TL;DR: Identity governance now spans employees, contractors, service accounts, and AI agents, because access decisions that live in tickets and spreadsheets cannot keep pace with hybrid, multi-cloud, and regulated environments, according to SafePaaS. The governance problem is no longer just compliance hygiene; it is a control-plane issue for NHI risk, privilege drift, and auditability.
At a glance
What this is: This is a SafePaaS analysis of identity governance, arguing that access decisions must cover both human identities and NHIs across modern enterprise environments.
Why it matters: It matters because IAM teams need governance controls that can certify, revoke, and prove access for service accounts and AI agents, not just employees.
Context
Identity governance is the layer that decides who or what should have access, why that access exists, and when it should be removed. In modern environments, that question now extends to NHIs such as service accounts, API keys, certificates, and AI agents, which often outnumber human identities and are harder to review manually.
The governance gap is not technical authentication alone. It is the absence of a repeatable way to approve, certify, and revoke access across ERP, SaaS, cloud, and business applications, which is why identity governance has become central to NHI management rather than a separate compliance function.
Key questions
Q: How should organisations govern non-human identities alongside employee access?
A: Organisations should govern NHIs with the same discipline used for human access, but with stronger lifecycle ownership and expiry controls. That means inventorying service accounts, tokens, certificates, and agents, assigning business ownership, and tying every entitlement to a documented purpose. Governance is incomplete if machine access cannot be approved, certified, and removed on demand.
Q: What is the difference between IAM and identity governance?
A: IAM enforces access at runtime, while identity governance decides which access should exist in the first place and whether it remains appropriate. IAM handles authentication and permission checks. Governance handles policy, approvals, certifications, segregation of duties, and revocation. Both are needed, but governance is what makes access defensible to auditors and risk teams.
Q: Why do AI agents create new identity governance risks?
A: AI agents create new risk because they can act with delegated authority, access multiple systems, and take actions without a human reviewing every step. That makes their permissions harder to certify and their blast radius harder to predict. Organisations need policy boundaries, ownership, and traceability before agents are allowed to operate broadly.
Q: When should access reviews move beyond calendar-based certification?
A: Access reviews should move beyond calendar-based certification when identities change frequently, when workflows are automated, or when privileged access can persist after a project ends. Lifecycle-triggered reviews are more reliable because they react to role changes, pipeline changes, and offboarding events. That approach reduces orphaned access and catches drift sooner.
Technical breakdown
How identity governance differs from runtime IAM
Identity governance sits above runtime enforcement. IAM handles login, MFA, and application-level permission checks, while governance defines which access should exist, who approved it, whether duties conflict, and when entitlements should expire. That separation matters because a system can authenticate perfectly and still expose excessive or stale access if governance is weak. For NHIs, the same pattern applies to service accounts and AI agents: credentials may work as designed while the underlying access model drifts away from policy. Governance is therefore the policy layer that constrains IAM, not a reporting afterthought.
Practical implication: Map approvals, certifications, and revocations to the governance layer, then enforce them in IAM and application controls.
Why NHIs complicate access certification and SoD
Non-human identities do not behave like employees. They may be created by pipelines, embedded in applications, used by integrations, or left behind after a project ends. That makes access certification harder because reviewers often lack business context for a service account or API token, and segregation of duties checks must account for machine-to-machine workflows as well as human approval chains. Without lifecycle controls, orphaned credentials and role creep persist long after the original purpose disappears. Certifications and SoD rules therefore need to extend to NHIs, carrying ownership, purpose, and expiration metadata.
Practical implication: Require business owners for NHIs and review machine entitlements on the same cadence as privileged human access.
Policy-based governance across SaaS, ERP, and AI agents
The architectural challenge is not one application. It is consistent policy across many systems with different entitlement models. Policy-based identity governance centralises rules so access can be evaluated against roles, risk, and conflicts across ERP, SaaS, databases, and agentic workflows. That becomes essential when AI agents can act with delegated authority, because their access needs to be bounded by the same least-privilege logic used for human users. The goal is to define policy once, then propagate it across identity sources and workload identities.
Practical implication: Use one policy model for users, service accounts, and AI agents so access drift is visible across environments.
Threat narrative
Attacker objective: The attacker wants durable access that survives normal review cycles and can be used without immediate detection or accountability.
- Entry occurs when overprivileged or orphaned non-human credentials remain active after the original workflow changes.
- Escalation follows when those credentials can reach multiple systems or perform toxic combinations of actions without timely review.
- Impact is realised through fraud, data exposure, or untraceable changes because the organisation cannot explain why the access still existed.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is becoming the control plane for NHI risk. Authentication proves an identity can log in, but governance proves the identity should still have that access. As NHIs multiply across cloud, SaaS, and automation workflows, the governance question becomes more important than the login event. Practitioners should treat approvals, certifications, and revocations as first-class security controls.
Machine identities expose the limits of human-centric access review. A service account or AI agent rarely has a manager who understands its full blast radius, so traditional recertification workflows miss stale or excessive entitlements. Governance programmes that fail to assign ownership and purpose to NHIs will accumulate access debt. Practitioners need lifecycle metadata, not just inventory.
Policy-based access is the only scalable answer when identities span ERP, cloud, and agents. Ad hoc role assignment cannot keep pace with hybrid systems and delegated machine actions. The governance model must express least privilege once and apply it consistently across users and NHIs. Practitioners should standardise policy enforcement before AI agents become another unmanaged access class.
Identity governance and AI governance are converging. As autonomous systems gain execution authority, the same controls used for human access will need to constrain machine decision paths, data reach, and privilege boundaries. That does not mean AI gets special treatment; it means governance becomes identity-agnostic. Practitioners should plan for a single governance model that covers people, service accounts, and agents alike.
Auditability is now a design requirement, not a reporting output. If teams cannot reconstruct who approved access, why it was granted, and when it was removed, the control is incomplete. Auditors will continue asking for evidence, but security teams should treat evidence generation as part of the access lifecycle. Practitioners should build traceability into every entitlement decision.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most governance programmes still cannot certify machine access with confidence.
- That visibility gap is why teams should pair policy review with lifecycle controls in Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs, not rely on manual review alone.
What this signals
Identity governance programmes that stop at employee access will miss the largest operational risk surface. NHIs are now embedded in application workflows, integration paths, and AI systems, which means governance must shift from user administration to identity lifecycle control. With NHIs outnumbering human identities by 25x to 50x, a governance programme needs machine ownership, expiry, and recertification built in from the start.
Access review will become more valuable when it is tied to events instead of dates. A calendar campaign cannot keep pace with pipeline changes, role changes, or agent behaviour. Practitioners should use lifecycle signals, then anchor policy decisions to the Govern and Protect functions of NIST Cybersecurity Framework 2.0.
Identity governance is converging with Zero Trust and NHI policy design. That means access should be continuously justified, not permanently assumed, especially where machine identities can act at scale. Teams that already align to NIST SP 800-207 Zero Trust Architecture should extend the same logic to service accounts and AI agents.
For practitioners
- Extend governance scope to NHIs and agents: Inventory service accounts, API keys, certificates, and AI agents alongside human users, then assign business ownership, purpose, and expiry to each identity. This is the minimum structure needed to make access review and offboarding defensible.
- Separate approvals from enforcement: Use a policy layer for request, approval, certification, and revocation, then push the resulting entitlements into IAM and application controls. This reduces spreadsheet-driven exceptions and keeps governance decisions auditable.
- Automate toxic access checks: Continuously evaluate segregation of duties conflicts and high-risk combinations across ERP, SaaS, and cloud systems, including machine-to-machine paths. Focus on preventing access combinations that can enable fraud or unauthorised changes.
- Build recertification around lifecycle events: Trigger reviews on role change, application change, pipeline change, and offboarding rather than relying only on calendar-based campaigns. NHIs change silently, so lifecycle-driven review catches risk earlier.
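The four practitioner steps above, carried through as an added example (not SafePaaS's or NHIMG's code): a small Python review pass over a constructed identity inventory that checks NHI ownership, purpose and expiry metadata, flags toxic entitlement combinations for humans and machines alike, and triggers recertification on lifecycle events rather than a calendar. The entitlement names, conflict pairs, event names and identities are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed SoD conflict pairs: one identity holding both can create and approve.
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"}),
                 frozenset({"deploy_prod", "approve_change"})}
# Lifecycle events that trigger an out-of-cycle recertification (assumed names).
RECERT_EVENTS = {"role_change", "app_change", "pipeline_change", "owner_offboarded"}

@dataclass
class Identity:
    name: str
    kind: str                          # "human", "service_account" or "ai_agent"
    entitlements: set
    owner: "str | None" = None         # business owner; required for NHIs
    purpose: "str | None" = None       # documented reason the access exists
    expires: "date | None" = None      # hard expiry; required for NHIs
    events: set = field(default_factory=set)  # lifecycle events since last review

def review(ident: Identity, today: date) -> list:
    """Return governance findings for one identity; an empty list means it passes."""
    findings = []
    if ident.kind != "human":          # NHIs need owner, purpose and expiry metadata
        for attr in ("owner", "purpose", "expires"):
            if getattr(ident, attr) is None:
                findings.append("no_" + attr)
    if ident.expires is not None and ident.expires < today:
        findings.append("expired")
    for pair in SOD_CONFLICTS:         # toxic combinations apply to machine paths too
        if pair <= ident.entitlements:
            findings.append("sod_conflict:" + "+".join(sorted(pair)))
    if "owner_offboarded" in ident.events:
        findings.append("orphaned")
    if ident.events & RECERT_EVENTS:   # event-driven review, not a calendar campaign
        findings.append("recertify")
    return findings

def run_campaign(inventory, today: date) -> dict:  # name -> findings, ready to action
    return {i.name: review(i, today) for i in inventory}

# Constructed sample inventory (not real identities or entitlements).
INVENTORY = [
    Identity("alice", "human", {"create_vendor"}),
    Identity("svc-erp-sync", "service_account", {"create_vendor", "approve_payment"},
             owner="finance-ops", purpose="nightly ERP sync", expires=date(2026, 6, 30)),
    Identity("agent-deploy-bot", "ai_agent", {"deploy_prod"}, purpose="prod deploys",
             expires=date(2025, 12, 31), events={"pipeline_change"}),
    Identity("svc-legacy-report", "service_account", {"read_reports"}, owner="bob",
             events={"owner_offboarded"}),
]
```

Calling `run_campaign(INVENTORY, date(2026, 1, 22))` yields no findings for the human user, an SoD conflict for the ERP service account, an expired and ownerless AI agent due for recertification, and an orphaned legacy account with missing purpose and expiry.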
Key takeaways
- Identity governance is no longer just an audit function, because NHIs now carry real operational and security risk.
- Machine identities need ownership, purpose, and expiry or they will keep accumulating access that no one can defend.
- The practical response is policy-driven lifecycle control that spans people, service accounts, and AI agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access review and stale credentials are central to this article's governance focus. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege governance aligns with access authorisation and review. |
| NIST Zero Trust (SP 800-207) | | Continuous verification is needed when NHIs and agents act across environments. |
Apply Zero Trust principles to NHI access by assuming credentials need continuous justification.
Key terms
- Identity Governance: Identity governance is the discipline that decides which identities should have access, why that access exists, and when it should be removed. It combines policy, review, approval, certification, and revocation so access remains auditable and aligned to business risk across human and non-human identities.
- Non-Human Identity: A non-human identity is any digital identity used by software, infrastructure, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, and AI agents, all of which can authenticate, call systems, and accumulate privilege if they are not governed through lifecycle controls.
- Segregation of Duties: Segregation of duties is the practice of preventing a single identity from holding conflicting permissions that could enable fraud, abuse, or unsafe changes. In NHI programmes, it must be applied to machine workflows as well as human roles, because automation can combine actions faster and at greater scale.
- Access Certification: Access certification is the periodic review of whether an identity still needs its current entitlements. For NHIs, certification is only reliable when reviewers know the identity's owner, purpose, and expiry, otherwise stale machine access can persist long after the original use case has ended.
Deepen your knowledge
Identity governance for NHIs and AI agents is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is expanding governance beyond human access, this is the right place to build that model.
This post draws on content published by SafePaaS: What is Identity Governance? Read the original.
Published by the NHIMG editorial team on 2026-01-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org