TL;DR: C1’s selection to the 2026 Fortune Cyber 60 comes as the company says it manages millions of identities, reduces IT effort on access requests by up to 95%, and extends governance to non-human and AI identities as identity counts rise 100x, according to ConductorOne. The real signal is that identity programmes are being pushed toward automation, broader lifecycle coverage, and machine identity governance at the same time.
At a glance
What this is: C1’s Fortune Cyber 60 placement reflects a broader market shift toward AI-native identity governance across human, non-human, and AI identities.
Why it matters: IAM teams need to treat this as a signal that governance models are being evaluated on automation, lifecycle coverage, and NHI reach, not just human access workflows.
By the numbers:
- C1 says it reduces IT effort on access requests by up to 95%.
- C1 says identity counts skyrocket 100x with the rise of automation and AI.
Context
AI-native identity governance is the idea that access requests, reviews, lifecycle events, and policy decisions are handled with more automation and broader context than traditional IAM workflows provide. In this case, the vendor is using its Fortune Cyber 60 placement to argue that enterprises are moving toward identity programmes that span human, non-human, and AI identities at scale.
The practical issue for practitioners is not the award itself, but what it signals about operating model pressure. Identity teams are being asked to govern far more identities, reduce manual effort, and extend controls into NHI and AI agent domains without weakening review, approval, or least-privilege discipline.
Key questions
Q: How should IAM teams respond when identity governance moves toward AI-native automation?
A: They should redesign governance around decision quality, not workflow volume. That means separating low-risk, repeatable access actions from high-risk approvals, preserving evidence for every automated decision, and keeping human review where business context matters. The goal is to reduce manual effort without turning automation into unexamined access drift.
Q: Why do non-human identities need separate governance from human users?
A: Because service accounts, API keys, tokens, and certificates do not behave like people. They are created for systems, often outnumber human users, and can keep working long after the original business need has changed. Separate ownership, lifecycle state, and retirement controls are needed to stop stale access from persisting.
Q: What breaks when access reviews are used as the main control for machine identities?
A: Review cycles often assume the identity is stable, visible, and easy to map to a business owner. Machine identities change faster than review cadences, and many have weak ownership or poor inventory quality. That creates a control gap where privileged access can remain active without being meaningfully re-evaluated.
Q: Should organisations prioritise lifecycle automation or access-request automation first?
A: Lifecycle automation usually comes first if the environment already has large volumes of stale or poorly owned machine identities. Access-request automation helps efficiency, but it does not solve the deeper risk of orphaned credentials and forgotten entitlements. Prioritise the control that reduces persistent exposure in your highest-risk identity population.
Technical breakdown
AI-native identity governance and policy automation
AI-native identity governance describes identity control flows where request handling, review routing, and policy enforcement are automated with contextual signals rather than handled manually case by case. In practice, that shifts identity management from ticket-centric administration toward policy-driven orchestration across apps and infrastructure. The key design point is not speed alone, but whether automation preserves decision quality, auditability, and least privilege. When the platform claims to unify requests, reviews, lifecycle, and policy automation, the architectural question is how those functions are tied together without creating blind spots in exception handling, delegated approvals, or entitlement drift.
Practical implication: map which identity decisions can be automated safely and which still require explicit human review and evidence.
Non-human identity lifecycle control at enterprise scale
Non-human identity governance covers service accounts, API keys, tokens, certificates, and workload identities that behave differently from people but still need ownership, scoping, review, and offboarding. The difficulty at scale is not simply inventory, but keeping entitlements current as workloads, pipelines, and integrations change faster than manual governance processes. A platform that claims lifecycle coverage for NHIs is really addressing the operational gap between identity creation and identity retirement, where stale access, unused credentials, and hidden dependencies accumulate. That is the zone where over-privilege and dormant access usually persist longest.
Practical implication: tie every NHI to an owner, a lifecycle state, and a retirement path that can be enforced automatically.
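A lifecycle audit over an NHI inventory can enforce that owner, state, and retirement-path rule mechanically. The sketch below is an added example, not ConductorOne's or NHIMG's code; the field names, state values, 90-day dormancy threshold, and sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class NHI:
    id: str
    kind: str                  # service_account, api_key, token, certificate
    owner: Optional[str]       # accountable human or team
    state: str                 # assumed states: active, suspended, retired
    last_used: Optional[date]
    retire_by: Optional[date]  # the documented retirement path

def audit(inventory, today, stale_days=90):
    """Return {id: [findings]} for every identity that breaks a lifecycle rule."""
    cutoff = today - timedelta(days=stale_days)
    report = {}
    for n in inventory:
        if n.state == "retired":
            continue  # already offboarded, nothing left to enforce
        findings = []
        if not n.owner:
            findings.append("no-owner")
        if n.retire_by is None:
            findings.append("no-retirement-path")
        elif n.retire_by < today:
            findings.append("past-retirement")
        if n.last_used is None or n.last_used < cutoff:
            findings.append("dormant")
        if findings:
            report[n.id] = findings
    return report

def auto_suspend(report):
    """Ids safe to suspend automatically; the rest go to a human owner."""
    return sorted(i for i, f in report.items()
                  if "past-retirement" in f or {"no-owner", "dormant"} <= set(f))

# Constructed sample inventory (not real data).
TODAY = date(2025, 10, 30)
INVENTORY = [
    NHI("svc-billing", "service_account", "payments-team", "active", date(2025, 10, 29), date(2026, 6, 30)),
    NHI("key-ci-old", "api_key", None, "active", date(2025, 3, 1), None),
    NHI("cert-gw", "certificate", "netops", "active", date(2025, 10, 1), date(2025, 9, 30)),
    NHI("tok-etl", "token", "data-eng", "active", None, date(2026, 1, 31)),
    NHI("svc-legacy", "service_account", None, "retired", date(2024, 1, 1), date(2024, 2, 1)),
]

if __name__ == "__main__":
    report = audit(INVENTORY, TODAY)
    print(report, auto_suspend(report))
```

Identities that are dormant but still have an owner, such as `tok-etl` here, are reported without being suspended, which keeps the human decision where business context matters.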
Just-in-time access and access reviews across mixed identity types
Just-in-time access and access reviews solve different problems. JIT reduces standing privilege by provisioning access only when it is needed, while access reviews test whether existing access still has a valid business reason. In mixed environments, both must work across human, service, and AI-driven identities without assuming that the review rhythm for people is enough for machine identities. The technical challenge is policy consistency across identity classes, not identical handling. If the governance platform spans all three, the control model has to preserve evidence, scope, and delegation context for each actor type.
Practical implication: separate JIT policy design from review cadence design, then validate both against each identity class you govern.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
AI-native identity governance is becoming the control plane conversation, not just a product claim. C1’s recognition matters because the market is rewarding platforms that reduce manual identity work while extending governance across human, NHI, and AI identities. That reflects a real operational shift: identity teams are being measured on scale, automation, and breadth of coverage, not only on access administration. The practitioner conclusion is that governance operating models now need to be designed for mixed identity populations from the start.
Non-human identity governance is no longer a sidecar to human IAM. The article explicitly ties future identity growth to automation and AI, which is the right framing for modern enterprises. NHIs outnumber people in many environments, and lifecycle gaps on service accounts, keys, and tokens tend to create the longest-lived exposure. The practitioner conclusion is that NHI lifecycle coverage must be treated as core identity governance, not a specialised adjunct.
Automation pressure exposes the limits of review-first identity programmes. When a platform says it can cut access-request effort by 95%, the underlying market message is that manual workflows do not scale to identity sprawl. That does not remove the need for review, approval, or audit evidence. It does mean practitioners should separate high-volume entitlement handling from high-risk decisions and stop using the same process for both. The practitioner conclusion is to redesign governance by risk tier, not by legacy ticket flow.
Identity counts rising 100x creates a governance burden that traditional staffing models cannot absorb. That growth profile changes the economics of entitlement control, recertification, and offboarding. It also sharpens the case for policy automation, because the real constraint becomes throughput rather than policy intent. The practitioner conclusion is to benchmark identity operations against scale assumptions, not just control completeness.
Fine-grained lifecycle governance now has to span identity classes that behave differently. Human users, service accounts, and AI identities do not share the same persistence, review cadence, or ownership model. The governance assumption that one lifecycle workflow fits all is already breaking under hybrid identity estates. The practitioner conclusion is to model lifecycle controls by actor type and to validate where existing IAM process maps fail to represent non-human and autonomous behaviour.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how incomplete NHI inventory still is in practice.
- For deeper lifecycle context, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for offboarding, rotation, and governance coverage.
What this signals
AI-native identity programmes will be judged on operational throughput as much as policy design. If access requests and reviews still depend on manual handling, the programme will struggle as identity counts rise and automation expands. Practitioners should expect leadership to ask whether governance can scale without increasing risk, especially where human and non-human identities share the same control plane.
Non-human identity ownership will become a board-visible control issue. The gap is no longer whether NHIs exist, but whether each one has a clear owner, a lifecycle state, and a revocation path that can survive organisational churn. With 96% of organisations storing secrets outside secrets managers in vulnerable locations, according to our Ultimate Guide to NHIs, hidden credentials remain a structural risk rather than a niche hygiene problem.
For practitioners
- Separate human and non-human governance flows: Inventory where access requests, recertification, and offboarding still use the same workflow for people and machine identities. Split service accounts, tokens, and certificates into identity classes with distinct owners, review triggers, and retirement criteria.
- Measure automation against governance quality: Do not accept automation claims without checking approval integrity, evidence capture, and exception handling. Use access-request volume, review completion time, and false-positive approvals as separate metrics.
- Tie NHI lifecycle to business ownership: Assign accountable owners to every non-human identity and require a documented retirement path for credentials that outlive projects, applications, or integrations. Hidden ownership is what allows dormant access to persist.
- Rework least-privilege policy for scale: Define how policy-based access is enforced across millions of identities without relying on static role expansion. Start with high-risk entitlements, then validate whether policy automation reduces standing privilege instead of preserving it in a new form.
Key takeaways
- C1’s Cyber 60 recognition points to a broader market move toward automated identity governance across human, non-human, and AI populations.
- The operational pressure is scale, with identity growth and manual effort forcing IAM teams to rethink how lifecycle and access control are delivered.
- Practitioners should redesign governance by identity class and risk tier, or automation will simply accelerate old workflow problems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Automation and lifecycle control are directly tied to NHI credential rotation and governance. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and entitlement management are central to the article's governance theme. |
| NIST Zero Trust (SP 800-207) | AC-4 | The post focuses on continuous access governance across mixed identities. |
Apply zero-trust policy enforcement to both human and machine identities with continuous verification.
Key terms
- AI-native identity governance: Identity governance that uses automation and contextual policy to handle requests, reviews, lifecycle, and access decisions at scale. The emphasis is on reducing manual work without weakening evidence, ownership, or least-privilege discipline across human and non-human identities.
- Non-human identity lifecycle: The managed lifecycle of service accounts, API keys, tokens, certificates, and workload identities from creation through retirement. In practice, it requires ownership, periodic review, rotation where needed, and reliable offboarding so credentials do not outlive their business purpose.
- Just-in-time access: A provisioning pattern that grants access only when it is needed and removes it after the task is complete. For non-human and AI-driven environments, the control must be tied to actor type, scope, and audit evidence so ephemeral privilege does not become hidden standing access.
- Access review: A governance process that checks whether existing access is still justified by business need. For machine identities, the review must account for faster change rates, weaker ownership, and shorter operational lifecycles than human user access, or the review becomes a paper exercise.
This post draws on content published by ConductorOne: C1 named to the Fortune Cyber 60 list of top venture-backed cybersecurity companies. Read the original.
Published by the NHIMG editorial team on 2025-10-30.