TL;DR: Identiverse 2025 drew more than 3,000 identity leaders and surfaced five recurring themes: AI-driven identity attacks, event-driven access decisions, compliance pressure, NHI sprawl, and rising interest in identity security posture management, according to Linx Security. The market signal is clear: static IAM controls are no longer sufficient for environments where human and non-human identities change faster than review cycles.
At a glance
What this is: This conference recap says Identiverse 2025 reinforced a move toward real-time identity governance, with NHI risk and AI-driven abuse now treated as mainstream security concerns.
Why it matters: For IAM and NHI practitioners, the takeaway is that legacy review cycles and human-centric controls are too slow for dynamic machine identity and agentic access patterns.
By the numbers:
- Identiverse 2025 brought together over 3,000 identity leaders in Las Vegas.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Linx Security's Identiverse 2025 analysis on identity, AI, and NHIs
Context
Identiverse 2025 is useful because it shows where identity governance is heading, not just what vendors are marketing. The core problem is that access, entitlements, and machine identities now move faster than quarterly review processes can handle, which leaves IAM teams reacting after risk has already accumulated. For NHI governance, that gap is especially visible because service accounts, tokens, and API keys often sit outside the control model used for human users.
The conference signals also point to a broader shift in practitioner expectations. Real-time decisions, compliance pressure, and AI-assisted attack paths are converging into one operating question: can identity controls adapt at the speed of execution? That is the right question for teams managing both human access and NHIs, especially when the same environment now contains more machine identities than people.
For background on the identity and lifecycle issues behind that gap, see the Ultimate Guide to NHIs. The enterprise starting position described in this recap is typical, not exceptional: most organisations are still trying to bring machine identities into governance after sprawl has already happened.
Key questions
Q: How should organisations govern non-human identities in dynamic environments?
A: Treat NHIs as runtime identities rather than static records. Assign ownership, scope access to a defined purpose, set expiry or rotation thresholds, and trigger review when behaviour changes. The key is to make revocation and recertification event-driven so machine access does not outlive the task it was created for.
Q: Why do AI-assisted attacks change IAM priorities?
A: AI lowers the cost of impersonation, phishing, and access chaining, so identity teams must focus less on one-time approvals and more on continuous assurance. Clean identity data, strong lifecycle controls, and fast revocation become more important because attackers can move faster than manual review cycles.
Q: What is the difference between quarterly certification and event-driven access control?
A: Quarterly certification checks access on a schedule, while event-driven access control reacts when risk changes. The first is retrospective and often too slow for cloud and NHI environments. The second is operational and better suited to identities whose privileges, context, or business purpose can change quickly.
Q: Should security teams treat NHI sprawl as a compliance issue or an operational issue?
A: They should treat it as both. Compliance frameworks increasingly demand evidence of least privilege, ownership, and lifecycle discipline, but the operational risk is that unmanaged NHIs create hidden access paths into production systems. Programs that separate the two usually fail to close either one.
Technical breakdown
Why event-driven access is replacing quarterly governance
Event-driven access means entitlements change when a relevant signal changes, such as inactivity, role change, risk score movement, or privilege escalation. That is different from periodic certification, which assumes access can be reviewed on a schedule without missing meaningful change. In cloud and SaaS environments, that assumption breaks quickly because identity context evolves continuously. For NHIs, the same logic applies to service accounts and tokens that may need shorter lifetimes, tighter scoping, and stronger revocation triggers than human access. The practical result is that governance must move closer to runtime and away from static review artifacts.
Practical implication: Map NHI and human access decisions to signals that can trigger immediate revocation, recertification, or step-up approval.
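As an added example (not code from Linx Security or NHIMG), the evaluator below applies the signals above to one entry in a machine-identity register, returning revoke, recertify, rotate or step-up actions instead of waiting for a scheduled review; it also covers the register fields and triggers listed under "For practitioners". The thresholds, the event schema and the sample token are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this example, not figures from the article.
INACTIVITY_LIMIT = timedelta(days=30)
ROTATION_LIMIT = timedelta(days=90)
RISK_THRESHOLD = 70  # assumed 0-100 risk scale


@dataclass
class NHIRecord:
    # One register entry: ownership, purpose, scope and lifecycle timestamps.
    name: str
    owner: Optional[str]
    purpose: str
    scopes: frozenset
    last_used: datetime
    rotated: datetime


def evaluate(record: NHIRecord, event: dict, now: datetime) -> list:
    """Map a governance signal to actions; event kinds are a hypothetical schema:
    privilege_change, owner_offboarded, risk_update, usage_check."""
    actions = []
    if record.owner is None:
        actions.append("recertify: no accountable owner on record")
    kind = event.get("kind")
    if kind == "privilege_change":
        added = frozenset(event["new_scopes"]) - record.scopes
        if added:  # scope grew past the stated purpose: require step-up approval
            actions.append(f"step_up_approval: new scopes {sorted(added)}")
    elif kind == "owner_offboarded":
        actions.append("revoke: owner offboarded, reassign before re-enabling")
    elif kind == "risk_update" and event["score"] >= RISK_THRESHOLD:
        actions.append("revoke: risk score above threshold")
    # Time-based checks run on every signal, so a stale or unrotated credential
    # surfaces at the next event instead of the next quarterly review.
    if now - record.last_used > INACTIVITY_LIMIT:
        actions.append("revoke: inactive beyond limit")
    if now - record.rotated > ROTATION_LIMIT:
        actions.append("rotate: credential older than rotation limit")
    return actions or ["no_action"]


# Constructed sample: a CI deploy token last rotated 100 days ago.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
DEPLOY_TOKEN = NHIRecord("ci-deploy-token", "platform-team", "deploy to staging",
                         frozenset({"repo:read", "staging:deploy"}),
                         NOW - timedelta(days=2), NOW - timedelta(days=100))
```

Feeding every access-related event through `evaluate` is what makes revocation and recertification event-driven; the same record would pass a calendar-based review until its next scheduled date.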
How AI changes identity attack and defence patterns
AI affects identity security in two directions. On offence, it lowers the cost of phishing, impersonation, and social engineering while also helping attackers chain weak signals into more convincing access attempts. On defence, it can help prioritise reviews and highlight unusual behaviour, but only if the underlying identity data is clean. That matters for NHI governance because machine identities already create large volumes of low-context access events. If the identity inventory is incomplete, AI-assisted defence will amplify blind spots instead of reducing them. The governance lesson is to treat AI as a force multiplier, not a control by itself.
Practical implication: Improve identity data quality before relying on AI for access review automation or risk scoring.
NHI visibility gaps make compliance findings harder to close
Compliance regimes such as DORA, NIS2, and CRA increase pressure on identity teams to prove least privilege, lifecycle discipline, and auditability. That is difficult when NHIs are spread across code, cloud services, and SaaS integrations with no consistent owner or review cadence. The issue is not just secrecy, but traceability: teams need to know who created the identity, why it exists, where it is used, and how it is retired. Without that lineage, certification becomes a reporting exercise instead of a control. In practice, compliance demand is exposing a governance defect that many programmes had already normalised.
Practical implication: Build ownership, purpose, and offboarding records into NHI lifecycle workflows before the next audit cycle.
Threat narrative
Attacker objective: Turn identity trust into operational access that can be reused across cloud, SaaS, and machine-driven workflows.
- Entry occurs through AI-assisted phishing or impersonation that convinces a user or operator to approve access or expose credentials.
- Escalation follows when the attacker uses the obtained identity to reach systems with broader entitlements than intended.
- Impact occurs when the attacker pivots through identity-linked access to manipulate data, bypass controls, or establish persistence.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NHI governance is moving from inventory management to runtime control. The Identiverse themes point to a market that is no longer satisfied with knowing what identities exist. Practitioners now need to decide when access should change, who approves that change, and which signals should trigger it. That is a different operating model from periodic review, and it becomes unavoidable once NHIs and AI-driven workflows are part of the same estate.
Real-time access decisions create the identity blast-radius problem the industry has been underestimating. Dynamic governance reduces standing exposure, but it also makes it easier to overlook how many systems depend on a single token, service account, or delegated grant. The practical challenge is not access speed alone, but whether a revoked identity actually stops the business process attached to it. Teams need to design for blast-radius reduction, not just faster approvals.
Identity security posture management is becoming the bridge between policy and enforcement. The market is converging on continuous assessment because static provisioning tools do not answer operational questions about usage, drift, and overprivilege. That does not make posture tooling a replacement for IAM or PAM; it makes it the control layer that exposes where those programs are blind. Practitioners should expect identity posture evidence to become a board and audit requirement, not just a security dashboard.
AI is not a separate identity issue. It is a multiplier on existing identity failure modes. The same weaknesses that created NHI sprawl, weak ownership, and overprivilege now become more dangerous when attackers can automate reconnaissance and social engineering at scale. The category should therefore be read as a governance stress test for existing IAM models. If a program cannot handle non-human trust cleanly, it will struggle even more once agentic systems join the environment.
Event-driven compliance will become the new baseline for high-trust environments. DORA, NIS2, and CRA are pushing identity teams toward evidence that can be produced continuously, not assembled after the fact. That shifts the burden from annual assurance to operational traceability. Practitioners should prepare for audit questions that focus less on policy existence and more on whether access decisions can be demonstrated in context, on demand.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why machine identity governance keeps surfacing as a control gap.
- For a broader lifecycle view, the Ultimate Guide to NHIs chapter Lifecycle Processes for Managing NHIs shows how provisioning, rotation, and offboarding fit together.
What this signals
Identity programmes will need to absorb NHI governance as a standing operating model, not a side project. The combination of AI-assisted abuse, compliance pressure, and runtime access decisions means teams cannot rely on review cycles designed for stable human access. With 90% of IT leaders saying properly managing NHIs is essential for a successful zero-trust implementation, the governance path is already clear: controls must become continuous, contextual, and measurable.
Identity blast radius will become the more useful metric than identity count. Once machine identities are treated as execution paths into production, the question is not only how many exist, but how much damage any one can do if compromised. That shifts prioritisation toward scoping, revocation speed, and dependency mapping across cloud and SaaS estates.
Practitioners should expect audit conversations to move from policy existence to evidence of enforcement. That means lifecycle records, ownership, and revocation proof need to be accessible in the same operational layer where access is granted, not reconstructed after the fact.
For practitioners
- Move NHI governance to event-driven triggers: Tie access changes to inactivity, privilege change, role change, and anomaly signals so reviews happen when risk changes, not on a fixed calendar.
- Inventory machine identities separately from human accounts: Create a dedicated register for service accounts, API keys, tokens, and certificates with ownership, purpose, and expiry fields.
- Shorten the review loop for high-risk credentials: Prioritise time-bound approvals and tighter revocation paths for identities that can reach production systems or third-party services.
- Use compliance evidence as a design input: Build audit-ready lineage into lifecycle workflows so provisioning, access changes, and offboarding produce evidence automatically.
- Test whether revocation actually breaks business flows: Validate that removing a token or service account stops the intended workload without leaving fallback access in code or orchestration layers.
Key takeaways
- Identiverse 2025 reflected a clear shift from static identity review toward real-time governance, with NHI risk moving into the centre of the IAM agenda.
- The scale problem is already structural: machine identities vastly outnumber human accounts, while visibility into service accounts remains limited.
- Practitioners should treat event-driven access control, lifecycle evidence, and blast-radius reduction as core design requirements, not future enhancements.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Event-driven revocation and rotation map directly to NHI lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management is central to the article's compliance and NHI themes. |
| NIST Zero Trust (SP 800-207) | AC-6 | Continuous verification and least privilege fit the article's runtime access model. |
Use zero trust principles to shift NHI access decisions from periodic review to runtime validation.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. These identities often carry privileged access and need ownership, rotation, and offboarding controls just like human accounts.
- Event-Driven Access Control: Event-driven access control changes permissions when a relevant condition changes, such as risk, inactivity, or role movement. It replaces slow periodic review with decisions tied to live identity context, which is especially important when cloud and NHI access can change many times in a day.
- Identity Security Posture Management: Identity security posture management is the continuous assessment of identity configuration, privilege, and exposure across an environment. It focuses on drift, overprivilege, and control gaps so teams can see where IAM, PAM, and NHI governance are failing before those gaps become incidents.
Deepen your knowledge
NHI lifecycle governance, rotation, and offboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a control model for dynamic identity environments, it is worth exploring.
This post draws on content published by Linx Security: What Identiverse 2025 was focusing on this year and where Linx fits in. Read the original.
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org