources, and execution boundaries it may use, then block anything outside that task scope. Treat agent access as a time-bound delegated control, not a standing entitlement.
- Shorten credential lifecycle for machine access: Rotate or revoke long-lived machine credentials on a schedule tied to business need, not convenience. Where rotation is difficult, prioritise removal of unused identities and elimination of secrets embedded in code, config, or CI/CD systems.
- Evidence ownership and revocation for audits: Make sure every non-human identity has a named accountable owner, a documented purpose, and a revocation path that can be demonstrated on request. Auditors will care less about policy language than about proof that access can be removed quickly.
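The four steps above amount to a register with a fixed set of fields and a set of checks that can be run against it on a schedule. The script below is an added example for this post, not code from NHI Mgmt Group or Clarity Security: the record fields, the 90-day rotation and 60-day unused thresholds, and the three sample identities are assumptions, chosen so that one entry is clean, one fails most checks, and one AI agent holds a scope outside its task.

```python
"""Audit a constructed NHI register for ownership, lifecycle and scope gaps.

Added example, not from the original post. Field names, thresholds and the
sample entries are assumptions; adapt them to the real register.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

TODAY = date(2026, 6, 25)         # pinned so the audit output is reproducible
MAX_CREDENTIAL_AGE_DAYS = 90      # assumed rotation policy
UNUSED_AFTER_DAYS = 60            # assumed threshold for "no longer in use"


@dataclass
class Nhi:
    name: str
    kind: str                      # service_account | api_key | oauth_grant | certificate | ai_agent
    business_owner: Optional[str]
    technical_owner: Optional[str]
    purpose: Optional[str]
    created: date
    expires: Optional[date]
    last_used: Optional[date]
    granted_scopes: Set[str] = field(default_factory=set)
    task_scopes: Set[str] = field(default_factory=set)   # declared task boundary for ai_agent


def audit(nhi: Nhi, today: date = TODAY) -> List[str]:
    """Return governance findings for one identity; an empty list means clean."""
    findings = []
    if not nhi.business_owner or not nhi.technical_owner:
        findings.append("missing_owner")          # nobody accountable for review or removal
    if not nhi.purpose:
        findings.append("missing_purpose")        # cannot say why the identity exists
    if nhi.expires is None:
        findings.append("no_expiry")              # standing access with no retirement date
    elif nhi.expires < today:
        findings.append("expired_but_present")    # should already have been revoked
    if (today - nhi.created).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("rotation_overdue")
    if nhi.last_used is None or (today - nhi.last_used).days > UNUSED_AFTER_DAYS:
        findings.append("unused")                 # candidate for removal before rotation
    if nhi.kind == "ai_agent":
        excess = nhi.granted_scopes - nhi.task_scopes
        if excess:
            findings.append("agent_over_scoped:" + ",".join(sorted(excess)))
    return findings


def audit_register(register: List[Nhi], today: date = TODAY) -> Dict[str, List[str]]:
    """Map each identity with at least one finding to its findings."""
    report = {}
    for nhi in register:
        findings = audit(nhi, today)
        if findings:
            report[nhi.name] = findings
    return report


# Constructed sample register (not real identities).
SAMPLE_REGISTER = [
    Nhi("svc-billing-db", "service_account", "Finance", "dba-team", "nightly invoice export",
        created=TODAY - timedelta(days=30), expires=TODAY + timedelta(days=60),
        last_used=TODAY - timedelta(days=1)),
    Nhi("ci-deploy-key", "api_key", None, "platform", None,
        created=TODAY - timedelta(days=400), expires=None,
        last_used=TODAY - timedelta(days=200)),
    Nhi("agent-support-triage", "ai_agent", "Support", "ml-platform", "ticket triage",
        created=TODAY - timedelta(days=10), expires=TODAY + timedelta(days=20),
        last_used=TODAY,
        granted_scopes={"tickets:read", "tickets:write", "customers:export"},
        task_scopes={"tickets:read", "tickets:write"}),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding is a named string rather than a score so the output can be exported as audit evidence alongside the register itself; an identity that produces no findings is one whose owner, purpose, expiry, rotation age, recent use and (for agents) scope boundary can all be shown on request.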
Key takeaways
- NHI governance is now a first-order identity problem because machine accounts are multiplying faster than teams can track or retire them.
- The scale of the issue is already measurable, with enterprise environments reporting machine identities that far exceed human identities.
- Practical control now depends on ownership, scoped access, and provable lifecycle management for every non-human identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The post centres on discovery and ownership gaps for non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on knowing who or what has access and why. |
| NIST Zero Trust (SP 800-207) | | Zero Trust is directly relevant where machine access must be continuously verified. |
Apply continuous verification to non-human access paths and reduce implicit trust in integrations.
Key terms
- Non-Human Identity: A non-human identity is any machine or software identity used to authenticate and authorise access, including service accounts, API keys, tokens, certificates, workloads, and AI agents. It requires lifecycle control, ownership, and revocation just like human access, but it is created and consumed at machine speed.
- Identity Blast Radius: Identity blast radius is the amount of access damage an identity can create if it is misused, compromised, or over-privileged. In NHI environments, it is shaped by connected systems, delegated trust, third-party exposure, and whether the credential can reach more than one workload or data domain.
- Delegated Access: Delegated access is permission granted to one identity to act on behalf of another system, process, or user. For NHIs and AI agents, delegated access becomes risky when scope, duration, and ownership are unclear, because the credential can outlive the original business need or expand beyond its intended task.
What to expect at the briefing
Clarity Security's live webinar covers the operational detail this post intentionally leaves for the source:
- Live discussion between Alexis Moyse and Lalit Choda on the current state of NHI governance and where practitioners still struggle.
- Practical commentary on how AI agents change identity governance assumptions across access, ownership, and lifecycle.
- Discussion of regulatory scrutiny around non-human identities and what readiness looks like in real programmes.
- Forward-looking view on where NHI and AI identity governance is heading over the next two to three years.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org