TL;DR: According to Veza, machine identities span more than 90 types across clouds, data platforms, SaaS, and CI/CD, and the article argues that only an access graph can make ownership, effective permissions, and secrets hygiene visible enough to govern. The core issue is not discovery alone but proving who can do what, then using that evidence to cut standing privilege and contain drift faster.
At a glance
What this is: The article argues that governing non-human identities at scale requires an access graph that normalizes machine identity types, ownership, permissions, and secrets hygiene across environments.
Why it matters: For IAM and NHI practitioners, the message is that inventory without ownership and effective-permission analysis leaves the largest access risks untouched.
By the numbers:
- The access graph models over 90 non-human identity types across clouds, data platforms, SaaS, and CI/CD pipelines.
Context
Non-human identity governance fails when teams treat service accounts, API keys, tokens, and automation roles as separate inventory problems instead of a single access problem. The term that matters is non-human identity governance, because the real control gap is not whether an account exists, but whether its owner, permissions, and secrets behaviour are visible enough to prove what it can do.
Veza frames the answer around an access graph that normalizes machine identities across clouds, data platforms, SaaS, and CI/CD pipelines. That approach matters because IAM programmes usually have the inventory, but not the permission context needed to decide which identities are unowned, over-scoped, or still carrying standing access. For the broader NHI control model, see the Ultimate Guide to NHIs.
Key questions
Q: How should security teams govern non-human identities at scale?
A: Start with ownership, effective permissions, and secret lifecycle data in one control view. Teams should not rely on inventory alone, because a machine identity is risky when nobody owns it, its permissions exceed the task, or its credentials stay valid long after use. The right model is continuous review of blast radius, not quarterly paperwork.
Q: What is the difference between NHI inventory and NHI governance?
A: Inventory tells you what exists. Governance tells you who owns it, what it can reach, whether its credentials are still valid, and whether those permissions are justified. Many programmes stop at discovery, but the real risk appears when an identity has hidden inheritance, stale keys, or no accountable owner. Governance is control, not counting.
Q: When do machine identities create more risk than they reduce?
A: They become net risk when standing access, weak ownership, and long-lived secrets are treated as normal operating conditions. If the identity can reach sensitive systems but no one can explain its purpose or review its access on a schedule, the automation is creating trust debt faster than it is creating efficiency.
Q: Why do non-human identities complicate zero trust and least privilege?
A: Because machine access is often persistent, inherited, and spread across platforms that encode permissions differently. Zero trust depends on continuous verification, but NHIs frequently carry reusable secrets and broad scopes that outlive the task. Least privilege only works when teams can see the identity’s full reach and remove excess access quickly.
Technical breakdown
Why access graphs matter for non-human identity governance
An access graph is a relationship model that connects an identity to its owners, entitlements, environments, and data paths. For NHIs, that matters because the same object can appear as a Snowflake role, a GitHub App, a Salesforce integration user, or a CI/CD token, each with different semantics and blast radius. Normalization lets security teams ask consistent questions about effective permissions instead of just checking whether an account exists. The technical value is context: the graph shows not only assignment, but what the identity can actually reach after inheritance, group membership, and downstream trust chains are applied.
Practical implication: Use relationship data to identify the few NHIs whose effective permissions create the largest blast radius.
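The traversal described above, as an added example that is not part of Veza's article or product: a small relationship model in which identities, groups, roles, and permissions are nodes, and access propagates along membership, assignment, and trust edges. The identities, roles and permissions are constructed for illustration; the point is the gap between what an inventory records directly on the identity and what the identity can actually reach after inheritance and a downstream trust chain are applied.

```python
from collections import defaultdict, deque

# Relations along which access propagates from an identity outward.
# Other relations (e.g. owned_by) are kept in the graph but not traversed.
PROPAGATING = {"member_of", "assigned", "assumes", "can_assume", "grants"}

# Constructed sample graph (hypothetical identities, not from the article):
# each edge is (source, relation, target); "perm:" nodes are the leaf permissions.
EDGES = [
    ("nhi:ci-deploy-token", "owned_by", "user:alice"),
    ("nhi:ci-deploy-token", "member_of", "group:deployers"),
    ("group:deployers", "assigned", "role:app-writer"),
    ("role:app-writer", "grants", "perm:write:app-db"),
    ("nhi:ci-deploy-token", "assumes", "role:cross-account-reader"),
    ("role:cross-account-reader", "grants", "perm:read:warehouse"),
    ("role:cross-account-reader", "can_assume", "role:warehouse-admin"),  # downstream trust chain
    ("role:warehouse-admin", "grants", "perm:admin:warehouse"),
    ("nhi:svc-reporting", "assigned", "role:read-only"),
    ("role:read-only", "grants", "perm:read:app-db"),
]


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        if rel in PROPAGATING:
            adj[src].append((rel, dst))
    return adj


def direct_entitlements(identity, edges):
    """What a plain inventory shows: entitlements attached directly to the identity."""
    return sorted(dst for src, rel, dst in edges if src == identity and rel in PROPAGATING)


def effective_permissions(identity, edges):
    """Every perm:* node reachable from the identity through group membership,
    role assignment and trust chains. Returns {perm: (hops, explaining path)}."""
    adj = build_adjacency(edges)
    paths = {identity: [identity]}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in paths:  # already reached by a path at least as short
                continue
            paths[nxt] = paths[node] + [f"-{rel}->", nxt]
            queue.append(nxt)
    result = {}
    for node, path in paths.items():
        if node.startswith("perm:"):
            hops = (len(path) - 1) // 2
            result[node] = (hops, " ".join(path))
    return result


def hidden_reach(identity, edges):
    """Permissions that need more than identity -> role -> permission to explain,
    i.e. reach that comes from inheritance or a trust chain, not direct assignment."""
    return sorted(p for p, (hops, _) in effective_permissions(identity, edges).items() if hops > 2)


if __name__ == "__main__":
    for nhi in ("nhi:ci-deploy-token", "nhi:svc-reporting"):
        print(nhi)
        print("  direct   :", direct_entitlements(nhi, EDGES))
        for perm, (hops, path) in sorted(effective_permissions(nhi, EDGES).items()):
            print(f"  effective: {perm} ({hops} hops) via {path}")
        print("  hidden   :", hidden_reach(nhi, EDGES))
```

The deploy token's inventory record shows one group and one role; the graph shows it can also write to the application database and administer the warehouse, both only through a second hop. Keeping the explaining path alongside each permission is what makes the review actionable, because the reviewer can see which edge to cut.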
Secrets hygiene and privilege drift in machine identities
Machine identities depend on secrets, keys, and certificates that often outlive the business process they support. Drift appears when tokens are not rotated, credentials remain valid after use stops, or permissions accumulate as teams patch workflows over time. The article’s key point is that secrets hygiene is not a separate hygiene task, it is part of access control because credential age and usage directly change risk. When teams model secrets as first-class objects, they can tie last use, rotation state, and policy exceptions back to the identity that owns the credential.
Practical implication: Track last use and rotation state for every secret, then prioritize the credentials that still have production reach.
Ownership as a control, not a document
Ownership is what turns an unidentified machine identity into a governable one. In practice, that means each NHI needs a named human accountable for review cadence, entitlement changes, and credential policy. Without ownership, access reviews become paperwork because nobody can approve remediation or explain why an identity still exists. The control logic is simple: classify the identity, assign the owner, define the purpose, then constrain access to that purpose. That is the difference between posture reporting and actual governance.
Practical implication: Require a named owner before allowing any NHI to retain privileged or data-writing access.
Threat narrative
Attacker objective: The attacker objective is to exploit a machine identity’s hidden reach to access data, expand scope, and preserve persistence through trusted automation paths.
- Entry occurs when attackers steal or reuse long-lived machine credentials that were never rotated or were exposed in a build, code, or integration path.
- Escalation follows when over-scoped service accounts or automation roles inherit permissions beyond the task they were meant to perform.
- Impact lands when the compromised identity writes to regulated data, moves laterally through connected systems, or triggers broad key rotation and incident response.
Breaches seen in the wild
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
- Google Firebase misconfiguration breach — Firebase misconfigurations exposed 19.8M secrets across developer instances.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access graph governance is becoming the operating model for NHI control. The article is right to move beyond asset inventory and toward relationship-based access reasoning. NHIs are not governed by counting objects alone, because effective privilege emerges from inheritance, trust links, and stale secrets that traditional review workflows miss. Practitioners should treat graph-based visibility as the minimum viable control plane for machine identities.
Ownership is the missing enforcement layer in most NHI programmes. Unowned service accounts and integration users are not just hygiene issues, they are governance failures because no one can accept risk or remediate drift on schedule. A durable programme assigns accountability before it optimises rotation, because the best policy still fails when no human is answerable for the identity.
Secret age is a governance signal, not just a security metric. Long-lived credentials tell you more about process failure than about technical weakness alone. If a token survives multiple release cycles, the organisation has already normalised standing trust in its automation. Practitioners should use secret lifetime, last use, and exception count as board-visible indicators of control quality.
Identity blast radius is the right lens for machine access review. The practical question is not whether an NHI exists, but how much damage it can do if compromised. That shifts teams from periodic certification to continuous effective-permission analysis, which is where modern NHI governance should land.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a lifecycle view of the same problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for provisioning, rotation, and offboarding guidance.
What this signals
Identity blast radius: the category is shifting from simple discovery to continuous permission reasoning, which means programmes will be judged on how quickly they can answer what an NHI can actually reach. If your team still reports only counts, it will struggle to prioritise remediation where the exposure is most material. The practical shift is toward graph-backed reviews that surface effective access, not just object existence.
The operating pressure will come from machine identities that are hard to classify, hard to own, and easy to leave untouched after deployment. In that environment, NIST Cybersecurity Framework 2.0 becomes useful not as a slogan but as a structure for governance, identification, and response. Teams that align NHI work to lifecycle controls now will reduce exception debt later.
For practitioners
- Map effective permissions for all high-risk NHIs: Prioritize service accounts, automation roles, and integration users that can write to regulated data or administer tenant-wide scopes. Use effective-permission analysis, not only static role lists, so inherited access and downstream trust are visible.
- Assign a named human owner to every privileged machine identity: Block privileged access reviews for any NHI without a person accountable for purpose, review cadence, and remediation decisions. A distribution list is not ownership, because it cannot approve change or explain exceptions.
- Track secret age, last use, and overdue rotation together: Treat rotation status as a control variable, not a hygiene checkbox. Compare last use with policy age limits so you can retire stale credentials first and avoid prioritising low-risk secrets that are inactive.
- Build an NHI review queue around blast radius: Group identities by the systems and data they can reach, then review the ones with admin scope or production write access first. This keeps the team focused on identities that can cause material impact if compromised.
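The four steps above, together with the secrets-hygiene and ownership sections earlier, as one added example that is not Veza's or NHIMG's code: a review queue that takes each identity's effective reach as input (as an access graph query would supply it), applies the ownership gate, checks each credential's age and last use against policy, and orders the queue by blast radius. The identities, owners, credentials, dates, and scoring weights are constructed for illustration; the weights in particular are an assumption, not a published scale.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample records (hypothetical identities, not from the article).
# "reach" is the identity's effective permissions, e.g. the output of an access
# graph query, given here as (action, system, regulated_data) tuples.


@dataclass
class Secret:
    name: str
    last_used: date
    rotated_at: date
    max_age_days: int          # policy rotation limit for this credential


@dataclass
class NHI:
    name: str
    owner: Optional[str]       # a named person, a distribution list ("dl:..."), or None
    reach: List[Tuple[str, str, bool]]
    secrets: List[Secret] = field(default_factory=list)


# Assumed scoring weights, not a published scale.
ACTION_WEIGHT = {"admin": 10, "write": 5, "read": 1}
REGULATED_BONUS = 3
PRIVILEGED = {"admin", "write"}


def is_owned(nhi: NHI) -> bool:
    """Ownership gate: a named human, not a shared list and not nobody."""
    return bool(nhi.owner) and not nhi.owner.startswith("dl:")


def blast_radius(nhi: NHI) -> int:
    """Coarse score of what the identity can do if compromised."""
    return sum(ACTION_WEIGHT[action] + (REGULATED_BONUS if regulated else 0)
               for action, _system, regulated in nhi.reach)


def secret_findings(nhi: NHI, today: date, stale_after_days: int = 90):
    """Per-credential checks. Unused past the threshold is a 'retire' candidate
    (checked first, so inactive secrets are not queued for rotation); still in
    use but past its policy age is a 'rotate' candidate."""
    findings = []
    for s in nhi.secrets:
        age_days = (today - s.rotated_at).days
        idle_days = (today - s.last_used).days
        if idle_days > stale_after_days:
            findings.append((s.name, "retire", idle_days))
        elif age_days > s.max_age_days:
            findings.append((s.name, "rotate", age_days))
    return findings


def review_queue(nhis: List[NHI], today: date):
    """Privileged-but-unowned identities are blocked and go first; the rest are
    ordered by descending blast radius so admin and write reach is reviewed first."""
    rows = []
    for n in nhis:
        privileged = any(action in PRIVILEGED for action, _, _ in n.reach)
        rows.append({
            "name": n.name,
            "blast_radius": blast_radius(n),
            "owned": is_owned(n),
            "blocked": privileged and not is_owned(n),
            "secrets": secret_findings(n, today),
        })
    rows.sort(key=lambda r: (not r["blocked"], -r["blast_radius"], r["name"]))
    return rows


TODAY = date(2025, 10, 16)  # constructed review date
SAMPLE = [
    NHI("ci-deploy-token", "dl:platform-team",
        [("write", "app-db", True), ("admin", "warehouse", True)],
        [Secret("github-pat", last_used=date(2025, 10, 15), rotated_at=date(2025, 1, 10), max_age_days=90)]),
    NHI("svc-reporting", "alice@example.com",
        [("read", "app-db", True)],
        [Secret("api-key", last_used=date(2025, 5, 1), rotated_at=date(2025, 9, 1), max_age_days=90)]),
    NHI("legacy-backup", None,
        [("read", "file-share", False)],
        [Secret("backup-key", last_used=date(2024, 12, 1), rotated_at=date(2023, 6, 1), max_age_days=365)]),
]

if __name__ == "__main__":
    for row in review_queue(SAMPLE, TODAY):
        print(row)
```

The deploy token is the first item not because its score is highest but because a distribution list is not an owner and it holds write and admin reach, so its review is blocked until a person is assigned. The reporting account's key is queued to retire rather than rotate because it has not been used in 168 days, which is the "retire stale credentials first" rule from the third step.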
Key takeaways
- Non-human identity governance fails when teams can name accounts but cannot explain effective access, ownership, and secret state.
- The scale problem is structural, because over-privilege and stale credentials turn machine identities into high-blast-radius assets.
- Practitioners should use graph-based visibility, named ownership, and rotation evidence as the minimum control set for NHI governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and stale credentials are central to the article's access-risk analysis. |
| NIST CSF 2.0 | PR.AC-4 | Ownership and least privilege align with access permissions management. |
| NIST Zero Trust (SP 800-207) | | Continuous verification fits the article's effective-permission and blast-radius model. |
Apply zero trust principles to validate NHI access continuously and reduce standing trust.
Key terms
- Access Graph: An access graph is a relationship map that connects identities, entitlements, owners, environments, and data paths. For NHI governance, it turns scattered account records into a view of effective reach, making it easier to spot over-privilege, hidden trust links, and stale access that inventory tools miss.
- Effective Permission: Effective permission is the real access an identity has after roles, inheritance, group membership, and policy layers are all applied. It matters because the stored entitlement set often understates what a service account or automation role can actually do across connected systems.
- Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can cause based on its reachable systems, data, and administrative scope. It is a practical NHI risk measure because it helps teams prioritise the accounts that would create the largest incident if misused.
Deepen your knowledge
Non-human identity governance and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to move from inventory to enforceable control, it is worth exploring.
This post draws on content published by Veza: All the Keys, Visualized: Governing 90+ Non-Human Identities. Read the original.
Published by the NHIMG editorial team on 2025-10-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org