By NHI Mgmt Group Editorial Team
Published 2026-02-18
Domain: Governance & Risk
Source: Hydden

TL;DR: Hidden machine accounts remain a governance challenge, and identity visibility may be part of the answer, according to Hydden’s analysis. For identity teams, visibility without lifecycle ownership still leaves NHI risk unmanaged.


At a glance

What this is: This is a short Hydden resource note arguing that undiscovered identities in enterprise environments are a visibility and governance problem.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all fail when identities exist outside ownership, review, and revocation workflows.

By the numbers:

👉 Read Hydden's post on identity visibility and hidden identities in enterprise environments


Context

Identity visibility is the starting point for any credible non-human identity programme, because you cannot govern accounts you cannot see. In practice, discovery only becomes useful when it connects to ownership, lifecycle status, and entitlement review, especially for service accounts, API keys, and other secrets-bearing identities.

Hydden’s post reflects a familiar market pattern: vendors are increasingly framing hidden identities as an observability problem, while practitioners still have to turn that visibility into control. The gap is not simply finding more identities. It is deciding which ones matter, who owns them, and how they are offboarded or rotated once found.


Key questions

Q: How should teams turn identity discovery into actual NHI risk reduction?

A: Discovery should feed an ownership and remediation workflow, not a reporting dashboard. Every found identity needs a business owner, a valid use case, and a path to rotation or removal if it is dormant, overprivileged, or undocumented. The goal is to convert visibility into governed state, not simply count more assets.

Q: Why do hidden service accounts become a governance problem so quickly?

A: Hidden service accounts become a governance problem because they often persist with standing privilege and no clear owner. Once an identity exists outside review and offboarding processes, it can accumulate access that no one can confidently justify. That creates unmanaged attack surface and weak accountability across IAM, IGA, and PAM.

Q: What is the difference between identity visibility and identity governance?

A: Identity visibility tells you what exists. Identity governance tells you who owns it, what it can access, how long it should live, and when it must be removed or recertified. A programme can be highly visible and still be poorly governed if discovered identities are not tied to lifecycle controls.

Q: Which frameworks are most relevant for hidden NHI management?

A: NHI discovery and remediation align closely with the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0. For practitioners, the key is to map discovery findings to access control, inventory, and remediation processes so hidden identities become governed assets rather than residual risk.


Technical breakdown

Identity discovery and shadow NHI inventories

Discovery tools typically enumerate accounts, keys, tokens, certificates, and service principals across cloud, code, and tooling. That inventory is useful only if it can normalise identity objects into a single view that shows where credentials live, what they can access, and whether they are active, dormant, or orphaned. Without that context, discovery produces noise rather than governance data. The architectural challenge is that many environments distribute NHI data across IAM, secrets managers, CI/CD, SaaS platforms, and application code, so no single system has complete native visibility.

Practical implication: require discovery output to map into ownership and lifecycle workflows, not just dashboards.
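
The normalisation step described above, as an added example that is not Hydden's tooling or NHIMG's own code. It folds constructed discovery records from a cloud IAM listing, a secrets manager and a CI/CD variable store into one view keyed by credential fingerprint, so a secret that lives in the vault and has been copied into CI appears once with both locations, and then labels each identity active, dormant or orphaned. Every source schema, name, tag, fingerprint, the 90-day dormancy threshold and the scan time are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed discovery output from three systems. Names, tags, timestamps and
# fingerprints are all made up for this example; real tools use their own schemas.
CLOUD_IAM_USERS = [
    {"UserName": "svc-billing-export", "Tags": {"owner": "finance-platform"},
     "AccessKeyLastUsed": "2026-02-10T09:12:00Z", "AttachedPolicies": ["BillingReadOnly"]},
    {"UserName": "svc-legacy-etl", "Tags": {"owner": "data-eng"},
     "AccessKeyLastUsed": "2025-06-01T00:00:00Z", "AttachedPolicies": ["AdministratorAccess"]},
]
SECRETS_MANAGER = [
    {"name": "prod/payments/api-key", "labels": {"team": "payments"},
     "last_accessed": "2026-02-17T22:40:00Z", "fingerprint": "fp-7a1c"},
    {"name": "ci/deploy-token", "labels": {}, "last_accessed": None, "fingerprint": "fp-03e9"},
]
CI_VARIABLES = [
    {"key": "DEPLOY_TOKEN", "project": "web-frontend", "fingerprint": "fp-03e9"},
]
SCAN_TIME = datetime(2026, 2, 18, tzinfo=timezone.utc)  # constructed "now" for the scan


@dataclass
class Identity:
    key: str                        # merge key: credential fingerprint, else source-qualified name
    kind: str                       # service_account | secret
    owner: Optional[str] = None
    last_used: Optional[datetime] = None
    privileges: list = field(default_factory=list)
    locations: list = field(default_factory=list)  # every system the credential was seen in
    status: str = "unknown"         # active | dormant | orphaned


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def classify(ident, now=SCAN_TIME, dormant_after=timedelta(days=90)):
    """Ownership is checked first: an unowned credential is orphaned whether or not it is in use."""
    if ident.owner is None:
        return "orphaned"
    if ident.last_used is None or now - ident.last_used > dormant_after:
        return "dormant"
    return "active"


def normalise(now=SCAN_TIME):
    """Fold all sources into one view; records that share a fingerprint are merged."""
    view = {}

    def upsert(ident):
        cur = view.get(ident.key)
        if cur is None:
            view[ident.key] = ident
            return
        cur.owner = cur.owner or ident.owner
        cur.locations += [loc for loc in ident.locations if loc not in cur.locations]
        cur.privileges += [p for p in ident.privileges if p not in cur.privileges]
        if ident.last_used and (cur.last_used is None or ident.last_used > cur.last_used):
            cur.last_used = ident.last_used

    for u in CLOUD_IAM_USERS:
        upsert(Identity(key=f"cloud_iam:{u['UserName']}", kind="service_account",
                        owner=u["Tags"].get("owner"), last_used=_ts(u.get("AccessKeyLastUsed")),
                        privileges=list(u["AttachedPolicies"]), locations=["cloud_iam"]))
    for s in SECRETS_MANAGER:
        upsert(Identity(key=s.get("fingerprint") or f"secrets:{s['name']}", kind="secret",
                        owner=s["labels"].get("team"), last_used=_ts(s.get("last_accessed")),
                        locations=[f"secrets:{s['name']}"]))
    for v in CI_VARIABLES:
        upsert(Identity(key=v.get("fingerprint") or f"ci:{v['project']}/{v['key']}", kind="secret",
                        locations=[f"ci:{v['project']}/{v['key']}"]))

    for ident in view.values():
        ident.status = classify(ident, now)
    return view


def status_counts(view):
    counts = {"active": 0, "dormant": 0, "orphaned": 0}
    for ident in view.values():
        counts[ident.status] += 1
    return counts


if __name__ == "__main__":
    for ident in normalise().values():
        print(f"{ident.status:9} {ident.key:32} owner={ident.owner} seen_in={ident.locations}")
```

The merge key matters more than the classification: without it the deploy token shows up as two findings with no owner, and the team chases the same credential twice. In practice the fingerprint would be a hash of the secret material computed by the discovery tool, never the secret itself.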

Why visibility alone does not reduce NHI risk

Visibility is a detection capability, not a control outcome. An organisation can know that a service account exists and still leave it overprivileged, unrotated, or unmanaged. That is why NHI programmes need a second layer that links discovery to policy enforcement, entitlement review, and remediation. The NHI risk pattern is simple: the longer an unseen identity persists, the more likely it is to accumulate access that no one can confidently justify.

Practical implication: tie every discovered identity to an owner, a use case, and a removal path.

Lifecycle management after discovery

Once hidden identities are found, the next technical question is whether they can be rotated, scoped down, or retired without breaking dependent systems. This is where many programmes fail, because discovery exposes technical debt faster than teams can resolve it. Mature lifecycle management treats inventory as the first step in a control chain that includes provisioning standards, credential rotation, and offboarding. That chain is what converts visibility into lower attack surface.

Practical implication: build remediation runbooks for discovered identities before scaling discovery across the estate.


Threat narrative

Attacker objective: The objective is to exploit unmanaged identity sprawl to gain durable access beyond the visibility boundary of the organisation.

  1. Entry: Hidden service accounts, API keys, and tokens enter the environment through code, configuration, CI/CD systems, or third-party integrations.
  2. Escalation: Once discovered or reused, those credentials can carry standing privilege that exceeds the task they were meant to support.
  3. Impact: Attackers or insiders can move laterally, access sensitive systems, or persist through identities that were never fully governed.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hidden identity discovery is only a partial control because visibility does not equal governance. The market often treats inventory as the finish line, but discovery is only the point where risk becomes knowable. Without ownership, lifecycle status, and revocation authority, the organisation has a map of the problem but no mechanism to reduce it. Practitioners should treat discovery as intake to governance, not as the governance result.

Shadow NHI exposure is a lifecycle failure, not just an observability gap. Service accounts, API keys, and tokens persist because they are created faster than they are reviewed, rotated, or retired. That means hidden identities are usually a symptom of weak joiner-mover-leaver discipline applied to machines, not a separate category of risk. The implication is that identity programmes must govern machine accounts with the same discipline they apply to human access lifecycles.

Identity blast radius is the right concept for hidden-machine-account risk. When discovery reveals hundreds or thousands of unmanaged identities, the question is not how many exist but how far each one can reach. Excess privilege, third-party exposure, and dormant credentials turn discovery findings into attack surface expansion. Practitioners should use blast radius as the metric that connects inventory to prioritisation.

NHI visibility programmes will increasingly converge with PAM and IGA governance. The operational reality is that machine identities do not stay contained inside one control domain. Inventory, entitlement review, secrets hygiene, and offboarding all have to work together or the hidden-identity problem simply migrates. That is the direction the market is heading, and it rewards programmes that can link discovery to control enforcement.

The strongest identity programmes will measure unmanaged identity reduction, not tool coverage. A dashboard showing more accounts is not a success signal if the accounts remain orphaned or overprivileged. The field is moving toward accountability for identity state, not just detection of identity existence. Practitioners should judge programmes by how much hidden access they can actually eliminate.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For deeper lifecycle context, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding steps that turn discovery into control.

What this signals

Identity discovery is becoming a forcing function for NHI lifecycle discipline. The practical signal for security leaders is not how many hidden identities they can surface, but whether those identities can be assigned, reviewed, and removed without manual fire drills. Programmes that stop at visibility will keep creating inventory without reducing exposure, especially where service accounts sit outside standard IAM ownership models.

The market is moving toward a tighter coupling between discovery, secrets management, and governance workflows, because unmanaged identity state is now a board-level risk marker. Teams that can connect discovery output to lifecycle controls will have a clearer path to lower attack surface, while those that cannot will keep inheriting shadow access across cloud and SaaS estates.


For practitioners

  • Link discovery to identity ownership: Require every newly discovered service account, API key, or token to resolve to a named system owner and a business purpose before it is left in production.
  • Prioritise high-blast-radius identities first: Triage discovered identities by privilege scope, third-party exposure, and dependency count so remediation starts with the credentials that can reach the most systems.
  • Create offboarding runbooks for machine identities: Define how to revoke, rotate, or retire identities found through discovery so the remediation path exists before the next inventory cycle.
  • Measure reduction in unmanaged access: Track how many identities move from unknown or orphaned status into reviewed, owned, and governed states each month, then use that trend to set priorities.
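
The triage and measurement items above, and the identity blast radius point in the analysis section, as an added example that is neither Hydden's nor NHIMG's code. The Python below scores constructed discovery findings on privilege scope, third-party exposure and dependency count, orders the unmanaged ones for remediation, and compares two monthly snapshots to report which identities were promoted into a managed state, which regressed, which were retired, and how many remain unmanaged. The weights, the state ladder (unknown and orphaned as unmanaged; reviewed, owned and governed as managed), and every identity name and number are assumptions.

```python
from dataclasses import dataclass

# Governance ladder for a discovered identity. Unknown and orphaned are unmanaged;
# reviewed, owned and governed count as managed. The ordering is an assumption.
STATES = ["unknown", "orphaned", "reviewed", "owned", "governed"]
MANAGED_FROM = STATES.index("reviewed")


@dataclass(frozen=True)
class Finding:
    identity: str
    privilege_scope: int    # systems or roles the credential can reach
    third_party: bool       # held by, or exposed to, an external party
    dependency_count: int   # workloads that depend on the credential
    state: str


def is_managed(f: Finding) -> bool:
    return STATES.index(f.state) >= MANAGED_FROM


def blast_radius(f: Finding) -> int:
    """Weighted score over the three factors. Weights are illustrative assumptions."""
    score = 10 * f.privilege_scope + 5 * f.dependency_count
    if f.third_party:
        score += 30
    return score


def triage(findings, limit=None):
    """Unmanaged identities only, highest blast radius first; ties broken by name."""
    unmanaged = [f for f in findings if not is_managed(f)]
    ordered = sorted(unmanaged, key=lambda f: (-blast_radius(f), f.identity))
    return ordered[:limit] if limit else ordered


def reduction(previous, current):
    """Compare two monthly snapshots and report what actually moved, not what was counted."""
    prev = {f.identity: f for f in previous}
    curr = {f.identity: f for f in current}
    promoted = [i for i, f in prev.items() if not is_managed(f) and i in curr and is_managed(curr[i])]
    regressed = [i for i, f in prev.items() if is_managed(f) and i in curr and not is_managed(curr[i])]
    retired = [i for i in prev if i not in curr]
    new_unmanaged = [i for i, f in curr.items() if i not in prev and not is_managed(f)]
    return {
        "promoted": promoted,
        "regressed": regressed,
        "retired": retired,
        "new_unmanaged": new_unmanaged,
        "unmanaged_remaining": sum(1 for f in curr.values() if not is_managed(f)),
    }


# Constructed snapshots from two inventory cycles; identities and numbers are made up.
JAN = [
    Finding("svc-legacy-etl", 12, False, 3, "orphaned"),
    Finding("ci/deploy-token", 4, True, 6, "unknown"),
    Finding("svc-billing-export", 2, False, 1, "owned"),
    Finding("vendor-webhook-key", 1, True, 2, "orphaned"),
    Finding("svc-report-cron", 1, False, 0, "reviewed"),
]
FEB = [
    Finding("svc-legacy-etl", 12, False, 3, "governed"),     # remediated
    Finding("ci/deploy-token", 4, True, 6, "reviewed"),      # owner assigned, rotation pending
    Finding("svc-billing-export", 2, False, 1, "orphaned"),  # owner left; nobody picked it up
    Finding("svc-report-cron", 1, False, 0, "owned"),
    Finding("new-saas-integration", 3, True, 1, "unknown"),  # appeared since the last cycle
]

if __name__ == "__main__":
    for f in triage(JAN):
        print(f"{blast_radius(f):4}  {f.state:9} {f.identity}")
    print(reduction(JAN, FEB))
```

The regressed and new_unmanaged buckets are the ones a coverage dashboard hides: an identity that was owned last month and is orphaned now (its owner left) is a joiner-mover-leaver failure, and it should count against the programme even though the total number of discovered identities went up.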

Key takeaways

  • Hidden identities are not just a visibility issue. They become a governance failure when ownership, rotation, and offboarding are missing.
  • Service accounts and secrets outside formal management create a durable attack surface that discovery alone cannot close.
  • Practitioners should measure success by how many unmanaged identities are reduced, not by how many are merely found.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery of hidden service accounts maps directly to unmanaged non-human identity inventory.
NIST CSF 2.0 | ID.AM | Asset management is required to keep hidden identities from remaining outside governance scope.
NIST Zero Trust (SP 800-207) | PR.AC | Hidden identities undermine continuous access verification and least-privilege enforcement.

Inventory every NHI, then bind each identity to ownership and lifecycle controls before it is allowed to persist.


Key terms

  • Shadow NHI: A shadow NHI is a non-human identity that exists in the environment without formal ownership, lifecycle tracking, or governance. It may be a service account, API key, token, or certificate that was created for a task and later forgotten, leaving persistent access outside normal control.
  • Identity Discovery: Identity discovery is the process of finding and cataloguing machine and human identities across cloud, code, SaaS, and infrastructure. In NHI programmes, discovery is only valuable when it feeds ownership, entitlement review, rotation, and removal workflows that reduce exposure.
  • Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if it is misused, stolen, or left unmanaged. For non-human identities, blast radius is driven by privilege scope, dependency count, and third-party exposure, making it a practical way to prioritise remediation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by Hydden: Dark Reading: Startup Finds Hydden Identities IT Environment. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org