How CISOs should prepare for 2025: NHI, ZTA, and supply chain risk

At a glance

What this is: This is Entro Security's 2025 CISO planning piece, and its core claim is that NHI sprawl, zero trust, compliance pressure, and third-party risk now define the security agenda.

Why it matters: IAM teams need to treat NHIs as a first-class governance problem because the same controls used for human access do not scale cleanly to secrets, service accounts, and delegated machine access.

By the numbers:

• NHIs outnumber human identities by 25x to 50x in modern enterprises.
• Only 5.7% of organisations have full visibility into their service accounts.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

👉 Read Entro Security's 2025 CISO guidance on NHI, ZTA, and supply chain risk

Context

Non-human identity governance is now a baseline security problem, not a niche operational concern. Entro Security's 2025 planning note argues that NHIs, zero trust, compliance, and third-party access are converging into one governance challenge because machine credentials are everywhere and perimeter assumptions no longer hold.

The article also points to a broader shift in how security teams have to think about identity: access is no longer just a human authentication problem. When service accounts, API keys, and bot access expand faster than visibility and review processes, IAM programmes have to govern both credentials and the systems that issue, store, and rotate them.

Key questions

Q: How should security teams govern non-human identities in zero trust environments?

A: Start by treating every service account, API key, token, and certificate as a first-class identity with ownership, purpose, and expiry. Then enforce least privilege, continuous verification where feasible, and fast revocation when the task ends. Zero trust only works for NHIs when identity inventory and lifecycle controls are accurate enough to support it.

Q: Why do service accounts and API keys create so much supply chain risk?

A: They create supply chain risk because they often grant valid downstream access without requiring a human login. If a secret is embedded in code, shared with a vendor, or copied into a pipeline, it can be reused silently until someone revokes it. The real danger is delegated trust that outlives the original purpose.

Q: How do you know if NHI rotation and offboarding are actually working?

A: Look for evidence that secrets are retired quickly, owners can be identified immediately, and old credentials cannot still authenticate after the intended task ends. If you can only prove policy exists, not that credentials disappear on schedule, the programme is not operationally effective. Good evidence comes from lifecycle telemetry, not policy documents.

Q: Who is accountable when a third-party credential is misused?

A: Accountability sits with the organisation that issued or retained the credential, even when a third party held it. That means supplier review, permission scoping, and offboarding discipline must be built into the contract and the IAM process. If the secret can still work, the governance failure is still yours.

Technical breakdown

Why zero trust is harder to apply to NHI estates

Zero Trust Architecture assumes every identity can be continuously verified, scoped, and re-evaluated before access is granted. That is feasible in theory, but NHI estates often include API keys, service accounts, and tokens that are created outside normal user onboarding flows and then reused by applications, scripts, and pipelines. The technical challenge is not authentication alone. It is that machine identities often lack the lifecycle signals that human IAM depends on, such as interactive login, user context, or easy-to-audit ownership. Without that metadata, least privilege becomes a static guess rather than an enforceable runtime state.

Practical implication: Map every non-human credential to an owner, purpose, and expiry rule before trying to enforce zero trust at scale.

How secrets exposure turns into supply chain compromise

Supply chain risk rises sharply when credentials are embedded in code, configuration, or collaboration tools. In those cases, a single leaked secret can create delegated access that looks legitimate to downstream systems, because the compromise happens through valid identity material rather than noisy exploitation. That makes detection harder and response slower. The article's warning is less about malware and more about trust transfer: once a third party or automated process receives an NHI credential, the blast radius depends on what that secret can reach and how long it remains valid. The control failure is usually visibility plus over-scoping, not just theft.

Practical implication: Treat every externally shared secret as a supply chain dependency and restrict its permissions to the smallest possible task scope.

Why compliance automation must include NHI lifecycle controls

Compliance programmes often focus on policy coverage, but NHI risk sits in operational drift. If secrets are not rotated, access is not recertified, and offboarding is incomplete, the organisation can still appear compliant on paper while leaving active credentials in circulation. The technical issue is that machine identities are frequently managed in tooling silos, separate from human IAM and PAM processes. That separation breaks auditability because no single control plane can answer basic questions such as who owns a token, why it exists, or whether it should still be live. For NHI governance, compliance evidence has to be generated from lifecycle telemetry, not after-the-fact attestations.

Practical implication: Build NHI rotation, revocation, and ownership evidence into continuous compliance checks rather than periodic audit preparation.

Breaches seen in the wild

• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
• Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

NHI sprawl has become a governance problem, not just an inventory problem. The article frames NHIs as a volume issue, but the deeper issue is control leakage across creation, use, and retirement. Once machine identities proliferate faster than ownership and review can keep up, governance becomes incomplete by design. Practitioners should treat identity sprawl as a lifecycle failure, not a discovery exercise.

Least privilege for machine identities is often defined too late to be meaningful. Static IAM models assume the actor's purpose is known at provisioning time and remains stable through use. That assumption holds poorly when service accounts, API keys, and automation tokens are distributed across pipelines and third parties. The implication is that entitlement design must move closer to runtime context and expiry discipline.

Access review processes were designed for identities that persist long enough to be reviewed. That assumption fails when secrets are created, consumed, and discarded across automated workflows before the next certification cycle begins. In practice, the review artefact arrives after the access state has already changed. Practitioners should recognise this as an assumption collapse in human-paced governance, not a control tuning issue.

Ephemeral credential trust debt: the longer a secret survives outside its intended task, the more organisational risk accumulates even if no alert is raised. This is visible in environments where secrets sit in code, chat, or CI/CD tools after the original purpose is gone. The practical conclusion is that rotation, revocation, and ownership evidence need to be treated as core identity controls, not operational extras.

Security programmes that separate human IAM from NHI governance are already behind the threat model. Entro Security's article reflects a broader market truth: identity security is becoming cross-domain, with machine identities, third parties, and compliance obligations now intersecting in the same workflows. The practitioner takeaway is to unify governance reporting before risk is split across different teams and tools.

From our research:

• Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
• We also found that 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly remediation often moves.
• For teams building a broader machine-identity programme, the Ultimate Guide to NHIs , 2025 Outlook and Predictions is the natural next step.

What this signals

With NHIs already outnumbering human identities by 25x to 50x in modern enterprises, identity programmes that still centre human login flows will continue to undercount their real attack surface. The practical shift is toward ownership, lifecycle evidence, and continuous visibility across machine credentials, not just user accounts.

Identity blast radius: teams should measure how far a single secret can reach before it is rotated or revoked. That metric is becoming more useful than raw inventory counts because it reflects both delegation depth and the speed at which compromise can spread.

For practitioners, the next step is to align NHI governance with zero trust language and control evidence. The NIST Cybersecurity Framework 2.0 is a useful anchor for that conversation because it forces teams to connect governance, protection, detection, and recovery to specific identity operations.

For practitioners

• Inventory machine identities across code, pipelines, and collaboration tools Build a complete map of service accounts, API keys, tokens, and certificates, including where they are stored and which systems depend on them. Use the inventory to establish named ownership and retirement criteria.
• Tie every NHI credential to an owner and expiry rule Require a business or technical owner for every secret, plus a documented reason for existence and a revocation trigger. This makes lifecycle governance auditable instead of relying on tribal knowledge.
• Reduce blast radius on third-party access tokens Constrain externally shared credentials to a single task, shortest feasible lifetime, and the narrowest reachable systems. Review third-party NHI exposure as part of supplier risk, not only application onboarding.
• Use continuous rotation and revocation evidence for compliance Automate secret rotation where possible and capture proof of revocation for offboarding, recertification, and exception handling. That evidence should feed compliance reporting continuously rather than only at audit time.

Key takeaways

• NHI governance now sits at the centre of CISO planning because machine identities, not just users, carry the most operational trust.
• Visibility and lifecycle control remain weak in most organisations, which means compliance and zero trust efforts can look stronger on paper than they are in practice.
• Teams that want to reduce risk in 2025 need to manage ownership, rotation, offboarding, and third-party scope as one identity programme.

Key terms

• Non-Human Identity: A non-human identity is a machine or software identity used by applications, services, workloads, or automation rather than a person. It includes service accounts, API keys, tokens, and certificates. In governance terms, it needs ownership, lifecycle control, and least privilege just like human access does.
• Secret Rotation: Secret rotation is the process of replacing credentials so old values stop working and new ones take over. For NHIs, rotation is a control for reducing the useful life of exposed credentials. It matters most when secrets are embedded in code, shared externally, or reused across systems.
• Zero Trust Architecture: Zero Trust Architecture is a security model that assumes no identity or network location is trusted by default. Access is continuously evaluated using identity, context, and policy. For NHIs, the challenge is applying that model to credentials that are non-interactive, widely distributed, and often hard to inventory.
• Identity Blast Radius: Identity blast radius is the amount of access and downstream reach a single credential or account can expose if misused. For NHIs, it is often larger than teams expect because secrets can unlock services, pipelines, and third-party connections. Reducing it requires scope minimisation and faster revocation.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

• The article's full treatment of zero trust controls for NHIs across code, repositories, and collaboration tools
• The vendor's practical compliance checklist for SaaS, fintech, and healthcare identity environments
• The supply chain risk discussion around third-party NHI exposure and delegated access patterns
• The closing perspective on how CISOs should prioritise 2025 security work across identity, compliance, and automation

👉 Entro Security's full post expands on the NHI inventory, compliance, and third-party risk themes in more operational detail.

Deepen your knowledge

NHI governance, zero trust, and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme around machine identities and delegated access, it is a practical place to start.