TL;DR: Identity risk now spans human users, machines, non-human identities, and emerging AI agents, and its unified visibility approach is aimed at helping teams quantify and reduce attack surface, according to Axiad. The real issue is not staffing news but the widening gap between identity sprawl and governance models built for slower, human-paced access reviews.
At a glance
What this is: Axiad’s appointment of a new chief revenue officer is framed around scaling identity security for human users, machines, non-human identities, and AI agents.
Why it matters: It matters because IAM programmes are being asked to govern a broader identity surface than traditional human access models were designed for, especially where machine and AI-driven access is involved.
By the numbers:
👉 Read Axiad’s announcement on identity risk visibility and enterprise growth
Context
Identity risk is no longer limited to employee logins and privileged human access. The article frames a wider problem: organisations now have to govern users, machines, non-human identities, and AI agents through a single security lens, while the underlying visibility and control stack remains fragmented.
For IAM, IGA, and PAM teams, the challenge is less about one new product motion and more about whether their current operating model can measure and manage identity exposure across very different actor types. When identity becomes the primary attack surface, gaps in inventory, lifecycle control, and credential governance become programme-level issues, not isolated tooling issues.
Key questions
Q: How should security teams govern machine and AI identities alongside human accounts?
A: Security teams should govern machine and AI identities with the same lifecycle discipline used for humans, but with controls adapted to runtime behaviour. That means clear ownership, scoped issuance, rotation, revocation, and review paths for every service account, token, certificate, or agent identity. If an identity can act independently or persist beyond its purpose, it needs explicit governance.
Q: Why do machine identities increase identity risk in enterprise environments?
A: Machine identities increase risk because they often outnumber human accounts, carry broad privileges, and are harder to inventory accurately. They also tend to be embedded in systems, code, or automation flows, which makes ownership and offboarding weak. The result is a larger attack surface with more opportunities for misuse, persistence, and lateral movement.
Q: What do teams get wrong when trying to reduce identity attack surface?
A: Teams often focus on the existence of identities instead of the reach and privilege those identities create. A low-count environment can still be high risk if credentials are overprivileged, poorly owned, or impossible to revoke quickly. Effective reduction starts with correlated visibility, then targets the identities that create the biggest blast radius.
Q: Who should be accountable for orphaned service accounts and AI identities?
A: Accountability should sit with the system owner or business service owner, not only with the central IAM team. IAM can set the process, but operational ownership is required to validate purpose, approve continued use, and remove access when the workload or workflow ends. Without named ownership, revocation and review become optional.
Technical breakdown
Unified identity visibility across human and non-human identities
Unified identity visibility means being able to inventory, classify, and monitor identities across users, service accounts, credentials, devices, and AI-driven workloads from one control plane. In practice, the hard part is not collecting records but correlating entitlement, usage, and ownership so teams can see which identities are active, overprivileged, or orphaned. Without that correlation, risk scores become descriptive rather than actionable, and security teams cannot tell which identity relationships actually expand attack surface.
Practical implication: build a complete identity inventory that links ownership, privilege, and usage before trying to score or reduce risk.
Quantified identity risk and attack surface reduction
Quantified identity risk turns identity management from a binary compliance exercise into a prioritisation problem. Rather than asking whether an account exists, teams ask how much exposure that identity creates, how much privilege it carries, and how easily it could be abused in a compromise path. This becomes especially important when machine identities outnumber humans and when AI agents can create new access patterns faster than manual reviews can keep pace.
Practical implication: use risk scoring to rank identities by exploitability and blast radius, not by administrative convenience.
Identity governance for machines and emerging AI agents
Machine identities and AI agents extend IAM beyond login events into runtime access, delegated credentials, and automated action paths. That changes the control problem because ownership, intent, and revocation are harder to define when the subject is not a person. Governance now has to cover issuance, rotation, verification, and offboarding for identities that may act continuously or in bursts across multiple systems.
Practical implication: extend lifecycle controls and access governance to non-human actors with the same discipline used for human access reviews.
NHI Mgmt Group analysis
Identity visibility has become the first control plane, not an adjunct control. Traditional IAM programmes were built to manage known users and predictable lifecycle events, but the article reflects a broader operating reality where machine and AI identities now materially expand the attack surface. When identity sprawl outruns inventory quality, the programme loses the ability to distinguish benign access from latent exposure. Practitioners should treat visibility as the foundation for every downstream control decision.
Quantification changes identity security from administration to prioritisation. Once enterprises can estimate identity risk, they can stop treating all identities as equal review candidates. That matters because service accounts, tokens, and AI-linked access paths do not age like human accounts and often carry disproportionate blast radius. The important shift is not more reporting, but sharper decision-making about which identities require immediate containment.
Machine identities and AI agents collapse the assumption that access is always human-paced and reviewable. Access review processes were designed for actors whose permissions persist long enough to be certified on a schedule. That assumption fails when identities are issued for automated workflows, delegated actions, or emerging AI agent behaviour that can change access patterns faster than governance cycles can observe. The implication is that lifecycle governance has to be rethought around runtime behaviour, not periodic review alone.
Identity attack surface reduction is becoming a board-level resilience issue. The article’s emphasis on expanding identity risk reflects a market shift: identity is now being measured as an operational exposure domain rather than a narrow access-management function. That elevates the relevance of NIST CSF and zero trust thinking, because governance now has to connect visibility, protection, and response across heterogeneous identity types. Practitioners should expect identity risk to sit alongside infrastructure and cloud exposure in resilience reporting.
Named concept: identity blast radius. The central governance problem is not merely how many identities exist, but how far one compromised identity can move across systems, roles, and delegated actions. That concept matters most when machine or AI identities are granted broad cross-system reach without clear ownership boundaries. Practitioners should use blast radius as the organising metric for identity programme design.
From our research:
- 95% customer retention rate, according to Axiad's published material on its identity security platform and customer base.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- That visibility gap is why practitioners should pair inventory work with rotation, offboarding, and review discipline from Ultimate Guide to NHIs , Key Challenges and Risks.
What this signals
Identity blast radius: the programme risk is no longer simply missing accounts, but missing how far one identity can reach once privilege is delegated across systems. When teams can measure that reach, they can re-rank remediation and report identity exposure in a way executives understand.
With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, identity risk reduction has to start with access scope rather than with tool consolidation. That figure points to a structural governance problem, not an isolated hygiene issue.
Enterprises should expect identity security to merge more tightly with zero trust and resilience reporting. The practical question is whether the organisation can prove ownership, scope, and revocation for every identity class before those identities become part of an incident path.
For practitioners
- Inventory all non-human identities as first-class assets Build a complete register of service accounts, API keys, certificates, tokens, and AI-linked identities with owners, purpose, and system dependencies. Treat any identity without a clear business owner or runtime purpose as a governance defect, not an administrative nuisance.
- Prioritise identities by blast radius Score identities by privilege scope, cross-system reach, and likelihood of misuse so remediation work focuses on the highest-exposure accounts first. Use that ranking to drive review cadence, rotation urgency, and access containment decisions.
- Extend lifecycle controls to machine and AI identities Apply issuance, review, rotation, and offboarding processes to service accounts and agentic workloads, not only humans. Make revocation ownership explicit so credentials do not outlive the system or workflow they were created for.
- Connect identity visibility to response workflows Ensure that anomalous entitlement growth, dormant credential use, and orphaned access trigger operational response, not just reporting. Tie identity signals into IAM, PAM, and security operations so containment can happen before the access path is reused.
Key takeaways
- Identity risk is expanding beyond human accounts, and governance models that stop at employee access are now incomplete.
- The most useful control metric is not identity count alone, but how much blast radius each identity creates across systems and delegated workflows.
- Practitioners should extend lifecycle, visibility, and revocation discipline to machine and AI identities before those identities become persistent exposure points.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity risk and access scope map directly to privileged access governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle and rotation are central when machine identities proliferate. |
| NIST Zero Trust (SP 800-207) | The post centers on reducing identity attack surface through continuous verification. |
Apply zero trust principles to identity classes that cross systems and carry delegated privilege.
Key terms
- Non-Human Identity: A non-human identity is any credentialed digital identity used by software, workloads, services, bots, or agents rather than a person. It can include service accounts, API keys, tokens, and certificates. Governance must cover ownership, privilege, lifecycle, and revocation just as rigorously as human access.
- Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can create across systems, roles, and downstream actions. It is shaped by privilege scope, delegation depth, and how widely the identity is trusted. Lowering blast radius is often more useful than counting identities or tracking them in isolation.
- Identity Visibility: Identity visibility is the ability to inventory, classify, and monitor identities in a way that links each one to ownership, entitlement, and runtime use. Without it, organisations cannot reliably spot orphaned access, excessive privilege, or credentials embedded in automation flows. It is the foundation for risk reduction.
- Lifecycle Governance: Lifecycle governance is the discipline of issuing, reviewing, rotating, certifying, and offboarding identities throughout their useful life. It applies to humans, non-human identities, and autonomous actors, but the controls must reflect how each type behaves. Weak lifecycle governance leaves access active after the business need has ended.
What's in the full analysis
Axiad's full report covers the operational detail this post intentionally leaves for the source:
- How Axiad Mesh maps identity visibility and quantified risk across users, devices, machines, and AI agents
- Details on how the platform frames identity risk analysis for enterprise buying and security operations
- Product-level context on Axiad Conductor and Axiad Confirm, including how the vendor positions credential management and identity verification
- The company background, customer retention context, and executive commentary around the new CRO appointment
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org