TL;DR: Enterprises are operating with an incomplete view of their identity attack surface, even as they manage an average of 50 non-human identities per employee across clouds, SaaS, and AI systems, according to Permiso Security. The visibility gap is now a structural IAM problem because you cannot govern, detect, or respond to identities you have not inventoried.
At a glance
What this is: This is a vendor analysis of identity visibility, showing that security teams often lack a complete inventory of human, NHI, and AI identities across hybrid environments.
Why it matters: It matters because IAM, NHI, and autonomous identity programmes all depend on knowing what identities exist, what they can access, and who owns them before controls can work.
By the numbers:
- For every human employee, organizations now manage an average of 50 non-human identities.
- Only 55% of AWS IAM permissions are actually used.
Context
Identity visibility is the prerequisite for identity governance. If teams cannot see human accounts, service accounts, API keys, OAuth tokens, machine identities, and AI agents in one place, then least privilege, access review, and incident response all start from partial information. That is the core problem the article raises for NHI and broader IAM programmes.
The article also shows why this is no longer a narrow cloud inventory issue. Identities now span AWS, Azure, GCP, SaaS, identity providers, CI/CD pipelines, and AI platforms, which means the real control problem is not just discovery but understanding relationship paths, ownership, and standing access across the entire identity graph. For teams building out coverage, the NHI Lifecycle Management Guide is the natural companion resource.
When identity sprawl outpaces inventory, orphaned accounts, over-privileged access, and unknown third-party connections become governance failures rather than isolated hygiene issues. That is typical of modern enterprises, not an edge case.
Key questions
Q: How should security teams build an authoritative inventory of non-human identities?
A: Start by consolidating discovery across cloud platforms, SaaS, identity providers, CI/CD systems, and AI platforms into one record. Include ownership, permissions, last-use data, and environment context so the inventory can support access review, incident response, and lifecycle governance rather than serving as a static asset list.
Q: Why do non-human identities create more governance risk than most human accounts?
A: NHIs often outnumber human users, span multiple systems, and persist without the same operational visibility as employee access. That combination makes dormant credentials, over-privilege, and third-party reach harder to see and harder to retire, which increases the chance that access survives after business need has ended.
Q: What breaks when identity visibility is incomplete in a hybrid environment?
A: Least privilege becomes guesswork, access reviews certify stale data, and incident response begins with manual discovery instead of containment. In hybrid estates, incomplete visibility also hides trust relationships and inherited access, so the real attack surface is larger than the inventory suggests.
Q: Who should own orphaned service accounts and AI agent identities?
A: Ownership should sit with a named business or technical custodian who can approve use, monitor activity, and trigger offboarding when the identity is no longer needed. Without accountable ownership, the identity remains live by default and becomes a governance gap rather than an operational asset.
Technical breakdown
Why identity graph visibility matters for NHI governance
A flat inventory is not enough because identities rarely behave as isolated records. The article’s core point is that access paths matter as much as identity counts: a service account can inherit reach through federated trust, a vendor integration can expose internal data, and an AI agent can carry delegated permissions across systems. A usable identity graph links subject, permissions, resources, and trust relationships so security teams can answer who can reach what, directly and indirectly. That is the difference between counting identities and governing them.
Practical implication: model identities as relationships, not rows, so you can trace effective access before you certify or revoke anything.
Real-time inventory versus static scans in hybrid identity estates
Static scans age quickly in environments where identities are created by code, pipelines, and integrations. Real-time tracking matters because the inventory must change as fast as the environment, otherwise security teams keep making decisions from stale data. In NHI programmes this is especially important for service accounts, tokens, certificates, and AI-driven workloads, because their lifecycle can be shorter and less visible than human access. Continuous discovery reduces the gap between what exists and what the programme thinks exists.
Practical implication: replace snapshot-only discovery with continuous inventory updates so access reviews and incident triage use current identity state.
Identity visibility as the foundation for least privilege and response
Least privilege depends on knowing the current permission set, not the intended one. If teams cannot see which identities are active, orphaned, or over-provisioned, then policy enforcement becomes guesswork and incident response starts with manual discovery. The article correctly ties visibility to operational outcomes: posture management, threat detection, and response all depend on a trustworthy inventory. For NHI and human IAM alike, visibility is the base layer that makes later controls credible rather than aspirational.
Practical implication: treat identity inventory as a control dependency for least privilege, recertification, and incident response planning.
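As an added example that is not from the article or from Permiso's product, the following Python sketch models a small identity estate as a graph rather than a flat list, computes each identity's effective reach through trust links (role assumption, OAuth delegation, an AI agent acting as a service account), and then applies the triage the article recommends: flag orphaned, dormant and over-privileged identities by comparing effective reach with observed use. The inventory, grants and trust edges are constructed sample data; the resource and identity names are placeholders, not a real environment.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (not Permiso or NHIMG data). Each record carries
# what the article says an inventory needs: kind, accountable owner, last use,
# and the resources the identity was actually observed touching.
IDENTITIES = {
    "svc-ci-deploy":     dict(kind="service",     owner="platform",    last_used=date(2025, 10, 21), observed={"s3:artifacts", "prod:deploy"}),
    "svc-legacy-export": dict(kind="service",     owner=None,          last_used=date(2025, 1, 3),   observed=set()),
    "vendor-oauth-app":  dict(kind="third_party", owner="procurement", last_used=date(2025, 10, 19), observed={"crm:contacts"}),
    "ai-agent-triage":   dict(kind="ai_agent",    owner="secops",      last_used=date(2025, 10, 22), observed={"tickets:read"}),
}
# Direct grants, plus trust links an identity can traverse (role assumption, OAuth delegation, agent tool access).
GRANTS = {
    "svc-ci-deploy": {"s3:artifacts", "prod:deploy"},
    "svc-legacy-export": {"db:customers", "s3:exports"},
    "vendor-oauth-app": {"crm:contacts"},
    "ai-agent-triage": {"tickets:read"},
    "role-prod-admin": {"db:customers", "kms:decrypt"},  # a role: holds grants only
}
TRUSTS = {"vendor-oauth-app": {"svc-legacy-export"},
          "ai-agent-triage": {"svc-ci-deploy"},
          "svc-ci-deploy": {"role-prod-admin"}}

def effective_access(identity):
    """Resources reachable directly or via trust links, each with the path that grants it."""
    reach, seen, queue = {}, {identity}, deque([(identity, [identity])])
    while queue:
        node, path = queue.popleft()
        for res in GRANTS.get(node, ()):
            reach.setdefault(res, path)  # BFS, so the first path recorded is the shortest
        for nxt in TRUSTS.get(node, set()) - seen:
            seen.add(nxt)
            queue.append((nxt, path + [nxt]))
    return reach

def triage(today, stale_days=90):
    """Flag what the article says to fix first: orphaned, dormant and over-privileged identities."""
    findings = {}
    for name, rec in IDENTITIES.items():
        flags = []
        if rec["owner"] is None:
            flags.append("orphaned")
        if (today - rec["last_used"]).days > stale_days:
            flags.append("dormant")
        # effective reach minus observed use is standing access nobody is exercising
        excess = sorted(set(effective_access(name)) - rec["observed"])
        if excess:
            flags.append("over-privileged:" + ",".join(excess))
        findings[name] = flags
    return {n: f for n, f in findings.items() if f}
```

Note that the AI agent ends up with production deploy and KMS reach it never exercises, purely through two hops of inherited trust, which a per-identity permission list would not show.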
Threat narrative
Attacker objective: The objective is to exploit unseen identity paths to access internal systems or data while security teams are still trying to discover what exists.
- Entry occurs when orphaned service accounts, forgotten API keys, or third-party integrations remain active after the original business need has ended.
- Escalation happens when those identities retain permissions that were granted earlier and were never tightened, rotated, or offboarded.
- Impact follows when attackers or unauthorized processes use hidden access paths to reach data, systems, or cloud control planes without triggering expected governance checks.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity visibility is the control plane for every other identity discipline. Least privilege, lifecycle governance, access review, and incident response all depend on a complete and current inventory of who and what has access. When identities span human users, service accounts, API keys, and AI systems, the programme can no longer rely on manual reconciliation or periodic scans. Practitioners should treat visibility as the first governance layer, not a reporting feature.
Identity graph context matters more than raw identity counts. A count of accounts does not show effective blast radius, because trust relationships and inherited permissions create access far beyond the originating identity. The article’s Universal Identity Graph framing is useful because it reflects how modern attack surfaces actually behave across cloud, SaaS, and federated identity boundaries. Teams should measure access reach, not just inventory volume.
Orphaned identity persistence is a lifecycle failure, not a discovery issue. The article describes dormant identities, over-privilege, and third-party access as things visibility can surface, but the deeper problem is that governance processes failed to remove or narrow access when business conditions changed. That failure mode is central to NHI governance, because abandoned credentials remain operational long after ownership disappears. Practitioners should make lifecycle ownership part of every identity control.
AI agents belong in the same discovery model as service accounts and tokens. The article explicitly includes AI agents with delegated permissions, which means the inventory problem is already broader than classic machine identity. Once AI systems can access data or tools independently, visibility must include where they are deployed, what they can reach, and who is accountable for them. That is the direction identity governance is moving, and teams should plan for it now.
Inventory-first programmes will outpace control-heavy programmes. Detection and response improve only after teams know the full identity estate, because every downstream capability assumes the inventory is true. That makes visibility a maturity multiplier across OWASP-NHI, NIST CSF, and Zero Trust-aligned controls. Security leaders should prioritise completeness before layering more monitoring rules.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
- For lifecycle and ownership control, see NHI Lifecycle Management Guide for the governance step that visibility alone cannot solve.
What this signals
Identity visibility is becoming the gating factor for every serious NHI programme. When inventories are incomplete, security teams are forced to choose between blind certification and delayed response, neither of which scales in hybrid estates. The practical shift is toward continuous discovery, ownership mapping, and relationship-aware governance before more monitoring is added.
Orphaned access is the visible symptom, but lifecycle failure is the deeper issue. The more identities are created by automation, integrations, and AI systems, the more likely they are to outlive their original purpose unless ownership and offboarding are explicitly built into the programme. Teams that pair discovery with lifecycle control will reduce hidden reach faster than teams that only add detection.
With 1.5 out of 10 organisations highly confident in securing NHIs, the market signal is clear: identity programmes still struggle with basic visibility, and that gap will shape buying decisions as much as threat pressure does.
For practitioners
- Map the full identity estate before tuning controls: Inventory human users, service accounts, API keys, certificates, OAuth tokens, and AI agents in one authoritative record. Include environment, ownership, permissions, and last-use data so reviews and response teams work from the same source of truth.
- Trace effective access paths, not just assigned permissions: Document direct and indirect paths from each identity to production systems, data stores, and federated trust zones. Use relationship mapping to find hidden reach created by SaaS integrations, cloud inheritance, and cross-environment trust.
- Prioritise orphaned and over-privileged identities first: Flag identities with no clear owner, no recent use, or permissions that exceed observed activity. These are the fastest wins because they reduce exposed attack surface without waiting for a full programme rebuild.
- Make identity inventory the prerequisite for access review: Do not start recertification until inventory data is current enough to support a meaningful review. If the review list is stale, the programme will certify the wrong accounts and miss abandoned access.
- Extend governance to AI agents and federated third parties: Treat AI agents and vendor integrations as governed identities with lifecycle ownership, approval paths, and offboarding triggers. That keeps discovery from stopping at the human perimeter and helps prevent unmanaged external reach.
Key takeaways
- Identity visibility is the prerequisite for governing NHIs, AI agents, and hybrid access at scale.
- Hidden trust paths and orphaned credentials turn incomplete inventories into a real attack surface, not just an audit problem.
- Practitioners should build continuous discovery and lifecycle ownership into the identity programme before layering on more detection.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Directly relates to incomplete inventory and unknown identity exposure. |
| NIST CSF 2.0 | ID.AM-1 | Asset management includes identity assets and their relationships. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust relies on knowing identity context before authorizing access. |
Establish continuous discovery for all NHIs before attempting access governance or detection tuning.
Key terms
- Identity Graph: A structured view of identities and the relationships between them, including permissions, trust links, and resource reach. In practice, it shows effective access rather than just account counts, which is essential for understanding blast radius across cloud, SaaS, and federated environments.
- Orphaned Account: An identity that remains active without a clear owner, business purpose, or current oversight. These accounts often persist after projects end or staff change, and they become risky because they can retain access long after accountability has disappeared.
- Real-Time Inventory: An identity inventory that updates as identities are created, changed, or retired instead of relying on periodic snapshots. This matters in modern environments because automated provisioning and delegated access can make yesterday’s inventory inaccurate almost immediately.
- Third-Party Access: Access granted to external vendors, partners, or integrations that can reach internal systems or data. In identity governance, it is not just a contract issue but a lifecycle problem, because those connections must be reviewed, bounded, and removed when they are no longer needed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Permiso Security: Comprehensive Identity Visibility and Intelligence with Permiso Discover. Read the original.
Published by the NHIMG editorial team on 2025-10-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org