By NHI Mgmt Group Editorial Team
Published 2025-07-15
Domain: Governance & Risk
Source: SPHERE

TL;DR: As machines, APIs, bots, and IoT devices outnumber human users, SPHERE argues that non-human identities are becoming a primary cybersecurity blind spot, with attackers exploiting weak ownership, poor visibility, and inadequate entitlement oversight. The governance model now has to shift from account inventory to identity intelligence, or NHI risk will keep outrunning conventional IAM controls.


At a glance

What this is: This is SPHERE’s overview of why rapidly expanding non-human identities are creating a governance gap, with visibility, ownership, and entitlement control emerging as the key failure points.

Why it matters: It matters because NHI sprawl affects machine identity, automation, and broader IAM programmes at the same time, and teams cannot govern what they cannot inventory, attribute, or review.

By the numbers:

👉 Read SPHERE's analysis of why exponential NHI growth is exposing governance blind spots


Context

Non-human identity sprawl is a governance problem before it is a tooling problem. When bots, APIs, IoT devices, certificates, SSH keys, and service accounts are left outside standard identity workflows, organisations lose the ability to answer basic questions about ownership, entitlement, and accountability.

The result is a structural blind spot across NHI and IAM programmes. Traditional identity models were built around human users and stable lifecycle processes, but machine identities multiply faster, change more frequently, and are often managed inconsistently across platforms and teams.

SPHERE’s article frames that shift clearly: the issue is not simply that NHIs exist in larger numbers, but that they are excluded from the identity practices needed to control them. That is the typical starting position in most enterprises, and it is already outdated.


Key questions

Q: How should security teams govern non-human identities at enterprise scale?

A: Security teams should govern NHIs as a distinct identity population with inventory, ownership, entitlement review, and lifecycle controls. The key is to connect discovery to accountability so every service account, API key, certificate, and bot has a named owner and a defined purpose. Without that link, remediation becomes ad hoc and access risk stays hidden.

Q: Why do non-human identities create more governance risk than human accounts?

A: NHIs create more governance risk because they scale faster, change more often, and are commonly managed outside human-centric IAM processes. Many are embedded in code, pipelines, and integrations, which makes them easier to overlook and harder to offboard. That combination turns ordinary access drift into persistent exposure.

Q: What do organisations get wrong about entitlement reviews for machine identities?

A: They often review the credential holder without checking whether the underlying workload still needs the access. For NHIs, entitlement review has to validate purpose, ownership, and runtime necessity, not just account existence. If the identity survives after the workload changes, the review has missed the actual risk.

Q: How can teams reduce the impact of compromised service accounts and API keys?

A: Teams can reduce impact by shrinking credential scope, rotating secrets on a governed schedule, and revoking unused identities quickly. The objective is to prevent a single compromised NHI from becoming a broad access path. This is where lifecycle discipline matters as much as detection.


Technical breakdown

Why non-human identity sprawl breaks traditional IAM models

Traditional IAM assumes a relatively bounded population of people with recognisable joiner-mover-leaver events and reviewable access patterns. NHIs behave differently. They are created by developers, infrastructure teams, and platforms, often without consistent registration, ownership, or retirement. Because they are embedded in code, pipelines, certificates, and service integrations, they tend to accumulate faster than governance can track them. That creates a control gap where the identity exists, but the organisation cannot reliably enumerate it, assign it, or prove why it still needs access.

Practical implication: build a machine-identity inventory that is tied to ownership and lifecycle state, not just authentication logs.

Certificate, SSH key, and secret management as an NHI control plane

For NHIs, the credential is often the identity. Certificates, SSH keys, tokens, and API keys are not supporting artefacts the way passwords are for many human accounts. They are the mechanism through which a workload proves itself. If those credentials are long-lived, widely distributed, or stored outside managed vaults, the organisation inherits standing access that is hard to detect and harder to revoke. The control plane therefore has to include issuance, storage, rotation, and retirement, not just authentication at the point of use.

Practical implication: treat certificates and keys as governed identities with owners, expiry, and revocation paths.

Identity intelligence is the missing layer for entitlement auditing

Identity intelligence means connecting discovery, ownership mapping, entitlement analysis, and behavioural context into a single governance view. Without that layer, entitlement audits become a point-in-time exercise that misses hidden accounts, orphaned credentials, and overbroad access paths. The article’s emphasis on visibility matters because NHI risk is rarely created by one bad control alone. It usually comes from the combination of unknown identity, unclear responsibility, and unreviewed privilege. In practice, the problem is not just excess access, but unaccountable access.

Practical implication: integrate discovery data with entitlement reviews so every NHI can be traced to a named owner and purpose.


Threat narrative

Attacker objective: The attacker aims to turn unmanaged machine identity into scalable access, persistence, or traffic amplification across digital infrastructure.

  1. Entry begins when attackers target neglected non-human identities such as bots, APIs, or IoT endpoints that are outside normal oversight.
  2. Escalation occurs when exposed or overprivileged machine credentials allow broader access than the identity actually needs.
  3. Impact follows when compromised NHIs are used to amplify attacks, move through infrastructure, or support large-scale disruption such as botnet activity or DDoS.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

NHI governance still fails first at identity discovery, not at detection. The article is right to focus on visibility because you cannot govern what has not been enumerated. In practice, most organisations have partial inventory for service accounts, APIs, certificates, and bots, but no single accountable view across them. That is why entitlement reviews and ownership mapping remain incomplete. Practitioners should treat discovery as the prerequisite control, not an administrative nice-to-have.

Excess NHI privilege is a governance issue before it becomes an incident issue. Over-entitled machine identities create an attack path, but they are also evidence that access assignment is being treated as a technical convenience rather than a governed decision. Once an NHI can authenticate broadly without tight scope, the organisation has already accepted avoidable exposure. Practitioners should reframe privilege analysis around business purpose, not just technical function.

Identity intelligence is the named concept this category needs. It is the combination of discovery, ownership, entitlement auditing, and automation that turns NHI management from a reactive cleanup exercise into a governed programme. The article points in this direction because machine identities require context that classic IAM spreadsheets and manual reviews cannot maintain. Practitioners should make identity intelligence the operating model for machine identity governance.

Machine identity risk is now a cross-domain IAM issue, not a niche infrastructure concern. NHIs touch secrets management, PAM, lifecycle governance, and Zero Trust at the same time. That means the control failure is shared across teams that often report separately and measure success differently. Practitioners should align NHI governance with broader identity operating models, or gaps will keep reappearing at the handoff points.

From our research:

What this signals

Identity intelligence is becoming the practical response to NHI sprawl because discovery alone does not tell you who owns a machine identity, why it exists, or whether it still deserves access. The organisations that mature fastest will connect inventory, entitlement review, and lifecycle state into one operational view.

With 97% of NHIs carrying excessive privileges according to our Ultimate Guide to NHIs, over-entitlement is no longer an edge case. It is the default failure mode that forces security teams to move from reactive cleanup to governed reduction of machine identity blast radius.

For programmes that already have Zero Trust ambitions, the next step is to anchor machine identity work in NIST Cybersecurity Framework 2.0 and the lifecycle guidance in the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs. That combination makes NHI governance measurable instead of aspirational.


For practitioners

  • Inventory all NHIs across infrastructure and application layers: Build a live register for bots, APIs, certificates, service accounts, SSH keys, and IoT identities, then tie each record to a business owner and technical steward.
  • Map every NHI to an entitlement purpose: Require a documented reason for access that explains why the identity exists, what it can reach, and when its access should end.
  • Review privileged machine access on a fixed governance cadence: Use access reviews to identify stale, duplicated, or overbroad NHI entitlements, then remove identities that no longer match an active workload or integration.
  • Treat secrets and certificates as lifecycle objects: Track issuance, rotation, expiry, and revocation for each secret or certificate so machine identities cannot persist with unmanaged standing access.
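As an added example (not SPHERE's or NHIMG's code), the review logic below applies the entitlement-review criteria from the technical breakdown and the practitioner checklist above to a constructed inventory: each record joins discovery data with owner, documented purpose, granted versus runtime-needed scopes, issuance and last-use dates, and workload state. The record layout, sample identities, and the rotation and staleness thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, List, Dict

@dataclass
class NHI:
    """One inventory record: discovery output joined with ownership and workload state (assumed layout)."""
    name: str
    kind: str                   # e.g. "service_account", "api_key", "certificate", "ssh_key", "bot"
    owner: Optional[str]        # named business owner; None means orphaned
    purpose: Optional[str]      # documented reason the identity exists
    scopes: Set[str]            # entitlements the credential actually carries
    needed_scopes: Set[str]     # entitlements the workload uses at runtime
    issued: date                # credential issuance date (drives rotation)
    last_used: Optional[date]   # last observed authentication, None if never seen
    workload_active: bool       # does the owning workload or integration still exist?

def review(nhi: NHI, today: date, max_age_days: int = 90, stale_days: int = 60) -> List[str]:
    """Return governance findings for one identity; an empty list means it passes review."""
    findings = []
    if nhi.owner is None:
        findings.append("orphaned: no named owner")
    if not nhi.purpose:
        findings.append("unaccountable: no documented purpose")
    if not nhi.workload_active:
        findings.append("retire: owning workload is no longer active")
    if nhi.last_used is None or (today - nhi.last_used).days > stale_days:
        findings.append("stale: no use within %d days" % stale_days)
    if (today - nhi.issued).days > max_age_days:
        findings.append("rotate: credential older than %d days" % max_age_days)
    excess = nhi.scopes - nhi.needed_scopes          # granted but never exercised at runtime
    if excess:
        findings.append("overbroad: unused scopes %s" % sorted(excess))
    return findings

def review_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Run the review across the whole register, keyed by identity name."""
    return {n.name: review(n, today) for n in inventory}

TODAY = date(2025, 7, 15)
SAMPLE_INVENTORY = [  # constructed records, not real identities
    NHI("ci-deploy-sa", "service_account", "platform-team", "deploy to staging",
        {"deploy:staging"}, {"deploy:staging"},
        TODAY - timedelta(days=30), TODAY - timedelta(days=1), True),
    NHI("legacy-etl-key", "api_key", None, None,
        {"db:read", "db:write", "db:admin"}, {"db:read"},
        TODAY - timedelta(days=400), TODAY - timedelta(days=200), False),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "->", findings or "passes review")
```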

Key takeaways

  • The article shows that NHI risk is driven by visibility gaps, unclear ownership, and weak entitlement discipline rather than by volume alone.
  • NHI breach impact scales quickly because machine identities can be embedded in infrastructure, overprivileged by design, and difficult to retire once deployed.
  • Security teams should treat identity discovery, lifecycle control, and entitlement auditing as one machine-identity governance programme, not separate workstreams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | The article centers on discovery and governance of machine identities across the estate.
NIST CSF 2.0 | PR.AC-4 | Privilege assignment and access review are central to the article's governance gap.
NIST Zero Trust (SP 800-207) | | The article ties NHI control to Zero Trust assumptions about continuous verification and scoped access.

Catalogue every NHI class, assign ownership, and retire identities that no longer serve an active workload.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software, services, devices, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, bots, workloads, and connected devices that authenticate to systems and consume access rights.
  • Identity Intelligence: Identity intelligence is the ability to combine discovery, ownership mapping, entitlement analysis, and lifecycle context into one governance view. It turns scattered machine identity data into actionable control, so teams can see what exists, who owns it, and whether access is still justified.
  • Machine Identity Lifecycle: Machine identity lifecycle is the governed process of creating, managing, reviewing, rotating, and retiring non-human identities over time. Unlike human lifecycle management, it must account for code, infrastructure, and automation paths that can keep identities alive long after their original purpose has ended.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or security governance programme, it is worth exploring.

This post draws on content published by SPHERE: The Impact of the Exponential Growth of Non-Human Identities. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org