By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Breaches & Incidents
Source: Apono

TL;DR: CrowdStrike’s acquisition of SGNL reflects a broader consolidation trend as security platforms move to close identity and access gaps for cloud and AI systems, while Apono argues that static roles and periodic reviews no longer scale. The real issue is that access decisions must now adapt continuously across humans, NHIs, and AI-driven actors.


At a glance

What this is: An independent analysis of CrowdStrike’s SGNL acquisition and the growing shift toward dynamic identity authorization for cloud, NHI, and AI workloads.

Why it matters: IAM, PAM, and NHI teams now have to treat continuous access decisions and AI-era governance as one control problem, not separate projects.

By the numbers:

  • 150:1 is the estimated ratio of non-human identities to human identities, which is the scale the governance problem has to absorb.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

👉 Read Apono's analysis of the CrowdStrike and SGNL acquisition context


Context

Identity security has moved from a narrow access-management concern to a core cloud and AI control problem. Static roles, quarterly reviews, and coarse permissions were built for slower environments, but modern infrastructure changes continuously and often without stable human oversight. CrowdStrike’s SGNL acquisition is a signal that vendors are now competing around that control plane.

The article’s central argument is that access decisions must become dynamic, contextual, and risk-aware across human identities, non-human identities, and AI-driven actors. That framing is relevant to IAM, PAM, IGA, and NHI governance because the same control assumptions are breaking at once: access is no longer stable, identities are no longer mostly human, and authority is no longer always human-paced.


Key questions

Q: How should teams govern access when cloud and AI workloads change too fast for static roles?

A: Teams should move from assignment-time thinking to runtime authorization. That means evaluating current context, task scope, and risk before access is used, then revoking it as soon as the task is complete. Static roles still matter for structure, but they cannot be the only control if workloads and AI actions change continuously.

Q: Why do non-human identities create more governance pressure than human accounts?

A: Non-human identities scale faster, change more frequently, and are often distributed across tools that sit outside the main identity provider. That combination makes lifecycle control, visibility, and privilege review much harder. The risk is not that NHIs are mysterious, but that they are easy to accumulate and hard to govern consistently.

Q: What breaks when access reviews are still tied to periodic certification cycles?

A: Periodic reviews miss access that is granted, used, and retired between review windows. They also encourage stale entitlements to persist because teams certify what exists instead of what is actually needed. In fast-changing environments, review cycles become an audit of history rather than a control over current risk.

Q: Who is accountable when AI or machine identities act outside intended scope?

A: Accountability stays with the organisation that owns the identity, the policy, and the data path. Vendors may provide infrastructure or models, but the enterprise still controls authorisation boundaries and operational guardrails. If those are missing, the programme owner cannot treat AI or machine behaviour as an external problem.


Technical breakdown

Why static roles stop working in cloud and AI environments

Static roles assume that privilege can be defined once and reviewed later, but cloud workloads and AI-driven systems change too quickly for that model. In practice, permissions drift as resources multiply, usage patterns shift, and access paths become more granular. The result is that coarse access models either over-grant to preserve uptime or lag behind actual operational need. Dynamic authorization replaces the old provisioning mindset with decisions that consider context, task scope, and current risk at the moment access is used, not when it was first assigned.

Practical implication: teams should stop measuring access only at assignment time and start measuring whether permissions still match current usage.
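The usage check that practical implication calls for, as an added example written for this page rather than code from Apono or the original article: it compares each identity's granted actions with the actions actually seen in an audit log over a review window and reports what was granted but never exercised. The entitlements, identities and log lines are constructed for the example, and the log shape (actor, action, timestamp) is only loosely modelled on cloud audit logs, not any vendor's schema.

```python
"""Added example for this page: permission drift = granted minus observed use.
Illustrative code, not Apono's, CrowdStrike's or SGNL's software. Entitlements,
identities and log lines are constructed."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed entitlement model: identity -> granted actions. Wildcards stand
# for the coarse, role-style grants the article calls "static roles".
GRANTS = {
    "svc-billing-export": {"s3:GetObject", "s3:PutObject", "s3:ListBucket",
                           "kms:Decrypt", "iam:PassRole"},
    "agent-ticket-triage": {"tickets:Read", "tickets:Update", "tickets:Delete",
                            "users:*"},
    "ci-deployer-legacy": {"ecs:UpdateService", "ecs:DescribeServices"},
}

# Constructed audit log: (identity, action, ISO-8601 timestamp).
USAGE_LOG = [
    ("svc-billing-export", "s3:GetObject", "2026-01-10T02:00:00"),
    ("svc-billing-export", "s3:ListBucket", "2026-01-10T02:00:01"),
    ("svc-billing-export", "kms:Decrypt", "2026-01-10T02:00:02"),
    ("agent-ticket-triage", "tickets:Read", "2026-01-12T09:15:00"),
    ("agent-ticket-triage", "tickets:Update", "2026-01-12T09:15:30"),
    ("agent-ticket-triage", "users:GetProfile", "2026-01-12T09:16:00"),
    ("ci-deployer-legacy", "ecs:UpdateService", "2025-10-01T12:00:00"),  # outside window
]


def observed_actions(log, since):
    """Return identity -> set of actions seen at or after `since`."""
    seen = {}
    for identity, action, ts in log:
        if datetime.fromisoformat(ts) >= since:
            seen.setdefault(identity, set()).add(action)
    return seen


def drift_report(grants, log, now, window_days=60):
    """Per identity: granted actions never exercised inside the window.

    A wildcard grant counts as 'used' if any observed action matches it, which
    is exactly how coarse grants hide the gap between needed and granted: one
    users:GetProfile call keeps the whole users:* grant alive.
    Returns identity -> {"unused": [...], "drift_ratio": float, "dormant": bool}.
    """
    since = now - timedelta(days=window_days)
    seen = observed_actions(log, since)
    report = {}
    for identity, granted in grants.items():
        used = seen.get(identity, set())
        unused = sorted(g for g in granted
                        if not any(fnmatchcase(a, g) for a in used))
        report[identity] = {
            "unused": unused,
            "drift_ratio": round(len(unused) / len(granted), 2) if granted else 0.0,
            "dormant": not used,  # holds access but was silent all window
        }
    return report


def example_report():
    """Run the drift check over the constructed data as of 2026-01-15."""
    return drift_report(GRANTS, USAGE_LOG, datetime(2026, 1, 15))


if __name__ == "__main__":
    for identity, row in example_report().items():
        flag = "DORMANT" if row["dormant"] else f"drift={row['drift_ratio']}"
        print(f"{identity:22} {flag:12} unused={row['unused']}")
```

Two outputs matter operationally: a dormant identity (granted, never used in the window) is a removal candidate, and a non-zero drift ratio on a live identity is the right-sizing backlog. The wildcard behaviour is the caveat: the check can only shrink a `users:*` grant to what was observed if the log records individual actions, so coarse logging and coarse grants hide drift together.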

How continuous authorization changes NHI governance

Non-human identities are predictable in function but massive in scale, which is why they expose weaknesses in manual lifecycle controls so quickly. Service accounts, API tokens, workload identities, and automation often sit outside traditional identity providers, leaving fragmented visibility and broad permissions in place. Continuous authorization does not mean constant human review. It means the system evaluates whether the identity should still act based on task context, business risk, and operational state. That is especially important when access is granted for short-lived machine tasks that should not leave standing privilege behind.

Practical implication: bring NHI entitlements into one governance model and enforce task-scoped access rather than persistent access.

What agentic AI changes about access control

Agentic AI introduces runtime decision-making into the access path, which makes traditional pre-approved access models less reliable. These systems can decide what to query, when to act, and how to proceed across tools and data sources, so the main control problem is no longer just entitlement size. It is whether the governance model can keep pace with decisions made during execution. That means policy has to account for tool use, data reach, and action sequencing in real time. If those decisions are only reviewed after the fact, the control boundary has already failed.

Practical implication: add runtime guardrails around tool use and data reach before autonomous or semi-autonomous workflows are allowed to scale.
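A runtime guardrail of the kind this passage describes, as an added example written for this page and not part of any vendor's agent framework: a policy enforcement point that every proposed tool call passes through before it executes, checking tool scope, data reach and action sequencing against the current task. The tool catalogue, task scope, data labels and the sample plan are constructed for the example.

```python
"""Added example for this page, not any vendor's agent framework: a policy enforcement
point in front of an AI agent's tool calls. Tools, scope, labels and plan are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TaskScope:
    task_id: str
    allowed_tools: frozenset        # tools this task may invoke at all
    allowed_data_labels: frozenset  # data classifications the task may reach
    max_write_actions: int          # hard cap on state-changing calls per task
    require_read_before_write: bool = True  # sequencing rule: no blind writes


# Constructed tool catalogue: tool -> (side effect, data label it touches).
TOOL_CATALOGUE = {
    "crm.search_customer": ("read", "pii:customer"),
    "crm.update_note": ("write", "pii:customer"),
    "crm.delete_customer": ("write", "pii:customer"),
    "finance.export_ledger": ("read", "financial:restricted"),
    "web.fetch": ("read", "public"),
}


@dataclass
class Session:
    scope: TaskScope
    reads: set = field(default_factory=set)    # record ids read so far in this task
    writes: int = 0
    audit: list = field(default_factory=list)  # every decision, allowed or not


def authorize_tool_call(session, tool, args):
    """Decide one proposed call before it runs; returns (allowed, reason)."""
    scope, target = session.scope, args.get("record_id")
    if tool not in TOOL_CATALOGUE:
        decision = (False, "unknown tool")
    elif tool not in scope.allowed_tools:
        decision = (False, f"{tool} is outside the task's tool scope")
    else:
        effect, label = TOOL_CATALOGUE[tool]
        if label not in scope.allowed_data_labels:
            decision = (False, f"data label {label} is outside the task's reach")
        elif effect == "write" and session.writes >= scope.max_write_actions:
            decision = (False, "write budget for this task is exhausted")
        elif (effect == "write" and scope.require_read_before_write
              and target not in session.reads):
            decision = (False, f"write to {target} without a prior read in this session")
        else:
            decision = (True, "ok")
    allowed, reason = decision
    session.audit.append({"task": scope.task_id, "tool": tool, "args": args,
                          "allowed": allowed, "reason": reason})
    if allowed:  # only calls that actually run advance the session state
        effect, _ = TOOL_CATALOGUE[tool]
        if effect == "read" and target:
            session.reads.add(target)
        elif effect == "write":
            session.writes += 1
    return decision


def run_plan(scope, plan):
    """Push a plan through the guardrail. Denied calls are skipped (a real agent
    would re-plan); returns (executed tool names, [(tool, reason)] for denials)."""
    session = Session(scope)
    executed, denied = [], []
    for tool, args in plan:
        allowed, reason = authorize_tool_call(session, tool, args)
        if allowed:
            executed.append(tool)
        else:
            denied.append((tool, reason))
    return executed, denied


TRIAGE_SCOPE = TaskScope(
    task_id="triage-4471",
    allowed_tools=frozenset({"crm.search_customer", "crm.update_note", "web.fetch"}),
    allowed_data_labels=frozenset({"pii:customer", "public"}),
    max_write_actions=2,
)

# Constructed plan an agent might propose for the triage task.
SAMPLE_PLAN = [
    ("crm.search_customer", {"record_id": "C-1001"}),
    ("crm.update_note", {"record_id": "C-1001", "text": "customer called about invoice"}),
    ("crm.update_note", {"record_id": "C-2002", "text": "wrong record"}),  # never read it
    ("finance.export_ledger", {}),                                        # outside scope
    ("crm.delete_customer", {"record_id": "C-1001"}),                      # not allowed
    ("web.fetch", {"url": "https://example.com/status"}),
]


def example_run():
    return run_plan(TRIAGE_SCOPE, SAMPLE_PLAN)
```

The design point is that the check runs on each call in the order the agent proposes them, so sequencing rules (no write to a record the session has not read, a write budget per task) are enforceable at all; the same rules cannot be enforced by reviewing the transcript afterwards. The audit list is the evidence of what the agent tried, including the denials, which is what an investigator needs when the agent later turns out to have been steered.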


Threat narrative

Attacker objective: The objective is to gain durable, operationally useful access that survives beyond the original task and can be reused for broader system impact.

  1. Entry occurs when cloud, NHI, or AI-driven systems inherit broad access that was created for earlier, slower operating models.
  2. Escalation follows when over-broad privilege, fragmented visibility, or standing access lets the identity move beyond the task that justified the grant.
  3. Impact emerges when access decisions lag behind real activity, allowing cloud or AI workflows to act outside intended control boundaries.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Dynamic authorization is now an identity governance requirement, not an optimization. Static roles and periodic access reviews were designed for systems where privilege changed slowly enough to be certified after the fact. That assumption no longer holds in cloud environments where access paths shift continuously. The implication is that identity governance must be evaluated by how well it follows runtime usage, not by how neatly it documents old entitlements.

Identity security consolidation reflects a control-plane problem, not a feature race. The market is converging because security platforms are trying to cover the same missing layer: continuous decisions over who or what can act, when, and under what context. That makes privileged access, NHI governance, and AI-era authorization part of the same operational discipline. Practitioners should expect platform consolidation to pressure existing tool boundaries and governance ownership.

Access review processes assume access persists long enough to be reviewed. That assumption was built for human-paced certification cycles and weakens as AI enters the stack: it fails when identities can be granted, used, and discarded at machine speed, or when decision paths are created during execution. The implication is not just more automation, but a rethink of what evidence of access should exist at all.

Ephemeral credential trust debt: temporary access does not remove governance burden when the surrounding lifecycle remains unmanaged. Short-lived permissions still create exposure if the identity, data path, or approval context cannot be traced end to end. Practitioners should treat the lack of lifecycle clarity as an accumulating control debt, not as a lower-risk exception.

AI-ready access governance will be judged by runtime containment. The organisations that will cope best are those that can align access with task scope, review context in real time, and revoke authority as soon as the action is complete. That is the practical standard now emerging for human, NHI, and AI-driven identity programmes.

From our research:

  • The ratio of non-human identities to humans is now estimated at roughly 150:1, according to Ultimate Guide to NHIs.
  • Only about 15% of organisations (1.5 in 10) are highly confident in their ability to secure NHIs, compared with nearly 25% (1 in 4) for securing human identities.
  • Top 10 NHI Issues is the right next step if you need the failure patterns behind that confidence gap.

What this signals

Ephemeral credential trust debt: short-lived access is not the same as governed access. If the surrounding owner, scope, and revocation path remain unclear, organisations simply move the risk from persistent privilege into a harder-to-see operational debt that will surface later in incident response.

The practical signal for IAM and NHI teams is that access reviews, secret handling, and workload identity governance are converging into one operating model. The organisations that can prove current access, current owner, and current purpose across every actor type will have a better chance of containing AI-era drift than those that still certify entitlements in isolation.

As identity becomes the control plane for cloud and AI systems, programme maturity will be measured by how quickly teams can turn context into decisions. That is why guidance on the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 remains useful: it anchors governance in measurable control functions rather than in static role assumptions.


For practitioners

  • Re-baseline access models around runtime decisions Review whether your current roles, entitlements, and approvals still assume a slow-moving environment. If they do, separate static identity provisioning from task-time authorization and make current usage the primary control signal.
  • Pull NHIs into a single governance inventory Consolidate service accounts, API tokens, workload identities, and automation into one inventory with owners, expiry rules, and review cadence. Fragmented visibility is the fastest path to standing privilege and hidden lateral movement.
  • Define control points for AI-driven access paths Map where agentic systems can choose tools, access data, and continue execution without human approval. Then place policy checks before those actions, not only after execution has finished.
  • Use task scope to replace standing privilege Grant access only for the duration of a specific operational task and tie revocation to task completion, not calendar time. That reduces over-broad machine access while giving teams a cleaner audit trail.
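The four steps above, together with the runtime-authorization answer under Key questions and the ephemeral-credential point in the analysis, come together in one added example written for this page (not Apono's or any vendor's product logic): a broker that issues task-scoped grants only to inventoried identities that have an owner, checks them at use time, revokes them on task completion or TTL expiry, and can report current access, owner and purpose at any instant. Identities, task ids, approver references and clock values are constructed.

```python
"""Added example for this page, not Apono's or any vendor's product logic: task-scoped,
expiring grants issued only to inventoried machine identities that have an owner.
All identities, task ids, approver references and clock values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class NHIRecord:
    identity: str
    source: str                             # "aws-iam", "idp", "ci", "agent-runtime"
    owner: str                              # accountable team; "" means orphaned
    credential_expires: Optional[datetime]  # None means never expires (a finding)


@dataclass
class Grant:
    grant_id: str
    identity: str
    task_id: str
    purpose: str
    actions: frozenset
    resources: frozenset
    approved_by: str        # approval context travels with the grant
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class AccessBroker:
    """Issues task-scoped grants and re-checks them at use time, not assignment time."""
    def __init__(self, inventory):
        self.inventory = {r.identity: r for r in inventory}
        self.grants = {}
        self.audit = []  # (event, grant_id, identity, detail, timestamp)

    def issue(self, identity, task_id, purpose, actions, resources, approved_by, now, ttl_min):
        rec = self.inventory.get(identity)
        if rec is None or not rec.owner:  # nobody answers for it: refuse rather than grant
            raise PermissionError(f"{identity}: not in inventory or has no owner")
        g = Grant(f"g-{len(self.grants) + 1}", identity, task_id, purpose, frozenset(actions),
                  frozenset(resources), approved_by, now + timedelta(minutes=ttl_min))
        self.grants[g.grant_id] = g
        self.audit.append(("issue", g.grant_id, identity, f"{task_id} by {approved_by}", now))
        return g

    def live(self, now):
        """Grants able to act right now; expiry is enforced here, not by a later sweep."""
        return [g for g in self.grants.values() if g.revoked_at is None and now < g.expires_at]

    def authorize(self, identity, action, resource, now):
        """Use-time check: a live grant must cover both the action and the resource."""
        for g in self.live(now):
            if g.identity == identity and action in g.actions and resource in g.resources:
                self.audit.append(("use", g.grant_id, identity, f"{action} {resource}", now))
                return True, g.grant_id
        self.audit.append(("deny", None, identity, f"{action} {resource}", now))
        return False, None

    def complete_task(self, task_id, now):
        """Revoke every live grant for the task the moment it finishes; returns the count."""
        done = [g for g in self.live(now) if g.task_id == task_id]
        for g in done:
            g.revoked_at = now
            self.audit.append(("revoke", g.grant_id, g.identity, "task completed", now))
        return len(done)

    def current_access(self, now):
        """Who can act right now, for which task and purpose, and who owns the identity."""
        return [{"identity": g.identity, "owner": self.inventory[g.identity].owner,
                 "task": g.task_id, "purpose": g.purpose} for g in self.live(now)]

    def inventory_findings(self):
        rows = self.inventory.values()
        return {"orphaned": sorted(r.identity for r in rows if not r.owner),
                "non_expiring": sorted(r.identity for r in rows if r.credential_expires is None)}


def example_scenario():
    """Constructed walk-through; returns the observations a reviewer would check."""
    t0 = datetime(2026, 1, 15, 2, 0)
    m = lambda minutes: t0 + timedelta(minutes=minutes)
    broker = AccessBroker([
        NHIRecord("svc-billing-export", "aws-iam", "payments-platform", datetime(2026, 6, 1)),
        NHIRecord("agent-ticket-triage", "agent-runtime", "support-eng", None),
        NHIRecord("ci-deployer-legacy", "ci", "", None),
    ])
    out = {}
    broker.issue("svc-billing-export", "billing-run-2026-01", "nightly export",
                 {"s3:GetObject", "kms:Decrypt"}, {"s3://billing-raw/"}, "change-7781", t0, 30)
    out["in_scope"] = broker.authorize("svc-billing-export", "s3:GetObject", "s3://billing-raw/", m(5))[0]
    out["out_of_scope"] = broker.authorize("svc-billing-export", "s3:PutObject", "s3://billing-raw/", m(5))[0]
    out["revoked_on_completion"] = broker.complete_task("billing-run-2026-01", m(8))
    out["after_completion"] = broker.authorize("svc-billing-export", "s3:GetObject", "s3://billing-raw/", m(10))[0]
    try:
        broker.issue("ci-deployer-legacy", "deploy-991", "hotfix", {"ecs:UpdateService"}, {"svc/api"}, "change-7790", t0, 15)
        out["orphan_refused"] = False
    except PermissionError:
        out["orphan_refused"] = True
    # A task that never signals completion still loses access when its TTL runs out.
    broker.issue("agent-ticket-triage", "triage-4471", "ticket triage", {"tickets:Read"}, {"tickets/*"}, "runbook-triage", t0, 15)
    out["after_ttl"] = broker.authorize("agent-ticket-triage", "tickets:Read", "tickets/*", m(20))[0]
    out["standing_after_ttl"] = len(broker.current_access(m(20)))
    out["findings"] = broker.inventory_findings()
    return out
```

Three behaviours carry the governance point. A grant is refused outright for an identity with no owner, because a short-lived credential nobody answers for is exactly the trust debt the analysis describes. Revocation is tied to task completion first and to the TTL second, so a job that crashes without signalling completion still leaves no standing privilege. And `current_access` answers the question the page says programmes will be judged on (current access, current owner, current purpose) from live grants rather than from a certification snapshot.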

Key takeaways

  • Identity security is shifting from periodic administration to continuous control over runtime access decisions.
  • The scale of non-human identities makes fragmented visibility and standing privilege a structural governance problem, not an edge case.
  • Practical readiness now depends on task-scoped authorization, lifecycle clarity, and runtime containment across human, NHI, and AI-driven actors.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | The article centres on persistent privilege and lifecycle drift in machine identities.
NIST CSF 2.0 | PR.AA-05 (numbered PR.AC-4 in CSF 1.1) | Continuous access decisions align with the requirement that permissions, entitlements, and authorizations be managed, enforced, and reviewed under least privilege in fast-changing environments.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, access determined by dynamic policy | Dynamic authorization mirrors zero trust assumptions about continuous verification.

Map service accounts and tokens to NHI5:2025 and NHI7:2025 and reduce standing access before review cycles hide drift.


Key terms

  • Dynamic Authorization: Dynamic authorization is the practice of deciding access at the moment it is needed using current context, risk, and task scope. It replaces one-time permission grants with decisions that can change as systems, usage, and identity behaviour change.
  • Standing Privilege: Standing privilege is access that remains active beyond the immediate task or business need that justified it. In NHI and AI environments, it creates hidden blast radius because the identity can continue to act long after the original purpose has passed.
  • Non-Human Identity Lifecycle: Non-human identity lifecycle is the governance process for creating, owning, reviewing, rotating, and retiring machine identities such as service accounts, tokens, and workload credentials. It is the machine equivalent of human joiner-mover-leaver control, but usually at much higher scale and speed.
  • Agentic Access Path: An agentic access path is the sequence of tool calls, data requests, and actions an AI system can take during runtime. It matters because access control is no longer only about who can log in, but about what the system can decide to do next.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.

This post draws on content published by Apono: Why Did CrowdStrike Buy SGNL? It’s all about AI. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org