Best practices for non-human identity security in modern stacks

At a glance

What this is: This is an NHI security strategy guide that argues teams need to move from ad hoc access control to risk-informed governance across discovery, policy, standards, metrics, process, and ownership.

Why it matters: It matters because the same control gaps that weaken machine identities also distort IAM, IGA, and PAM programmes when service accounts, workloads, and AI agents are treated as implicitly trusted.

By the numbers:

• 50% of surveyed organisations had a breach in the past year tied to compromised machine identities.

👉 Read Cerbos' guide to securing non-human identities in modern enterprises

Context

Non-human identity security is the discipline of discovering, scoping, governing, and auditing machine identities such as service accounts, API keys, tokens, certificates, workloads, and AI agents. This article argues that many IAM programmes still give NHIs implicit trust, even as those identities spread across production, development, user-facing OAuth apps, and emerging agentic systems.

The governance gap is broader than secret sprawl. When organisations cannot see what NHIs exist, what they can reach, or which team owns them, rotation, least privilege, and audit logging become partial controls rather than a coherent programme. That is why the discussion belongs with NHI governance, IAM operating models, and workload identity standards such as the Ultimate Guide to NHIs.

Key questions

Q: How should security teams inventory non-human identities across the stack?

A: Start with a single discovery process that covers service accounts, API keys, certificates, OAuth apps, CI/CD secrets, and AI agents. The goal is not just count, but classification by owner, environment, privilege, and business function. Without that baseline, rotation, policy enforcement, and audit logging remain partial controls that miss the identities creating the most exposure.

Q: When do short-lived credentials reduce NHI risk most effectively?

A: They help most when an organisation also has fast revocation, narrow scoping, and clean ownership for every identity. Short-lived credentials reduce the exposure window, but they do not solve orphaned access or broad entitlements. If revocation is slow or scope is excessive, the credential lifetime is shorter while the blast radius stays large.

Q: What do security teams get wrong about workload identity standards?

A: They often treat standards like SPIFFE or OIDC machine-to-machine support as a finished solution. In reality, standards provide a consistent trust model, but governance still has to define who owns identity issuance, how policy is tested, and how access is retired. Without those controls, portability improves while accountability remains weak.

Q: Who should own NHI lifecycle governance in an enterprise?

A: Ownership should be shared, but explicit. Security should define risk and audit requirements, IAM should govern issuance and policy, platform teams should implement and operate controls, and application teams should surface misuse. The important part is that every stage of the NHI lifecycle has a named accountable owner rather than an implied one.

Technical breakdown

NHI exposure mapping across production, development, and AI domains

Exposure mapping starts by identifying where NHIs exist and what they are allowed to touch. In practice, that means service accounts in production, CI/CD secrets in development, OAuth applications in user domains, and AI agents that can call tools or access data. The technical failure is not only missing inventory. It is that identities are created faster than they are classified, so ownership, scope, and monitoring never catch up. Once that happens, teams cannot tell whether a credential is dormant, over-privileged, or actively used in a critical path.

Practical implication: build a single inventory that spans services, pipelines, OAuth apps, and agents before you try to reduce privilege.

Shortest-lived credentials, rotation, and revoke speed

Credential lifetime is a core control variable for NHI risk. Short-lived credentials, automated rotation, and fast revocation reduce the damage window when keys leak or permissions become stale. The article links this directly to machine-identity breaches where poorly scoped API keys, certificates, and service account tokens enabled compromise. The operational point is that rotation alone is not enough if revocation is slow, scope is broad, or orphaned identities remain active after their original purpose ends. Lifecycle control must be continuous, not a one-time hardening task.

Practical implication: measure time-to-revoke, rotation coverage, and orphaned account cleanup as first-class NHI controls.

SPIFFE, OIDC M2M, and policy-driven workload identity

Standards matter because they make machine identity portable and auditable. SPIFFE provides cryptographic workload identity with short-lived SVIDs, while machine-to-machine OpenID Connect and similar frameworks help broker identity between services across environments. The architectural aim is to replace static secrets with verifiable identity and policy-driven authorization that can be enforced consistently across clouds. That does not remove the need for governance. It gives governance a more stable substrate by tying access decisions to identity, attestation, and runtime context instead of shared secrets that drift out of control.

Practical implication: prefer standards-based workload identity patterns over static shared secrets wherever the platform supports them.

Threat narrative

Attacker objective: The objective is to turn a trusted machine identity into persistent access that can read data, execute code, or pivot into adjacent systems.

1. Entry begins when long-lived machine credentials, such as public repo keys or weakly controlled OAuth app access, give an attacker or rogue workflow a usable identity foothold.
2. Escalation follows when that identity is over-privileged or poorly scoped, allowing lateral movement, data access, or code execution beyond its intended purpose.
3. Impact arrives as remote code execution, exposed task data, leaked SQL tables, or other downstream abuse that turns blind trust in NHIs into broad environment compromise.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Blind trust in NHIs is now a programme design flaw, not a tuning issue. The article is right to frame over-privilege and invisible machine activity as a governance problem, because NHIs are now spread across production, development, user domains, and AI workflows. Once identity is granted to systems that move faster than human review cycles, the old assumption that machine access can be trusted by default stops holding. Practitioners should treat NHI visibility as the prerequisite to every other control decision.

Lifecycle management is the control plane that most NHI programmes still underbuild. The article’s sequence of discovery, objectives, metrics, standards, process, and ownership is structurally sound because it maps identity governance to the full lifecycle of machine access. That lifecycle includes creation, scoping, rotation, monitoring, and decommissioning. The implication is that NHI security fails when organisations treat secrets as technical artifacts instead of governed identities with owners, states, and retirement criteria.

Identity blast radius is the right concept for machine identity risk. When an NHI is over-privileged, the key question is not whether it exists, but how far it can move if compromised or misused. That makes scope, segmentation, and authorization telemetry more useful than raw identity counts. Practitioners should focus on limiting the blast radius of each workload and agent, because the cost of one compromised identity is driven by reachable systems, not inventory size alone.

Standards reduce variance, but they do not replace governance. SPIFFE, OIDC machine-to-machine patterns, and similar frameworks make workload identity more portable and cryptographically strong, yet they still depend on ownership, policy design, and auditability. The article correctly treats standards as scaffolding rather than an end state. Security teams should use them to make NHI control repeatable across platforms, not as evidence that the governance problem is solved.

Machine identity security is now a shared IAM, security, and platform responsibility. The leadership vacuum described in the article is a sign that ownership models have not kept pace with where identities are created and consumed. Security teams define risk, IAM teams govern issuance and policy, and platform teams implement and operate the controls. Practitioners should close the gap by assigning explicit accountability for NHI lifecycle outcomes, not just for tooling.

From our research:

• 1.5 million customers, 40,000 partners, 2,500 internal users, and more than 4,500 services and workloads illustrate how quickly identity sprawl can outpace visibility, according to The State of Non-Human Identity Security.
• Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
• For a broader governance lens, see the Ultimate Guide to NHIs for how lifecycle, rotation, and access reviews fit together across machine identities.

What this signals

Identity sprawl is now the signal to watch, not just secret leakage. When one environment already spans millions of external users, thousands of internal users, and thousands of services, the control problem becomes one of ownership and scope, not just credential hygiene. Teams that cannot maintain a living inventory will struggle to enforce least privilege across workloads and agents. The next governance step is to treat visibility as an operating metric, not a periodic project.

The strongest programmes will separate workload identity from static secret management and make lifecycle ownership explicit across security, IAM, and platform teams. That shift aligns well with the Guide to SPIFFE and SPIRE, where cryptographic workload identity and attestation reduce reliance on shared secrets. Practitioners should expect policy enforcement to move closer to runtime identity rather than stay embedded only in provisioning workflows.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, the market is signalling that machine identity governance is becoming a programme category rather than a feature add-on. The organisations that move first will be the ones that can prove scope, rotation, and revoke discipline across their full identity estate.

For practitioners

• Map every NHI domain into one inventory Include production service accounts, CI/CD secrets, OAuth applications, certificates, and AI agents in the same discovery process so owners, scopes, and runtime locations are visible in one place.
• Set lifecycle metrics that expose weak controls Track percentage of scoped short-lived credentials, time-to-revoke for compromised identities, orphaned account cleanup, and rotation coverage so governance decisions are based on measurable exposure.
• Replace static secrets with standards-based workload identity Use SPIFFE, OIDC machine-to-machine patterns, or equivalent cryptographic identity approaches where platforms support them, and reserve shared secrets for the smallest possible exception set.
• Assign ownership across security, IAM, and platform teams Document who approves issuance, who enforces policy, who rotates credentials, and who decommissions identities so lifecycle failure has a named owner rather than a shared assumption.

Key takeaways

• Non-human identity risk is driven by invisible ownership, broad scope, and lifecycle gaps rather than by identity count alone.
• The evidence points to a persistent maturity gap, with machine identities often governed less rigorously than human identities and tied to breach activity.
• The practical response is to unify discovery, standards, metrics, and ownership so every machine identity has a defined lifecycle and accountable controller.

Key terms

• Non-Human Identity: A non-human identity is any identity used by software, infrastructure, or an automated workload rather than a person. That includes service accounts, API keys, tokens, certificates, and AI agents. Governance must cover issuance, scope, rotation, monitoring, and retirement because these identities can act at machine speed and often persist longer than intended.
• Identity blast radius: Identity blast radius is the amount of damage an identity can cause if it is misused or compromised. For NHIs, the measure depends on what systems the identity can reach, what data it can read, and whether it can execute privileged actions. Reducing blast radius means narrowing scope, segmenting access, and shortening credential lifetime.
• Workload identity: Workload identity is the machine-readable identity assigned to a service, container, or other software workload so it can authenticate and be authorised without shared secrets. In mature environments, workload identity is cryptographically verifiable, short-lived, and tied to policy and attestation rather than static credentials that drift out of control.
• NHI lifecycle governance: NHI lifecycle governance is the set of controls that manage a machine identity from creation through retirement. It includes ownership, access scoping, rotation, monitoring, recertification, and decommissioning. The point is to treat each identity as an asset with a state and an accountable controller, not as a disposable configuration artifact.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Cerbos: securing non-human identities in modern tech stacks. Read the original.