TL;DR: A curated list highlights 15 identity and cybersecurity professionals whose work spans IAM, NHI governance, standards, and emerging AI risk, offering practitioners a compact way to track the people shaping current identity debates, according to Oasis Security. The real value is not the list itself but the pattern it reveals: identity security is increasingly cross-domain, and practitioners need wider signal sources to keep pace.
At a glance
What this is: This is a curated list of 15 identity and cybersecurity professionals, and its key finding is that IAM, NHI, and AI-adjacent identity thinking are converging across the field.
Why it matters: It matters because identity programmes now need a broader view of governance, threat modelling, and lifecycle controls across human, machine, and emerging agentic contexts.
By the numbers:
- Paul Lanzi says privileged access was identified in 82% of security breaches according to the Verizon DBIR.
👉 Read Oasis Security's list of identity experts to follow on LinkedIn
Context
Identity security is no longer a single-discipline conversation. IAM teams are dealing with human access, service accounts, secrets, third-party integrations, and early agentic use cases at the same time, which means the field’s best practitioners increasingly work across boundaries rather than within one narrow specialty. This list reflects that shift by spotlighting people whose work spans governance, standards, operations, and research.
For security leaders, the practical question is not which individual to follow, but which identity problems demand cross-domain thinking. That includes lifecycle governance, privileged access, NHI visibility, and the way new AI-driven workflows can inherit old identity assumptions. The article is typical of the broader industry moment: it is a signal list, but the signal is about convergence, not celebrity.
Key questions
Q: How should security teams build a cross-domain identity programme?
A: Start by aligning human IAM, NHI governance, PAM, and cloud identity around shared control outcomes such as ownership, privilege reduction, and lifecycle review. Cross-domain programmes work better when they use one governance model for entitlement risk and one operating rhythm for exceptions, rather than separate processes for each identity type.
Q: Why do service accounts and other NHIs need lifecycle governance?
A: Because inventory alone does not remove risk. A service account can remain active long after the business purpose changes, and without ownership, review, and offboarding, access outlives accountability. Lifecycle governance ensures the identity is revoked when the service no longer needs it or the entitlement no longer matches the role.
Q: What do security teams get wrong about following identity experts?
A: They often treat it as content consumption instead of programme design input. The useful pattern is not personality tracking, but collecting independent perspectives that can test entitlement design, lifecycle controls, and threat assumptions across human and non-human identities.
Q: How do teams know their identity controls are keeping up?
A: Look for evidence that the programme can explain who owns each identity, when access is reviewed, and how quickly dormant access is removed. If those answers are unclear for service accounts or third-party connections, the control model is lagging behind the environment.
Technical breakdown
Why identity expertise is becoming cross-domain
Identity programmes used to separate human IAM, machine identity, and privilege management into different operating lanes. That model breaks down when the same team must understand federated authentication, service account sprawl, vendor access, and workload identity in one governance picture. The people on this list are relevant because they connect policy, architecture, and operational control across those domains. That matters for visibility, entitlement design, and lifecycle decisions, especially where teams still treat machine access as a side issue rather than a core identity surface.
Practical implication: build review forums that include IAM, PAM, NHI, and cloud engineering stakeholders instead of handling each identity class separately.
NHI governance depends on lifecycle, not just inventory
Non-human identity management is often described as discovery and rotation, but that is only the first layer. Governance also depends on knowing who owns the credential, when it should be revoked, how third-party access is reviewed, and whether the entitlement still matches the service it supports. When those lifecycle questions are missing, the environment may look controlled while still carrying dormant access paths. The article’s NHI-focused figures are relevant because they point to practitioners who see identity as a governance problem, not just a secrets problem.
Practical implication: tie service-account ownership, review cadence, and offboarding to the same control process used for human access certification.
Standards and research matter because identity risk is systemic
The list includes people who contribute to standards, research, and operational practice, which is the right mix for a field that is moving quickly but still lacks mature baselines in many organisations. Identity controls do not stand alone. They connect to zero trust, incident response, secure federation, and, increasingly, AI risk frameworks. For practitioners, the value of following these voices is that they surface where identity assumptions are already being tested by new tooling, new attack paths, and cross-environment delegation.
Practical implication: align your identity roadmap with current standards work so your programme reflects how identity threats are actually evolving.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is becoming a cross-domain discipline, not a product category. The strongest signal in this list is that practitioners now need to understand human IAM, privileged access, NHI governance, and standards work together. That convergence changes how programmes are staffed, reviewed, and measured. The implication is that identity teams should stop organising expertise by tool class and start organising it by control outcome.
NHI visibility is only meaningful when it is tied to ownership and offboarding. A list of recognised NHI voices is useful because it reflects a broader truth: machine identities fail most often when no one can say who owns them or when they should disappear. Inventory without lifecycle governance creates a false sense of control. Practitioners should treat NHI oversight as a governance discipline, not a discovery exercise.
Privilege remains the common denominator across human and non-human identity risk. The Verizon DBIR statistic cited in the article reinforces a long-standing pattern. Whether the identity is a user, service account, or integration token, excessive privilege broadens the blast radius once an attacker gets in. The conclusion for practitioners is simple: identity programmes that do not reduce privilege at the entitlement layer are underpowered.
Standards voices matter because identity risk is now architectural, not local. Several of the people highlighted work at the intersection of standards, research, and implementation, which is where durable IAM practice tends to emerge. That matters because identity failures often repeat across environments when teams rely on local workarounds instead of shared models. Practitioners should use these perspectives to validate whether their controls will survive scale.
Named concept: identity signal density. This article is less about personalities than about how practitioners find trustworthy signals in a crowded identity market. Identity signal density is the concentration of credible, cross-domain voices a team follows to avoid over-relying on vendor narratives or isolated best practices. The implication is that mature programmes curate outside expertise as deliberately as they curate entitlements.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs: Lifecycle Processes for Managing NHIs.
- If you are turning identity insight into action, Top 10 NHI Issues is the next resource for mapping common control failures to remediation priorities.
What this signals
The programme-level lesson is that identity teams need a wider external signal set, not just more tooling. A curated advisory layer helps security leaders spot where entitlement, lifecycle, and privilege assumptions are breaking before those failures show up as incidents or audit findings.
With 91.6% of secrets still valid five days after notification, per the Ultimate Guide to NHIs, the real issue is not awareness but operational latency. Teams should treat that kind of persistence as a warning that remediation workflows and ownership models are not keeping pace.
The next step is to connect outside expertise to inside control testing. Use credible practitioners, standards work, and lifecycle data together so your IAM roadmap reflects how identity exposure actually behaves across human accounts, service identities, and delegated access paths.
For practitioners
- Map your identity advisory inputs across domains: Create a short list of external voices that cover human IAM, NHI governance, PAM, standards, and cloud identity so your programme is not shaped by a single specialty. Use that map in architecture reviews and quarterly risk discussions.
- Use cross-domain experts to challenge control gaps: Ask reviewers to test whether your current controls handle service accounts, third-party access, and delegated identity paths with the same discipline as employee access. The goal is to surface blind spots before they become entitlement drift.
- Align identity reviews with lifecycle ownership: For every non-human identity in scope, document an owner, a review cadence, and an offboarding trigger. If any of those three are missing, treat the identity as a governance exception rather than a managed asset.
- Track standards work alongside operational changes: Monitor how zero trust, federation, and AI-risk guidance evolves so your internal controls do not drift away from current practice. Standards should inform control design, not sit outside it.
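One way to operationalise the ownership, review cadence and offboarding-trigger rule above, together with the dormant-access check from the Q&A and the lifecycle points in the NHI governance section, as an added example (not tooling from the article, Oasis Security or NHIMG): a small triage pass over an NHI inventory that labels each identity as managed or as a governance exception. The record shape, the 90-day dormancy threshold and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed record shape: discovery data plus the lifecycle fields the
# page says governance depends on (owner, review cadence, offboarding trigger).
@dataclass
class NHIRecord:
    name: str
    owner: Optional[str]                 # accountable person or team
    review_cadence_days: Optional[int]   # how often the entitlement is recertified
    last_reviewed: Optional[date]
    last_used: Optional[date]            # last authentication / use seen in logs
    offboarding_trigger: Optional[str]   # event that must revoke it, e.g. "pipeline retired"

def governance_findings(rec: NHIRecord, today: date, dormant_days: int = 90) -> list[str]:
    """Return the reasons this identity is a governance exception; empty means managed."""
    findings = []
    if not rec.owner:
        findings.append("no owner")
    if rec.review_cadence_days is None:
        findings.append("no review cadence")
    elif rec.last_reviewed is None or today - rec.last_reviewed > timedelta(days=rec.review_cadence_days):
        findings.append("review overdue")
    if not rec.offboarding_trigger:
        findings.append("no offboarding trigger")
    # Dormancy is checked independently: an identity can be fully documented yet unused.
    if rec.last_used is None or today - rec.last_used > timedelta(days=dormant_days):
        findings.append("dormant")
    return findings

def triage(inventory: list[NHIRecord], today: date, dormant_days: int = 90) -> dict[str, list[str]]:
    """Map every identity name to its findings so exceptions can be reported or ticketed."""
    return {r.name: governance_findings(r, today, dormant_days) for r in inventory}

# Constructed sample inventory (assumed names, not real systems or credentials).
TODAY = date(2026, 5, 1)
SAMPLE = [
    NHIRecord("ci-deploy-sa", "platform-team", 90, date(2026, 3, 15), date(2026, 4, 30), "pipeline retired"),
    NHIRecord("legacy-billing-key", None, 90, date(2025, 9, 1), date(2025, 12, 20), None),
    NHIRecord("vendor-sync-token", "finance-ops", None, None, date(2026, 4, 28), "contract ends"),
]

if __name__ == "__main__":
    for name, issues in triage(SAMPLE, TODAY).items():
        status = "managed" if not issues else "EXCEPTION: " + ", ".join(issues)
        print(f"{name}: {status}")
```

Feeding the exception list into the same certification workflow used for human access is the point: an identity that lacks any of the three fields or has gone dormant gets an owner assigned or gets revoked, rather than staying in the inventory as a "known" but ungoverned credential.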
Key takeaways
- The article is best read as a map of where identity expertise is concentrated, not as a list of names to bookmark.
- Its deeper message is that IAM, NHI, PAM, and standards work now overlap enough that siloed identity thinking is a control risk.
- Practitioners should use external experts to stress-test ownership, privilege, and lifecycle assumptions across every identity class they manage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity and access management is the core theme behind the list. |
| NIST Zero Trust (SP 800-207) | | The post points to continuous verification across identity types. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article touches NHI governance and the need for visibility. |
Apply zero trust principles to all identities, including service accounts and delegated access paths.
Key terms
- Non-Human Identity: A non-human identity is any credentialed digital identity used by software, services, or workloads rather than a person. It includes service accounts, API keys, tokens, and certificates, and it must be governed with ownership, lifecycle, and privilege controls just like human access.
- Identity Governance: Identity governance is the discipline of making sure access is justified, reviewed, and removed when it is no longer needed. In practice, it covers ownership, certification, entitlement hygiene, and offboarding across human and non-human identities.
- Privileged Access: Privileged access is any elevated entitlement that can change systems, data, or security settings. When privilege is excessive or poorly scoped, a single compromised identity can create outsized blast radius across environments.
Deepen your knowledge
Identity governance across human and non-human systems is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that must handle lifecycle, privilege, and ownership together, it is worth exploring.
This post draws on content published by Oasis Security: Top 15+1 Identity Pros to Follow on LinkedIn. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org