By NHI Mgmt Group Editorial Team
Published 2026-03-30
Domain: Governance & Risk
Source: Gathid

TL;DR: Identity has become the operating layer for business processes, automation pipelines, cloud workloads and AI agents, and many organisations still cannot inventory what exists or what it can do, according to Gathid. Static identity governance is failing because privilege now changes continuously, trust is relational and AI can exploit misconfigurations in milliseconds rather than hours.


At a glance

What this is: This is an analysis of how identity has outgrown its role as a security control and become the infrastructure layer modern enterprises depend on.

Why it matters: It matters because IAM teams now have to govern human, non-human and agentic identities as operational infrastructure, not as a quarterly access-review exercise.

By the numbers:

👉 Read Gathid's analysis of why identity is becoming critical infrastructure


Context

Identity is the control plane for access, but most programmes still treat it like a list of users and roles. That model breaks once service accounts, API keys, CI/CD bots and AI agents become the entities moving data, changing systems and initiating actions across the enterprise. The real shift this article describes is identity becoming infrastructure in its own right.

The governance gap is not just visibility. It is a failure to model what identities exist, how trust is inherited, and how much damage a credential, token or agent can cause if it is compromised or over-privileged. That makes the topic relevant across NHI, human IAM and autonomous system governance.


Key questions

Q: How should security teams govern identity when it spans people, bots and AI agents?

A: They should govern identity as a unified trust system, not as separate policy islands. The practical move is to inventory every identity type, assign ownership, trace inheritance paths and validate that access still matches current business purpose. Human, non-human and agentic identities all need the same governance discipline, but the review cadence and runtime controls must reflect how quickly each one can act.

Q: Why do service accounts and API keys create so much hidden risk?

A: Because their permissions are often inherited, embedded or forgotten, which makes them easy to overlook and hard to retire. They can also sit inside privilege chains that open far more access than their original purpose suggests. The result is hidden blast radius, especially when the credential is shared across systems or left active after the job is done.

Q: What breaks when identity reviews are only done quarterly?

A: Quarterly reviews miss the reality that access now changes continuously through automation, delegated trust and fast-moving machine workflows. That delay lets over-privilege, orphaned access and inherited permissions persist long enough to become incidents. Review cycles still have value, but they cannot be the only control when identities can be created, reused and abused between review windows.

Q: How do organisations know whether their identity programme is actually working?

A: They should look for a complete inventory, named ownership, reduced standing privilege and a measurable drop in unreviewed privilege paths. If the team cannot answer what identities exist, what they can do and which systems they can reach, the programme is still operating below the level needed to govern modern infrastructure.


Technical breakdown

Why identity becomes infrastructure when trust is relational

Traditional IAM treats identity as a directory object tied to a person or application. In modern environments, identity is relational: a credential can inherit privileges from roles, pipelines, connected services and delegated trust paths. That means risk is not contained in the credential itself. It lives in the graph of who or what can act, chain privileges and reach sensitive systems. Once identity is the mechanism that links business logic to infrastructure, it behaves more like power or network routing than a front-end access check.

Practical implication: model identities as a trust graph, not a static inventory.

How privilege chaining expands blast radius across NHIs

Privilege chaining happens when one identity's access unlocks another trust relationship, creating a path that was never reviewed as a whole. Service accounts, API keys and CI/CD bots often sit inside these chained paths because their permissions are inherited, embedded or loosely owned. That is why a single compromised token can lead to lateral movement, data exposure or infrastructure control. The failure mode is not one bad role. It is a hidden dependency chain that turns isolated entitlements into enterprise-scale blast radius.

Practical implication: trace end-to-end privilege paths before granting or renewing non-human access.

Why AI agents compress identity risk into milliseconds

AI agents change the tempo of identity risk because they can act immediately when triggered, without waiting for a human approval loop. That makes periodic access review insufficient on its own. A human may take hours to exploit an excessive privilege; an agent can do it in milliseconds and move on before a review cycle ever sees the event. For autonomous behaviour, the control problem is not just least privilege. It is whether governance can keep pace with runtime decision-making.

Practical implication: move from periodic review to continuous validation of agent privileges and actions.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity is now infrastructure because access paths have become business pathways. When service accounts, automation, API keys and AI agents execute core work, identity is no longer a support function sitting beside the stack. It is the stack's control surface. That means identity governance has to be treated with the same operational seriousness as network design, payments or power distribution. Practitioners should stop describing identity as a feature and start managing it as critical infrastructure.

Static identity governance is built on assumptions that no longer hold. The idea that identities are mostly human, access is reviewed periodically, and privilege is intentionally assigned was designed for slower, bounded enterprise systems. That assumption fails when identities are objects, access is inherited through layers, and entitlements appear through automation rather than deliberate approval. The implication is not merely to add more controls. It is to rethink the governance model itself.

Privilege chaining is the named failure mode behind most modern identity incidents. A single credential rarely explains the blast radius. The real issue is the chain of inherited trust that turns one compromised token into broader system control. This is exactly why graph-based identity reasoning matters more than role lists or annual recertification alone. Practitioners should measure identity risk as a path problem, not a point-in-time entitlement problem.

Zero-standing privilege only matters if identities can be governed in motion. The article's core point is that identity changes continuously, while many programmes still operate on fixed review intervals and static role assumptions. That mismatch is where over-privilege persists. The governance discipline now has to focus on temporary authority, ownership, and continuous blast-radius reduction across human and non-human identities alike.

Autonomous systems collapse the assumption that access persists long enough to be reviewed. Access review was designed for conditions where privilege remains stable between attestation cycles. That assumption fails when an AI agent can acquire, use and discard access within a single session, sometimes without a durable human operator behind it. The implication is that review-based governance alone cannot describe, much less control, agentic behaviour.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • For a broader view of lifecycle gaps, review Ultimate Guide to NHIs for governance, visibility and offboarding patterns.

What this signals

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the next phase of programme maturity is less about adding policy and more about reducing trust lifetime. Teams should expect more scrutiny on runtime validation, ownership and conditional access paths.

Identity blast radius: the practical measure of how far one credential or agent can move across systems before a control stops it. The concept will matter more as infrastructure teams, not just security teams, become accountable for identity design.

That shift also means identity governance will increasingly intersect with agentic AI oversight and workload identity standards such as the SPIFFE workload identity specification, especially where machine-to-machine trust needs to be explicit and attestable.


For practitioners

  • Build a living identity inventory: Replace CSV exports and point-in-time registers with an inventory that tracks human, non-human and agent identities, ownership, entitlements and current trust relationships. Prioritise service accounts, API keys, CI/CD bots and AI agents because they often sit outside standard joiner-mover-leaver workflows.
  • Map privilege chains before approval: Trace how one credential can inherit access through roles, pipelines, delegated permissions and connected systems. Use that path analysis to identify where a single account could reach production data, change infrastructure or pivot into adjacent services.
  • Assign ownership to every non-human identity: Require a named human owner for each service account, token, bot and agent identity, including a reviewable purpose and an expiry condition. If no owner can be found, treat the identity as unmanaged and high risk.
  • Shift from periodic reviews to continuous validation: Use runtime controls to detect privilege drift, unexpected inheritance and access that outlives its intended purpose. For AI agents and other fast-moving identities, a quarterly review is not enough because the relevant risk may already have occurred.
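The trust-graph and privilege-chaining ideas from the technical breakdown, and the "map privilege chains before approval" step above, can be exercised on a small graph. This is an added example, not code from Gathid or NHIMG; every identity name, edge and resource in it is constructed sample data, and the node prefixes (token:, sa:, role:, agent:, human:, res:) are an assumed labelling convention.

```python
# Added example (not Gathid's or NHIMG's code): privilege-chain analysis over a
# small identity trust graph. All names and edges below are constructed.
from collections import defaultdict, deque

# Edge (src, rel, dst): src can act with dst's privileges ("assumes"), or dst is a
# resource that src can touch ("grants"). Nodes are prefixed by identity type.
EDGES = [
    ("token:ci-deploy-7f3a", "assumes", "sa:ci-deployer"),
    ("sa:ci-deployer", "assumes", "role:deploy"),
    ("role:deploy", "grants", "res:k8s-prod-apply"),
    ("role:deploy", "assumes", "role:db-migrate"),  # inherited; never reviewed with deploy
    ("role:db-migrate", "grants", "res:prod-customer-db"),
    ("agent:support-bot", "assumes", "role:ticket-reader"),
    ("role:ticket-reader", "grants", "res:ticket-store"),
    ("human:alice", "assumes", "role:deploy"),
]
SENSITIVE = {"res:prod-customer-db", "res:k8s-prod-apply"}  # constructed classification

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def privilege_paths(graph, start):
    """Every cycle-free path from start to a resource node, breadth-first."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for _rel, nxt in graph.get(path[-1], []):
            if nxt in path:  # skip cycles
                continue
            # a resource ends the path; anything else is explored further
            (paths if nxt.startswith("res:") else queue).append(path + [nxt])
    return paths

def chained_paths(paths):
    """Paths crossing more than one role: entitlements reviewed separately, never as a whole."""
    return [p for p in paths if sum(n.startswith("role:") for n in p) > 1]

def blast_radius(graph, start, sensitive=SENSITIVE):
    """Resources reachable from start, split into (sensitive, other)."""
    reached = {p[-1] for p in privilege_paths(graph, start)}
    return sorted(reached & sensitive), sorted(reached - sensitive)

def who_can_reach(graph, resource):
    """Non-role identities with at least one privilege path to resource."""
    starts = [n for n in graph if not n.startswith(("role:", "res:"))]
    return sorted(s for s in starts if any(p[-1] == resource for p in privilege_paths(graph, s)))
```

Running `blast_radius` on the CI token shows it reaches the production customer database through the inherited db-migrate role, a path no single role review would have surfaced; `who_can_reach` gives the reverse view a resource owner needs during recertification.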

Key takeaways

  • Identity is no longer just an access layer. It is the operational infrastructure that connects business processes, automation and cloud workloads.
  • The largest governance gap is visibility into non-human identities and the privilege chains they inherit across systems.
  • Continuous validation, ownership and blast-radius reduction are now the controls that matter most for modern identity programmes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | The article focuses on visibility gaps across service accounts and other NHIs.
NIST Zero Trust (SP 800-207) | PR.AC-4 | The post emphasises continuous trust evaluation and reduced standing access.
NIST CSF 2.0 | ID.AM-1 | Identity inventory is central to the article's infrastructure argument.

Maintain a live inventory of identities, entitlements and ownership across the environment.


Key terms

  • Trust Graph: A trust graph maps the relationships between identities, systems, entitlements and ownership so teams can see how access is inherited and where blast radius expands. It is more useful than a flat account list because modern identity risk is relational, not isolated.
  • Privilege Chaining: Privilege chaining is the process where one entitlement unlocks another access path, often across systems or roles that were never reviewed together. It turns separate permissions into a larger attack path and is a common reason one compromised identity can reach more than intended.
  • Zero-Standing Privilege: Zero-standing privilege means access is temporary and granted only when needed, instead of remaining permanently available. In modern identity programmes, it reduces the chance that dormant access, inherited permissions or forgotten machine credentials can be abused outside their intended purpose.
  • Living Identity Inventory: A living identity inventory is a continuously updated record of every identity, its owner, its permissions and its current trust relationships. Unlike exported spreadsheets, it is designed to reflect real-time changes across human, non-human and automated identities.

Deepen your knowledge

Identity as critical infrastructure and privilege chaining are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for service accounts, automation and AI-driven access, it is worth exploring.

This post draws on content published by Gathid: Identity is now the enterprise. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org