TL;DR: API-related breaches affected 57% of organisations over the past two years, and 73% of those reported three or more incidents, according to Apono. The pattern shows that governance built for human accounts is too slow and too static for cloud-native NHIs, where standing permissions and weak lifecycle control expand the attack surface.
At a glance
What this is: This is an explanation of identity and access governance, with a strong focus on why cloud-native non-human identities are stretching traditional IGA models.
Why it matters: It matters because IAM, IGA, PAM, and cloud security teams now have to govern identities that appear, change, and disappear faster than human-led review cycles can track.
By the numbers:
- 57% of organisations experienced at least one API-related breach over the past two years.
- 73% of those organisations saw three or more incidents.
- Machine identities outnumber humans by over 80 to 1.
👉 Read Apono's analysis of identity and access governance for cloud-native NHIs
Context
Identity and access governance, or IGA, is the discipline that decides who should have access, whether that access is still appropriate, and whether the organisation can prove it. In cloud-native environments, that question now extends far beyond employees because APIs, service accounts, containers, and automation agents request credentials constantly, and many of them outlive the controls built to govern them.
The problem is not a lack of identity controls. It is that many programmes still treat governance as a periodic review exercise while production systems operate on minutes, not quarters. That mismatch is most visible in NHI governance, where static permissions, long-lived keys, and fragmented cloud visibility create audit gaps and operational blind spots.
Key questions
Q: How should security teams govern non-human identities in cloud-native environments?
A: Security teams should govern non-human identities with the same lifecycle discipline used for people, but with controls tuned for machine speed. That means owning provisioning, reviewing effective permissions, rotating credentials, and enforcing offboarding automatically. JIT access and short-lived credentials help, but only if entitlement scope is tight enough to avoid standing privilege.
Q: Why do service accounts create more governance risk than many teams expect?
A: Service accounts often persist long after the workflow that created them has changed, which makes them easy to forget and hard to certify. When they carry broad permissions, they become standing access paths that bypass normal human review cycles. The risk is not that they exist, but that no one can prove they still need the access they hold.
Q: What breaks when access reviews are used to govern ephemeral workloads?
A: Access reviews break when the identity lifespan is shorter than the review cycle. A quarterly certification process cannot reliably govern a container, token, or serverless function that lives for minutes or hours. In that model, the review validates a stale snapshot instead of the access that actually existed in production.
Q: Who is accountable when a non-human identity is left overprivileged?
A: Accountability should sit with the business or technical owner named for that identity, not with the cloud platform itself. If no owner exists, the organisation has already lost governance. Frameworks such as NIST CSF and Zero Trust both assume access can be identified, reviewed, and limited, which requires a clear owner for every machine identity.
Technical breakdown
Why cloud-native IGA breaks under ephemeral identities
Cloud-native platforms create identities that exist only for a short operational window. Containers, serverless functions, and automation jobs may spin up, request a token, perform a task, and disappear before a quarterly access review even starts. Traditional IGA assumes identities are stable enough to be catalogued, certified, and retired on a human schedule. That assumption fails when the identity is temporary but still powerful. The result is governance drift, where access exists in production but not in the records used to certify it.
Practical implication: move from periodic certification to time-bound governance that can record and revoke short-lived access while it is still active.
How role and entitlement sprawl undermines least privilege
Cloud providers expose thousands of discrete actions across services, which makes precise role design difficult. Teams often solve that complexity by granting broad permissions and revisiting them later, but later frequently never arrives. In IGA terms, the issue is not just excess access. It is unmanaged entitlement composition, where individually reasonable permissions combine into toxic privilege paths. Once those paths exist, access reviews only validate the sprawl instead of reducing it. PAM can narrow the highest-risk accounts, but it does not fix broad entitlement design across the rest of the identity estate.
Practical implication: inventory effective permissions, not just assigned roles, and remove entitlements that create avoidable privilege combinations.
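As an added example, not code from the Apono article or from NHIMG, the Python below does the inventory the implication above asks for: it computes the effective action set of one machine identity from its attached IAM-style policies (explicit deny overriding allow, wildcard and case-insensitive matching as in IAM) and then flags privilege pairs that compose into an escalation path. The role name, the three policy documents, the action catalogue and the toxic-pair list are all constructed for illustration; Resource and Condition elements are ignored, so it is an action-level inventory only. By name the identity is a routine CI deployer and each policy on its own reads as reasonable; the composition is what lets it pass a role into a function it creates.

```python
"""Effective-permission inventory and toxic-combination check for one NHI.
Added example, not code from the Apono article or from NHIMG. It evaluates
IAM-style policy statements attached to a machine identity, computes the
effective action set over a catalogue of actions, and flags pairs that
compose into an escalation path. Policies, role names, the catalogue and
the pair list are constructed; Resource and Condition elements are ignored,
so this is an action-level inventory only."""
from fnmatch import fnmatchcase

# Constructed catalogue. A real inventory uses the provider's full action
# list (thousands of actions, which is why roles end up broad).
ACTIONS_OF_INTEREST = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode", "lambda:InvokeFunction",
    "iam:PassRole", "iam:AttachRolePolicy", "iam:CreateAccessKey",
    "sts:AssumeRole", "ec2:RunInstances",
]

# Well-known IAM escalation pairs (illustrative, not exhaustive). Each action
# alone reads as routine; together they let the identity run code or compute
# as another, possibly broader, role.
TOXIC_PAIRS = {
    ("iam:PassRole", "lambda:CreateFunction"): "create a function that runs as any passable role",
    ("iam:PassRole", "ec2:RunInstances"): "launch an instance with any passable instance profile",
    ("sts:AssumeRole", "iam:AttachRolePolicy"): "assume a role, then widen its policy",
}


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def effective_actions(policies, catalogue=ACTIONS_OF_INTEREST):
    """Catalogue actions the identity can perform across all attached policies.

    IAM semantics as modelled here: allowed if any Allow statement matches and
    no Deny statement matches (explicit deny wins). Matching is wildcard-based
    and case-insensitive, as in IAM.
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in policy["Statement"]:
            bucket = allowed if stmt["Effect"] == "Allow" else denied
            for pattern in _actions(stmt):
                bucket.update(a for a in catalogue if fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def toxic_paths(actions):
    """(action_a, action_b, why) for every toxic pair fully present in the set."""
    return [(a, b, why) for (a, b), why in TOXIC_PAIRS.items() if a in actions and b in actions]


def report(role_name, policies):
    eff = effective_actions(policies)
    return {"role": role_name, "effective": sorted(eff), "toxic": toxic_paths(eff)}


# Constructed policies for a CI deployment role. By name, "ci-deploy" looks
# routine; the composition of its three policies is the problem.
CI_DEPLOY_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]},
    {"Statement": [{"Effect": "Allow", "Action": ["lambda:*", "iam:*"]}]},
    # Guardrail deny: stops key minting and policy edits, but not PassRole
    {"Statement": [{"Effect": "Deny", "Action": ["iam:CreateAccessKey", "iam:AttachRolePolicy"]}]},
]

# Hardened variant: the pipeline only updates and invokes existing functions;
# creating functions and passing roles happens once, under a separate identity.
HARDENED_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]},
    {"Statement": [{"Effect": "Allow", "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"]}]},
]

if __name__ == "__main__":
    for name, pols in (("ci-deploy", CI_DEPLOY_POLICIES), ("ci-deploy-hardened", HARDENED_POLICIES)):
        r = report(name, pols)
        print(r["role"], "effective:", r["effective"])
        for a, b, why in r["toxic"]:
            print("  TOXIC:", a, "+", b, "->", why)
```

The hardened variant keeps the pipeline's day-to-day work (update and invoke existing function code) and moves function creation and role passing to a separately governed identity, which is the entitlement cleanup the section calls for. A production inventory would also evaluate Resource and Condition elements and, on AWS, can use the IAM `simulate-principal-policy` API to get provider-evaluated answers instead of a local approximation.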
Why NHI lifecycle governance needs different controls than human IAM
NHIs rarely join, move, or leave through the same workflows as employees, which is why standard lifecycle processes miss them. Service accounts and automation identities are often created in code, reused across environments, and left behind when projects end. That makes deprovisioning the key governance failure point, not password reset or login assurance. In practice, lifecycle governance for NHIs has to cover provisioning, review, rotation, and offboarding as a continuous system. Without that, forgotten credentials become standing access and eventually become backdoors.
Practical implication: treat NHI lifecycle as a first-class governance process with ownership, review triggers, and offboarding checkpoints.
Threat narrative
Attacker objective: The attacker aims to turn unmanaged machine access into persistent cloud reach and, ultimately, data exposure or administrative control.
- Entry occurs when attackers target exposed API keys, long-lived tokens, or other non-human credentials that are easier to find than human accounts.
- Escalation follows when overprivileged service accounts or automation identities are abused to move from a single foothold to wider cloud access.
- Impact comes when unmanaged credentials are used to read data, reset access, or traverse environments with weak segregation between workloads.
Breaches seen in the wild
- Moltbook AI agent keys breach: 1.5M AI agent keys exposed.
- MongoBleed breach: secrets exposed across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Standing access is the core governance failure in cloud-native identity programmes. The article shows that static permissions cannot keep pace with identities that are created for a task and vanish moments later. That is not a tooling issue alone; it is a governance mismatch between review cycles and runtime reality. Practitioners should treat standing access as architectural debt in both IGA and NHI programmes.
Machine identity governance is no longer a niche problem; it is the baseline identity problem in cloud environments. When machine identities outnumber humans by more than 80 to 1, human-centric governance models cease to describe the actual risk surface. Access reviews that focus on employees can still pass while the largest share of effective access remains unreviewed. Practitioners should re-centre governance on the identities that actually execute production work.
Ephemeral credential trust debt is the right name for the problem this article describes. Temporary access reduces duration, but it does not solve the trust assumptions that let broad access exist in the first place. If the underlying entitlement model is too coarse, then shorter lifetimes only compress the window of misuse. Practitioners should see JIT and JEP as controls for exposure reduction, not as substitutes for entitlement discipline.
IGA, PAM, and IAM are converging around one operational question: who or what can still act right now? The article is strongest when it ties auditability, approval, and runtime enforcement back to the same access decision. That convergence matters because separate tools often produce separate truths. Practitioners should pursue a single governance view across human users, service accounts, and automation identities.
Cloud-native governance must assume failure at the entitlement boundary, not just at the login boundary. The post correctly distinguishes enforcement from oversight, and that distinction is where many programmes break. Login success does not prove access is appropriate, and access certification does not prove entitlement composition is safe. Practitioners should align controls to the full lifecycle of access, not only to authentication events.
From our research:
- Machine identities outnumber humans by over 80 to 1, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- For a broader lifecycle lens, review the Ultimate Guide to NHIs for how governance, rotation, and offboarding fit together across the identity estate.
What this signals
Ephemeral credential trust debt is what many cloud programmes are carrying without naming it. JIT reduces exposure windows, but it does not fix the entitlement model that allowed broad access in the first place, so teams need to watch for hidden privilege paths as they harden runtime controls.
With machine identities already outnumbering humans by over 80 to 1, per The 2024 Non-Human Identity Security Report, the operational centre of gravity has shifted. IAM teams should expect NHI lifecycle, PAM, and cloud governance to merge into a single control problem.
Practitioners should prepare for audit demands that ask for proof of who approved access, when it expired, and which identity consumed it. That evidence chain is becoming as important as the access decision itself, which makes centralised logging and lifecycle ownership mandatory rather than optional.
For practitioners
- Map effective permissions across cloud accounts: Inventory what each service account, token, and automation identity can actually do across AWS, Azure, and GCP, then compare that to the approved role model. The goal is to expose privilege paths that role names hide, especially where cross-cloud entitlements create toxic combinations.
- Replace periodic reviews with time-bound access controls: Use JIT and JEP policies for identities that operate in pipelines, serverless functions, and short-lived workloads. If access must exist, constrain it to a task-specific duration and make revocation automatic when the task ends.
- Assign lifecycle ownership to every non-human identity: Require a named owner for provisioning, rotation, recertification, and offboarding of each service account, API key, token, or certificate. Forgotten credentials become permanent backdoors when no one is accountable for their removal.
- Align PAM to high-risk machine access, not just admins: Extend privileged session controls to the non-human identities that can reset passwords, modify policies, or move between environments. High-risk machine credentials need the same scrutiny as human administrative access.
- Unify audit evidence across identities and clouds: Generate logs that show who approved access, when it expired, and which identity consumed it, then centralise those records for audit and incident response. Fragmented console reporting leaves gaps that governance teams cannot defend.
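The lifecycle controls described under "Why NHI lifecycle governance needs different controls than human IAM", the time-bound governance called for under "Why cloud-native IGA breaks under ephemeral identities", and the practitioner items above (time-bound access, named ownership, unified audit evidence) fit together in one small ledger. The Python below is an added example, not code from the Apono article or from NHIMG. It refuses to register an identity without a named owner, records each just-in-time grant with an approver, a narrow scope and a hard expiry, refuses use after expiry, runs a sweep that revokes expired grants and flags credentials past rotation age and identities past their planned retirement, and returns the evidence chain an auditor asks for. The identity names, owners, the 90-day rotation threshold, the 8-hour JIT ceiling and the timestamps are constructed; a real system would back the ledger with the cloud provider's credential APIs and a central log store.

```python
"""NHI lifecycle ledger: ownership, JIT grants, sweeps and audit evidence.
Added example, not code from the Apono article or from NHIMG. Identities need
a named owner; grants carry approver, scope and expiry; a sweep revokes expired
grants and flags rotation and offboarding debt. Values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Identity:
    name: str
    owner: str                          # named human or team, never empty
    last_rotated: datetime
    retire_after: "datetime | None" = None   # planned end of life, if known


@dataclass
class Grant:
    grant_id: str
    identity: str
    scope: tuple                        # action-level scope, kept task-specific
    approver: str
    issued: datetime
    expires: datetime
    used_at: list = field(default_factory=list)
    revoked: bool = False


class Ledger:
    ROTATION_MAX = timedelta(days=90)   # constructed policy threshold
    GRANT_TTL_MAX = timedelta(hours=8)  # anything longer is standing access

    def __init__(self):
        self.identities, self.grants = {}, {}

    def register(self, name, owner, now, retire_after=None):
        """Provisioning checkpoint: no owner, no identity."""
        if not owner:
            raise ValueError(f"{name}: every NHI needs a named owner")
        self.identities[name] = Identity(name, owner, now, retire_after)

    def grant(self, identity, scope, approver, now, ttl):
        """JIT grant, recorded with its approver and a hard expiry."""
        if identity not in self.identities:
            raise KeyError(f"unregistered identity: {identity}")
        if ttl > self.GRANT_TTL_MAX:
            raise ValueError("TTL exceeds JIT limit; refuse standing access")
        g = Grant(f"g-{len(self.grants) + 1}", identity, tuple(scope), approver, now, now + ttl)
        self.grants[g.grant_id] = g
        return g.grant_id

    def use(self, grant_id, now):
        """Runtime enforcement: an expired or revoked grant is refused."""
        g = self.grants[grant_id]
        if g.revoked or now >= g.expires:
            return False
        g.used_at.append(now)
        return True

    def active_grants(self, now):
        """Answers 'who or what can still act right now'."""
        return sorted(g.grant_id for g in self.grants.values() if not g.revoked and now < g.expires)

    def sweep(self, now):
        """Continuous review: revoke expired grants, flag rotation and offboarding debt."""
        findings = []
        for g in self.grants.values():
            if not g.revoked and now >= g.expires:
                g.revoked = True
                findings.append(("revoked-expired", g.grant_id))
        for i in self.identities.values():
            if now - i.last_rotated > self.ROTATION_MAX:
                findings.append(("rotation-overdue", i.name))
            if i.retire_after and now >= i.retire_after:
                findings.append(("offboard-due", i.name))
        return findings

    def evidence(self, grant_id):
        """Audit chain: who approved, when it expired, which identity consumed it."""
        g = self.grants[grant_id]
        return {"identity": g.identity, "owner": self.identities[g.identity].owner,
                "scope": list(g.scope), "approved_by": g.approver,
                "issued": g.issued.isoformat(), "expired": g.expires.isoformat(),
                "used": [t.isoformat() for t in g.used_at], "revoked": g.revoked}


def demo():
    """One long-lived CI identity and one one-day migration job through the lifecycle."""
    t0 = datetime(2025, 10, 27, 9, 0, tzinfo=timezone.utc)
    led = Ledger()
    led.register("ci-deploy", "platform-team", now=t0 - timedelta(days=120))
    led.register("migration-job", "data-eng", now=t0, retire_after=t0 + timedelta(days=1))
    gid = led.grant("ci-deploy", ["lambda:UpdateFunctionCode"], "alice", t0, timedelta(minutes=30))
    used = led.use(gid, t0 + timedelta(minutes=5))        # inside the window
    active = led.active_grants(t0 + timedelta(minutes=5))
    late = led.use(gid, t0 + timedelta(hours=1))          # after expiry: refused
    findings = led.sweep(t0 + timedelta(days=2))          # later review run
    return {"used": used, "late": late, "active_at_use": active,
            "findings": findings, "evidence": led.evidence(gid)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Enforcement and oversight are separate paths, as the page distinguishes them: `use()` refuses an expired grant at runtime even if no sweep has run yet, and `sweep()` later records the revocation and the rotation and offboarding findings for the review record. And `evidence()` answers the audit question directly from the ledger (owner, approver, issue and expiry time, every consumption), which is only possible because the grant was recorded with those fields at issue time rather than reconstructed afterwards from console reports.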
Key takeaways
- Cloud-native IGA fails when it tries to govern identities that are faster than its review cycles.
- Machine identities now dominate the access estate, so human-first governance leaves the largest risk class undercontrolled.
- Time-bound access, entitlement cleanup, and named lifecycle ownership are the controls that turn NHI governance into an auditable process.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets; NHI1:2025 Improper Offboarding | Overprivileged NHIs, long-lived credentials, and missing offboarding are the failure modes central to the article. |
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorisations managed, enforced, and reviewed under least privilege; PR.AC-4 in CSF 1.1) | Access permissions and lifecycle control map directly to governance and least privilege. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1): per-session access, dynamic policy, policy decision and enforcement points | The article's JIT and no-standing-access framing aligns with Zero Trust access decisions. |
Inventory, rotate, and retire NHI credentials before they become standing access paths.
Key terms
- Identity And Access Governance: Identity and access governance is the discipline that decides whether access should exist, who approved it, and whether it remains appropriate over time. It sits above runtime enforcement by focusing on accountability, certification, and auditability across human and non-human identities.
- Non-Human Identity: A non-human identity is a machine, workload, service account, token, certificate, or automation identity used to authenticate and act in systems. In cloud environments, these identities often outnumber people and require their own lifecycle, ownership, and review controls.
- Just-In-Time Access: Just-in-time access is a time-bound access model that grants privileges only when a task requires them and removes them automatically afterward. For non-human identities, the control only works if the task scope and entitlement set are both tightly constrained.
- Just-Enough Privilege: Just-enough privilege is the practice of giving an identity only the minimum permissions needed for a specific action. For machine identities, the challenge is not only reducing rights, but ensuring those rights cannot be recombined into broader access than intended.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Apono: Identity and Access Governance (IGA): Definition & Differentiation Explained. Read the original.
Published by the NHIMG editorial team on 2025-10-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org