TL;DR: Lumos argues that identity, not infrastructure, is now the primary attack surface, and says teams need visibility, least privilege, JIT access, and AI-assisted access reviews to govern both human and non-human identities. The underlying problem is not automation itself, but whether automation still leaves clear accountability, revocation, and review points.
At a glance
What this is: This is a vendor viewpoint on autonomous identity, arguing that modern identity governance must cover both human and non-human identities with faster visibility, least privilege, and AI-assisted access reviews.
Why it matters: For IAM and NHI practitioners, it reinforces that access governance now has to keep pace with app sprawl, ephemeral access, and autonomous workflows rather than just periodic reviews.
👉 Read Lumos' viewpoint on autonomous identity and access governance
Context
Identity governance is no longer only about employees and contractors. As service accounts, bots, and AI agents take on more execution authority, the real gap is whether access decisions can still be traced, limited, and revoked at machine speed.
Lumos frames this as a shift toward autonomous identity, but the practitioner problem is broader than one vendor's terminology. The core issue is whether existing IAM and NHI controls can keep up with faster app adoption, dynamic roles, and one-time access patterns without creating blind spots or standing privilege.
For most enterprises, that starting position is increasingly typical rather than exceptional: NHI sprawl is now the norm. The unusual part is not its presence, but any programme that still treats it as an edge case.
Key questions
Q: How should security teams govern non-human identities in practice?
A: Start with ownership, scope, and expiry. Every service account, token, key, certificate, and AI agent should have a named owner, a limited purpose, and a defined review or revocation point. Then enforce least privilege and just-in-time access where possible, so machine access does not become permanent by default.
Q: When does just-in-time access reduce risk for NHIs?
A: Just-in-time access reduces risk when the access is short-lived, tightly scoped, and tied to a specific task or workflow. It creates less value for attackers than standing privilege, but only if teams can revoke it quickly, log it clearly, and prevent credentials from being reused outside the intended window.
Q: What is the difference between least privilege and access review for NHIs?
A: Least privilege is the target state, meaning an identity only has the permissions it needs. Access review is the control process used to check whether entitlements still match that target state. For NHIs, both are necessary because automated permissions can drift faster than periodic review cycles can catch them.
Q: Why do autonomous workflows create new IAM governance challenges?
A: Autonomous workflows move access decisions closer to execution time and increase the number of identities that can act without direct human oversight. That makes approval queues, periodic certifications, and manual cleanup less effective. Teams need policy-driven, lifecycle-aware controls that can keep pace with machine speed.
Technical breakdown
Why autonomous identity changes access governance mechanics
Autonomous identity describes access governance that reacts continuously instead of waiting for periodic admin review. In practice, that means access is evaluated against role changes, request context, and policy signals as identities move through their lifecycle. The technical shift is important because human review alone cannot scale to service accounts, bots, and AI agents that can create and consume access faster than a quarterly certification cycle. The risk is not just overprivilege. It is also drift between what a system believes is allowed and what an identity can actually do across many applications and tools.
Practical implication: Treat access governance as a runtime control problem, not only a review process.
Just-in-time access and least privilege for non-human identities
Just-in-time access reduces standing privilege by issuing credentials only when a task needs them. For NHI governance, that matters because long-lived access tokens, service account keys, and bot credentials tend to survive long after their original purpose. Least privilege by default is the control objective, but it only works if entitlement scope, duration, and revocation are defined at the workload level. Otherwise, teams simply automate the old problem instead of shrinking it. Dynamic access changes are useful only when they are bounded by policy and backed by a clean audit trail.
Practical implication: Use time-bound access with clear expiry, scope, and rollback conditions for every machine identity.
AI-assisted access reviews can reduce noise, but not accountability
AI-driven recommendations can help reviewers spot outliers in large access sets, especially where dozens of apps and inherited entitlements make manual review impractical. But recommendation engines do not own the decision. They only improve decision quality if the organisation still knows who approved, why access was retained, and how exceptions were handled. In NHI environments, that matters because access review failures often come from approval fatigue, not lack of data. Automation should reduce rubber-stamping, not replace ownership. If the control cannot produce a defensible decision record, it has not solved governance.
Practical implication: Require human accountability for exceptions even when AI helps prioritise reviews.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Autonomous identity is really a governance compression problem. As access decisions move closer to runtime, teams have less time to rely on periodic review and more pressure to make policy decisions before privilege accumulates. That changes the control objective from documenting access after the fact to constraining it before it becomes reusable. Practitioners should treat this as a lifecycle discipline, not an automation feature.
Agentic and non-human identities expose the weakness of approval-centric IAM. Approval workflows were built for slower, human-paced access changes, not for identities that can request, inherit, and use permissions across multiple systems in minutes. The result is often process theatre, where reviews exist but do not materially reduce exposure. Teams need evidence that approval maps to actual blast-radius reduction.
Least privilege without lifecycle enforcement becomes policy drift. A role model can look clean on paper while service accounts, bots, and integrations accumulate permissions over time. That is why identity governance must include provisioning, re-certification, exception handling, and offboarding in one control loop. If lifecycle enforcement is missing, least privilege is only a statement of intent.
AI-assisted governance helps only when the organisation preserves decision accountability. Pattern recognition can improve review quality, but it cannot own risk acceptance. The practical test is whether teams can explain why an entitlement exists, who accepted it, and when it will be removed. Without that, autonomy increases speed but does not improve governance maturity.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- For a broader control baseline, review Ultimate Guide to NHIs alongside OWASP Non-Human Identity Top 10.
What this signals
Ephemeral access will not fix governance by itself. As more teams adopt task-scoped credentials and autonomous workflows, the control question shifts to whether the organisation can still prove who approved, what was issued, and when it was removed. That is where lifecycle discipline matters more than workflow speed.
With 72% of organisations having experienced, or suspecting they have experienced, a breach of non-human identities, per The 2024 ESG Report: Managing Non-Human Identities, the programme signal is clear: reviewers need better evidence, not more review volume.
Identity blast radius: the measure that matters is no longer how many access requests you process, but how much access any single machine identity can accumulate before control catches up. Teams should align this with NIST Cybersecurity Framework 2.0 functions for identify, protect, detect, respond, and recover.
For practitioners
- Map every non-human identity to an owner and expiry: Inventory service accounts, API keys, tokens, certificates, and AI agents, then assign a business and technical owner plus a review date. This is the minimum control needed to stop anonymous access from surviving beyond its purpose.
- Replace standing access with task-scoped access: Use just-in-time provisioning for administrative and machine access where possible, and define the exact task, duration, and revoke condition before access is granted. The control should shrink privilege duration, not just record it.
- Automate access review triage, not final approval: Let AI highlight outliers, inherited entitlements, and stale access, but keep a named approver for exceptions and sensitive privileges. That preserves accountability while reducing reviewer fatigue.
- Tie NHI access to lifecycle events: Revoke or re-scope access when an app is retired, a workflow changes, a bot is replaced, or an integration owner changes. Lifecycle triggers are where orphaned access is most likely to persist.
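As an added example (not code from Lumos or the NHIMG page), the following Python check applies the four practitioner steps above, together with the JIT-window and lifecycle controls from the technical breakdown, to a constructed NHI inventory. The 8-hour JIT window, the sensitive-scope list, the identity names and the fixed clock are all assumptions; the triage step only ranks findings for a named approver and never approves or revokes anything itself.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 12, tzinfo=timezone.utc)   # fixed clock; constructed data
MAX_JIT_WINDOW = timedelta(hours=8)                 # assumed policy for sensitive grants
SENSITIVE_SCOPES = {"admin", "secrets:read", "iam:write"}  # assumed classification


@dataclass(frozen=True)
class MachineIdentity:
    name: str                  # service account, API key, token, or AI agent
    owner: str | None          # named owner, or None if nobody is accountable
    granted: datetime
    expires: datetime | None   # None means standing access
    scopes: frozenset[str]
    app_retired: bool = False  # lifecycle trigger: owning app decommissioned


def review(ident: MachineIdentity, now: datetime = NOW) -> list[str]:
    """Findings for one identity against owner/expiry/scope/lifecycle controls."""
    findings = []
    if not ident.owner:
        findings.append("no named owner")
    if ident.expires is None:
        findings.append("standing access with no expiry")
    elif ident.expires <= now:
        findings.append("expired credential still present")
    elif ident.scopes & SENSITIVE_SCOPES and ident.expires - ident.granted > MAX_JIT_WINDOW:
        findings.append("sensitive grant exceeds JIT window")
    if ident.app_retired:
        findings.append("owning app retired, access not re-scoped")
    return findings


def triage(inventory: list[MachineIdentity], now: datetime = NOW) -> list[tuple[str, list[str]]]:
    """Rank non-compliant identities for a named approver, worst first.
    Triage only: nothing is approved or revoked automatically here."""
    queue = [(i.name, f) for i in inventory if (f := review(i, now))]
    return sorted(queue, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample inventory with hypothetical names.
def h(hours: float) -> datetime:
    return NOW + timedelta(hours=hours)

INVENTORY = [
    MachineIdentity("ci-deploy-bot", "platform-team", h(-2), h(4), frozenset({"deploy"})),
    MachineIdentity("legacy-etl-key", None, h(-24 * 400), None, frozenset({"db:read", "admin"})),
    MachineIdentity("support-agent", "support-ops", h(-72), h(24 * 27), frozenset({"secrets:read"})),
    MachineIdentity("old-crm-sync", "sales-it", h(-24 * 90), h(-24), frozenset({"crm:write"}), True),
]
```

Running `triage(INVENTORY)` leaves the short-lived, scoped deploy bot out of the queue and puts the ownerless standing key and the expired token of a retired app ahead of the agent whose sensitive grant simply outlives the JIT window.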
Key takeaways
- Autonomous identity does not remove IAM work; it raises the stakes for controlling machine access before it becomes reusable.
- Non-human identities create governance exposure when ownership, scope, and expiry are unclear or inconsistently enforced.
- Practitioners should focus on lifecycle-aware, policy-driven controls that reduce standing privilege and preserve decision accountability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access sprawl and review fatigue are central to this article. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control are core to the autonomy discussion. |
| NIST Zero Trust (SP 800-207) | Continuous verification | Fits the runtime governance model discussed here. |
Map machine access to PR.AC-4 and validate that privileged rights are time-bound and reviewed.
Key terms
- Autonomous Identity: An access governance model where identity decisions are made continuously with policy and automation rather than only through periodic human review. It is meant to keep pace with dynamic apps, machine identities, and fast-changing permissions while still preserving auditability and accountability.
- Just-in-Time Access: A privilege model that grants access only for a specific task and only for as long as needed. For NHIs, it reduces the value of stolen credentials by shrinking exposure windows and limiting how long a bot, service account, or agent can operate with elevated rights.
- Access Sprawl: The gradual accumulation of permissions across users, services, and integrations until no one can easily explain why access still exists. In NHI environments, it often appears when machine identities keep inherited rights long after their original business purpose has changed.
Deepen your knowledge
Autonomous identity governance and just-in-time access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for service accounts, bots, or AI agents from a similar starting point, it is worth exploring.
This post draws on content published by Lumos: Executive Viewpoint, The Future of Identity Is Autonomous. Read the original.
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org