By NHI Mgmt Group Editorial Team
Published 2025-09-19
Domain: Governance & Risk
Source: SPHERE Technology Solutions

TL;DR: Unmanaged identities, orphaned accounts, and sprawling privileges are outpacing traditional controls, while non-human identities now outnumber human identities 82 to 1, according to SPHERE Technology Solutions. The governance problem is no longer authentication alone, but upstream identity hygiene across hybrid environments.


At a glance

What this is: This is an analyst Q&A on why identity hygiene has become a core control layer as NHI sprawl, orphaned accounts, and privilege drift outgrow SSO and MFA.

Why it matters: It matters because IAM teams now have to govern service accounts, API keys, tokens, and certificates with the same rigor they apply to human access, or board-level risk keeps rising.

By the numbers:



Context

Traditional identity programmes still assume the main problem is human authentication, but hybrid environments now create a broader governance gap: unmanaged identities, orphaned accounts, and excessive privileges that sit outside SSO and MFA. In practice, the control plane has shifted upstream, where identity hygiene determines whether access is knowable, reviewable, and revocable.

SPHERE Technology Solutions frames this as "Identity Hygiene", a way to treat identity clean-up, privilege control, and continuous monitoring as foundational rather than optional. That lens is relevant across human IAM, NHI governance, PAM, and lifecycle management because the same failure pattern keeps appearing: access exists before anyone can confidently explain why it exists.

The article also points to Active Directory modernisation, PAM investment, compliance evidence, and agentic AI automation as the pressure points where old operating models break first. The starting position is typical for large enterprises, not exceptional, which is why the issue now has board-level relevance.


Key questions

Q: How should teams govern non-human identities in hybrid environments?

A: Teams should treat non-human identities as first-class assets with ownership, purpose, review, and offboarding rules. The practical test is whether each service account, API key, or certificate can be traced to a business function and removed when that function ends. Without that discipline, hybrid environments turn into hidden privilege archives.

Q: Why do unmanaged identities increase IAM risk even when SSO and MFA are deployed?

A: Because SSO and MFA only cover interactive human authentication, not the full set of service accounts, secrets, and delegated machine credentials that operate outside login flows. If those identities are unmanaged, they can persist, multiply, and retain privilege without the same visibility that human access gets.

Q: What do security teams get wrong about identity hygiene?

A: They often treat identity hygiene as clean-up after the real work is done, when it is actually the condition that makes the rest of the programme reliable. If ownership is unclear and stale access is still active, PAM, compliance reporting, and access reviews all inherit bad data and weaker decisions.

Q: How should organisations respond when automation expands the number of identities they must govern?

A: They should widen governance to include machine identities and any AI-driven access paths before the volume becomes unmanageable. That means enforcing ownership, limiting standing access, and requiring continuous evidence for creation, use, and retirement so automation does not outpace oversight.


Technical breakdown

Why SSO and MFA do not solve NHI sprawl

SSO and MFA are strong human authentication controls, but they do not govern the full lifecycle of non-human identities. Service accounts, API keys, tokens, and certificates often live outside interactive login flows, so they can remain active without the visibility and challenge steps that human access goes through. That creates a different control problem: not proving a person is present, but knowing which machine identities exist, where they are used, and whether they still need access. When those identities are unmanaged, the risk is privilege accumulation and silent persistence.

Practical implication: treat SSO and MFA as human controls and pair them with inventory, ownership, and lifecycle controls for NHIs.

What upstream identity hygiene changes in hybrid environments

Upstream hygiene means controlling identity data and privilege state before access becomes operationally messy. In hybrid environments, that includes discovering orphaned accounts, correlating ownership, removing stale entitlements, and reducing privilege overlap across directories, cloud services, and on-prem systems. The goal is not just cleaner records. It is to make identity state reliable enough that PAM, compliance, and remediation actions work from current evidence rather than stale assumptions. Without that upstream layer, downstream controls inherit ambiguity.

Practical implication: build identity inventory and ownership reconciliation into the front of IAM and PAM workflows, not the end.

Identity hygiene and agentic AI automation

Agentic AI raises the stakes because autonomous systems can create or consume access faster than manual review cycles can observe. Even when an agent is constrained, it still multiplies the number of identities, secrets, and delegated privileges that must be tracked. That means the hygiene problem expands from static account clean-up to runtime governance of machine and agent identities. If organisations cannot already keep service accounts and tokens current, they will struggle to govern AI-driven access paths with any confidence.

Practical implication: extend identity governance scope to AI-driven access paths before automation increases the volume of unmanaged credentials.



NHI Mgmt Group analysis

Identity hygiene is now a control layer, not a housekeeping exercise. The article’s central point is that unmanaged identities and orphaned accounts create governance failure before any breach occurs. SSO and MFA do not address the identity objects that live outside interactive login, so enterprises need a discipline that treats identity state as a continuously managed security asset. The practitioner conclusion is simple: if identity cannot be accounted for, it cannot be governed.

The 82 to 1 NHI ratio is not a volume statistic; it is an accountability warning. When non-human identities outnumber humans by that margin, ownership, review, and offboarding cease to be edge cases. That is why the control problem shifts from authenticating users to proving that every secret, token, and service account still has a valid business purpose. Practitioners should read this as a sign that lifecycle governance has become the primary NHI risk surface.

Upstream hygiene is the named concept this market needs. It captures the idea that identity clean-up must happen before entitlements, PAM, and compliance checks can be trusted. This is directly relevant to NHI governance because stale directory state and delegated privileges distort every downstream report. The implication is that evidence-driven monitoring only works when identity records are already coherent.

Agentic AI will compound the same failure mode if organisations do not reset their assumptions. Identity programmes built around periodic review assume access changes slowly enough to inspect after the fact. That assumption weakens when autonomous systems can create, use, and discard privilege at machine speed. The practitioner conclusion is that teams should rethink governance cadence and evidence models before automation turns identity sprawl into identity churn.

PAM investment is only as effective as the identity data feeding it. The article’s emphasis on maximising PAM spend is really a statement about upstream dependency. Privileged access controls cannot compensate for unclear ownership, stale accounts, or hidden identity sprawl. Security teams should treat cleanup and visibility as prerequisites for any meaningful privileged access programme.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which helps explain why orphaned identities and privilege drift remain so difficult to contain.
  • Use the NHI Lifecycle Management Guide to connect visibility with provisioning, rotation, and offboarding decisions.

What this signals

Upstream hygiene is becoming the programme-level control that determines whether downstream IAM work is trustworthy. When identity records are incomplete, every access review, PAM approval, and compliance report inherits the same blind spot. Teams should expect more pressure to prove continuous evidence rather than rely on periodic certification alone.

The gap will widen further as machine identities and AI-driven access paths increase the number of objects that must be owned and reviewed. Organisations that do not have a reliable inventory model for service accounts and secrets will find it harder to absorb automation without creating hidden privilege.

The practical signal is that identity governance is moving from identity verification to identity state management. That shift makes lifecycle discipline and visibility programmes a priority for any team trying to keep hybrid access understandable at enterprise scale.


For practitioners

  • Inventory all non-human identities and assign owners: Build a complete list of service accounts, API keys, tokens, certificates, and other machine identities across hybrid environments. Every identity should have a named owner, a system purpose, and a review cycle so orphaned access can be removed before it accumulates.
  • Remove stale accounts before expanding PAM scope: Use identity hygiene work to identify inactive, duplicated, or unassigned accounts before adding more privileged access tooling. PAM investments work better when the underlying identity records are current and the access paths are already rationalised.
  • Extend governance to AI-driven access paths: Map where automation or agentic AI can create, request, or consume credentials, then require those paths to follow the same ownership and review rules as other non-human identities. If the access path cannot be explained quickly, it should not be left standing.
  • Shift compliance from point-in-time proof to continuous evidence: Replace spreadsheet-based attestations with ongoing monitoring that can show who or what has access right now, why it exists, and when it was last validated. This reduces the gap between a control check and the identity state the check is supposed to describe.

Key takeaways

  • Identity hygiene is emerging as the missing control layer between authentication and governance in hybrid environments.
  • NHI sprawl, orphaned accounts, and excessive privileges create risk that SSO and MFA cannot see on their own.
  • Practitioners need ownership, visibility, and lifecycle controls for machine identities before PAM and compliance evidence can be trusted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and unmanaged credentials map directly to NHI discovery and governance. |
| NIST CSF 2.0 | PR.AC-1 | Unmanaged access and orphaned accounts are access control failures in a hybrid estate. |
| NIST Zero Trust (SP 800-207) | SC-12 | The post is about tightening identity trust assumptions across hybrid access paths. |

Inventory machine identities first, then assign ownership and lifecycle controls before privilege expands.


Key terms

  • Identity Hygiene: Identity hygiene is the practice of keeping identity records, privileges, and lifecycle state accurate enough to trust for security decisions. It goes beyond clean-up and includes discovery, ownership, rotation, offboarding, and continuous validation across human and non-human identities.
  • Upstream Hygiene: Upstream hygiene is the work done before access data reaches downstream controls such as PAM, compliance reporting, or access reviews. It ensures the identity inventory, ownership metadata, and entitlement state are coherent enough that later governance decisions are based on current evidence.
  • Orphaned Account: An orphaned account is an identity that still exists and may still hold access but no longer has a clear owner or business justification. In practice, orphaned accounts are a common source of hidden privilege because they persist after teams, vendors, or systems change.
  • Non-Human Identity: A non-human identity is any credentialed entity used by software, infrastructure, or automation rather than a person. That includes service accounts, API keys, tokens, certificates, workload identities, and AI agents when they are granted independent access to systems or data.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by SPHERE Technology Solutions: an exclusive VMblog Q&A on identity hygiene, NHI growth, and upstream governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org