TL;DR: As enterprises accelerate digital transformation, unmanaged identities, orphaned accounts, and sprawl across hybrid environments are creating a blind spot that SSO and MFA cannot cover, according to SPHERE Technology Solutions. Non-human identities now outnumber human identities 82 to 1, making upstream hygiene and continuous evidence-driven monitoring central to IAM and PAM governance.
At a glance
What this is: This is an analysis of why identity hygiene has become a core security layer as non-human identities, orphaned accounts, and excessive privileges outgrow legacy access controls.
Why it matters: It matters because IAM teams now have to govern machine and human access together across hybrid estates, or risk losing control of privilege, compliance evidence, and downstream blast radius.
By the numbers:
- In the article, non-human identities outnumber human identities 82 to 1.
👉 Read SPHERE Technology Solutions' analysis of identity hygiene and NHI sprawl
Context
Identity hygiene is the discipline of finding, validating, and controlling identities before they become unmanaged risk. In this context, the primary issue is NHI sprawl across hybrid environments, where service accounts, tokens, and orphaned credentials expand faster than legacy IAM reviews can keep up.
SPHERE Technology Solutions frames the problem as a gap that SSO and MFA do not solve on their own. For security teams, the hard part is not just authenticating users, but continuously proving which non-human identities exist, who owns them, and whether their privileges still match real business need.
Key questions
Q: How should security teams govern non-human identities in hybrid environments?
A: They should treat non-human identities as a governed population with ownership, lifecycle, and entitlement controls, not as a by-product of application delivery. The first step is discovery, followed by assignment of accountable owners, privilege review, and continuous validation that each credential still exists for a business reason. Without that discipline, hidden access persists well beyond its intended use.
Q: Why do SSO and MFA fail to control NHI risk?
A: SSO and MFA mainly protect human authentication flows. They do not discover or govern service accounts, API keys, certificates, or orphaned machine identities, so they miss the access layer that often carries the most persistent privilege. As a result, organisations can have strong login security and still retain unmanaged non-human access paths.
Q: When should organisations move from point-in-time reviews to continuous identity monitoring?
A: They should move when identity state changes faster than their review cycle can meaningfully observe. If machine accounts, privileges, or ownership records can drift between quarterly reviews, the programme is already blind between checkpoints. Continuous monitoring is the right model when evidence, not just policy, has to prove control health in near real time.
Q: What does upstream hygiene mean for PAM programmes?
A: Upstream hygiene means cleaning identity records, ownership data, and entitlement mappings before privileged access controls try to enforce them. If source data is stale or polluted, PAM simply manages inherited risk more efficiently. Teams should use hygiene to reduce privilege sprawl at the identity layer first, then harden privileged workflows on top.
Technical breakdown
Why SSO and MFA do not solve NHI sprawl
SSO and MFA strengthen human authentication, but they do not discover service accounts, API keys, certificates, or orphaned accounts. Those identities often sit outside user-centric processes, which means they can persist long after their original purpose has ended. In hybrid estates, that creates a parallel access layer that traditional login controls never fully see. Once those credentials accumulate, access reviews become incomplete by design because the inventory itself is stale. The result is a governance gap, not just an authentication gap.
Practical implication: teams need discovery and ownership controls for non-human identities, not only stronger human login controls.
Upstream hygiene in Active Directory and PAM
Upstream hygiene means fixing identity data and entitlement quality before access decisions cascade into broader risk. In Active Directory modernisation projects, stale group membership, dormant accounts, and excess privilege can silently carry forward into new platforms and PAM workflows. If the source identity graph is polluted, privileged access tools simply manage bad inputs more efficiently. Upstream hygiene therefore sits ahead of enforcement, because the quality of the identity record determines whether downstream controls are trustworthy. This is a governance problem as much as an architecture problem.
Practical implication: clean identity sources and privilege mappings before expanding PAM or migration programmes.
Continuous monitoring versus point-in-time compliance
Point-in-time assessments answer what was true on the day of review, while continuous monitoring shows whether identity state is drifting in real time. That distinction matters when non-human identities and privileges change faster than quarterly recertification cycles. Evidence-driven compliance is stronger because it ties each identity and entitlement to current proof of ownership, rotation, and use. For boards and auditors, this shifts the question from whether controls exist to whether they are producing reliable evidence at the pace the business now operates.
Practical implication: move from periodic attestations to continuous evidence collection for ownership, rotation, and privileged access.
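The three breakdown sections above describe discovery, upstream hygiene and continuous evidence in prose. The script below is an added example for this page, not code from SPHERE Technology Solutions or NHIMG: it runs a point-in-time hygiene review (ownership, rotation age, use, and privilege) over a constructed identity inventory, then diffs two inventory snapshots to surface the drift a quarterly review would miss. The record schema, the rotation and dormancy thresholds, the `ADMIN_PRIVILEGES` set and the sample identities are all assumptions; a real inventory would be normalised from AD, cloud IAM, vault and CI sources before these checks run.

```python
# Identity-hygiene checks over a constructed NHI inventory. Added example for this page,
# not code from SPHERE Technology Solutions or NHIMG; schema, thresholds and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

ROTATION_MAX_DAYS = 90   # assumed policy: a secret older than this is overdue for rotation
DORMANT_DAYS = 60        # assumed policy: no observed use for this long means dormant
ADMIN_PRIVILEGES = {"admin", "owner", "iam:*"}  # assumed labels for admin-level entitlements


@dataclass
class Identity:
    name: str
    kind: str                      # service_account | api_key | certificate
    owner: Optional[str]           # accountable human owner, None if unknown
    secret_rotated: datetime       # when the credential was last issued or rotated
    last_used: Optional[datetime]  # last observed authentication, None if never seen
    privileges: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    identity: str
    rule: str
    detail: str


def hygiene_findings(inventory: List[Identity], active_people: Set[str], now: datetime) -> List[Finding]:
    """Point-in-time review: ownership, rotation age, use and privilege for each identity."""
    findings: List[Finding] = []
    for ident in inventory:
        # No owner, or an owner who has left, means nobody is accountable for this credential.
        if ident.owner is None or ident.owner not in active_people:
            findings.append(Finding(ident.name, "orphaned", f"owner={ident.owner!r} missing or inactive"))
        age = (now - ident.secret_rotated).days
        if age > ROTATION_MAX_DAYS:
            findings.append(Finding(ident.name, "rotation_overdue", f"secret is {age} days old"))
        idle = None if ident.last_used is None else (now - ident.last_used).days
        dormant = idle is None or idle > DORMANT_DAYS
        if dormant:
            findings.append(Finding(ident.name, "dormant", "never used" if idle is None else f"unused {idle} days"))
        # Admin-level privilege on an identity nobody uses is the hidden path the threat narrative describes.
        admin = ident.privileges & ADMIN_PRIVILEGES
        if admin and dormant:
            findings.append(Finding(ident.name, "excess_privilege", f"{sorted(admin)} held by a dormant identity"))
    return findings


def detect_drift(previous: Dict[str, Identity], current: Dict[str, Identity]) -> List[Finding]:
    """Continuous-monitoring view: what changed between two inventory snapshots."""
    drift: List[Finding] = []
    for name, ident in current.items():
        old = previous.get(name)
        if old is None:
            drift.append(Finding(name, "new_identity", f"{ident.kind} appeared, owner={ident.owner!r}"))
            continue
        added = ident.privileges - old.privileges
        if added:
            drift.append(Finding(name, "privilege_added", f"gained {sorted(added)}"))
        if ident.owner != old.owner:
            drift.append(Finding(name, "owner_changed", f"{old.owner!r} -> {ident.owner!r}"))
    for name in previous.keys() - current.keys():
        drift.append(Finding(name, "identity_removed", "no longer in inventory"))
    return drift


def build_sample():
    """Constructed data: last quarter's snapshot, today's snapshot, active staff, and 'now'."""
    now = datetime(2025, 9, 18, tzinfo=timezone.utc)
    d = lambda days: now - timedelta(days=days)  # a timestamp `days` ago
    active_people = {"alice", "bob"}  # carol has been offboarded since the last review
    current = {
        "svc-backup": Identity("svc-backup", "service_account", "alice", d(30), d(1), {"backup:read"}),
        "svc-etl-legacy": Identity("svc-etl-legacy", "service_account", "carol", d(400), d(200), {"admin"}),
        "api-key-ci": Identity("api-key-ci", "api_key", None, d(10), d(2), {"repo:write"}),
        "cert-gateway": Identity("cert-gateway", "certificate", "bob", d(120), None, set()),
    }
    previous = {
        "svc-backup": Identity("svc-backup", "service_account", "alice", d(120), d(91), {"backup:read"}),
        "svc-etl-legacy": Identity("svc-etl-legacy", "service_account", "carol", d(400), d(290), {"etl:read"}),
        "cert-gateway": Identity("cert-gateway", "certificate", "bob", d(120), None, set()),
        "svc-decommissioned": Identity("svc-decommissioned", "service_account", "bob", d(300), None, {"admin"}),
    }
    return previous, current, active_people, now


def run_example():
    """Run both views over the constructed sample; returns (findings, drift)."""
    previous, current, active_people, now = build_sample()
    return hygiene_findings(list(current.values()), active_people, now), detect_drift(previous, current)


if __name__ == "__main__":
    findings, drift = run_example()
    for label, rows in (("Point-in-time findings", findings), ("Drift since last snapshot", drift)):
        print(f"{label}:")
        for f in rows:
            print(f"  {f.identity:<18} {f.rule:<17} {f.detail}")
```

Run stand-alone, the point-in-time pass flags `svc-etl-legacy` four times (orphaned owner, overdue rotation, dormant, admin privilege on a dormant identity), `api-key-ci` once (no owner) and `cert-gateway` twice (overdue rotation, never used). Only the snapshot diff shows that `svc-etl-legacy` gained `admin` since the last review and that `api-key-ci` appeared with no owner at all, which is the gap between a quarterly attestation and continuous evidence: both identities would have passed, or not existed, at the previous checkpoint.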
Threat narrative
Attacker objective: The attacker wants durable access through an identity the organisation no longer actively governs.
- Entry begins with unmanaged identities, orphaned accounts, or long-lived secrets that remain valid after their original owner or purpose has changed.
- Escalation follows when excessive privileges and stale ownership allow those identities to be reused across hybrid systems and administrative workflows.
- Impact occurs when the unused or over-privileged identity becomes a hidden path to data access, privileged actions, or compliance failure.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity hygiene has become the missing control plane for hybrid IAM. SSO and MFA are necessary, but they do not solve discovery, ownership, or entitlement drift for service accounts and other machine identities. The real problem is that enterprises still treat identity as a login event instead of a continuously changing asset inventory. That leaves boards with a false sense of coverage. Practitioners should treat hygiene as a governing layer, not an afterthought.
NHI sprawl is the clearest sign that identity programmes are undercounting risk. The article's 82 to 1 ratio signals that most enterprises are governing a machine identity population far larger than their human estate. That changes how privilege should be measured, because the attack surface is no longer dominated by employees alone. The implication is that IAM roadmaps built around human access volumes are already incomplete.
Upstream hygiene is where PAM value is either protected or diluted. If identities, ownership records, and privileges are dirty before they reach privileged controls, PAM becomes a containment layer for bad data rather than a risk reducer. This is especially visible in AD modernisation and hybrid consolidation programmes, where inherited access often survives the migration. Practitioners should re-evaluate whether their PAM investment is enforcing policy or merely preserving legacy entitlement sprawl.
Continuous evidence changes compliance from episodic proof to operational assurance. Point-in-time reviews were designed for slower identity environments, not estates where machine accounts, keys, and certificates move constantly. Continuous monitoring does not replace governance, it makes governance testable every day. The practitioner conclusion is clear: if evidence cannot keep pace with identity churn, the control model is already behind reality.
Identity hygiene is where human IAM, NHI governance, and agentic AI oversight converge. The article points toward a broader market shift: the same ownership, lifecycle, and privilege problems now span people, workloads, and autonomous systems. That makes identity governance less about product categories and more about whether an organisation can maintain trustworthy identity state across all actors. Practitioners should expect convergence, not siloed fixes.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Use the NHI Lifecycle Management Guide to turn identity hygiene into a lifecycle discipline rather than a one-time cleanup exercise.
What this signals
NHI hygiene will increasingly define whether IAM programmes can scale. If organisations cannot keep ownership, rotation, and privilege data current for machine identities, their governance model will fragment under hybrid growth. The practical signal is that identity teams need one control view across people and non-people, not separate maturity tracks.
Identity sprawl is becoming a board-level assurance problem, not just an operations issue. With non-human identities multiplying faster than manual review cycles can handle, evidence has to become continuous and machine-readable. That pushes IAM, PAM, and compliance teams toward shared telemetry, shared ownership, and shared reporting.
Upstream identity quality is now a prerequisite for downstream control effectiveness. The cleaner the source identity graph, the more credible PAM, recertification, and audit evidence become. Teams that delay hygiene work will keep paying for it in exception handling and control drift.
For practitioners
- Inventory non-human identities continuously: build a living inventory of service accounts, API keys, certificates, and other machine identities across hybrid platforms, and assign an owner to every record.
- Reconcile privileged access before PAM expansion: clean stale accounts, orphaned entitlements, and inherited AD groups before extending privileged access workflows into new environments.
- Shift compliance from snapshots to evidence streams: collect current proof of ownership, rotation status, and usage for each identity so auditors can verify control health continuously rather than quarterly.
- Separate human login assurance from machine identity governance: keep MFA and SSO focused on human users, while using distinct controls for discovery, lifecycle, and privilege management of non-human identities.
Key takeaways
- Legacy login controls do not solve non-human identity sprawl, because the risk sits in discovery, ownership, and privilege drift.
- The article's 82 to 1 figure shows that machine identities are already large enough to dominate the governance problem in many enterprises.
- Practitioners should treat identity hygiene as a continuous lifecycle discipline that protects PAM, compliance evidence, and hybrid access control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Orphaned accounts, excess privilege, and unrotated credentials map directly to these three entries. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions, entitlements, and authorisations managed, enforced, and reviewed under least privilege across hybrid identity estates. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Dynamic, continuously evaluated authorisation fits the article's move from static review to ongoing identity assurance. |
Map machine identities to NHI1, NHI5, and NHI7 and verify that ownership, rotation, and revocation are continuously enforced.
Key terms
- Identity Hygiene: Identity hygiene is the ongoing discipline of discovering, validating, and cleaning identity state before it turns into security debt. In practice, it covers ownership, entitlement accuracy, rotation, offboarding, and evidence that identities still have a legitimate business purpose.
- Non-Human Identity: A non-human identity is a digital identity used by software, services, workloads, or autonomous systems rather than a person. It includes service accounts, API keys, tokens, and certificates, and it often carries privileges that persist longer and move faster than human access.
- Upstream Hygiene: Upstream hygiene is the practice of fixing identity data and privilege quality at the source before those records feed PAM, compliance, or access workflows. It matters because downstream controls cannot reliably govern identities when the underlying inventory is stale, incomplete, or inconsistent.
- Continuous Evidence: Continuous evidence is operational proof that identity controls are working now, not just at the time of an audit. It replaces one-off snapshots with current signals about ownership, rotation, access, and usage, which is essential when identities change too quickly for periodic review alone.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SPHERE Technology Solutions: the VMblog Q&A on identity hygiene and non-human identity sprawl. Read the original.
Published by the NHIMG editorial team on 2025-09-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org