TL;DR: Machine identities now outnumber human users in 69% of organisations, while 66% say current tooling cannot manage the scale and 61% still rely on spreadsheets or manual tracking, according to SailPoint's The Critical Gaps in Machine Identity Management report. The governance problem is no longer coverage, but ownership, lifecycle control, and auditability at machine speed.
At a glance
What this is: An analysis of machine identity governance whose core finding is that discovery, ownership, and lifecycle controls still lag behind machine identity growth.
Why it matters: IAM, IGA, PAM, and cloud security teams now have to govern non-human identities at a scale and speed that traditional human-centric processes do not handle well.
By the numbers:
- 69% of organisations now have more machine identities than human ones.
- 66% say their current tooling is not adequate to manage the scale of machine identities they now have.
- 61% rely on spreadsheets or manual tracking for machine identity management.
Context
Machine identity governance is the set of controls that keeps service accounts, API keys, certificates, tokens, and workload identities visible, owned, and reviewable across their lifecycle. The primary machine identity governance gap is that most enterprises still manage these identities with processes designed for human users, even as the number of non-human identities grows faster than the teams responsible for them.
That mismatch shows up in ownership gaps, weak inventory quality, and inconsistent access review discipline. As cloud, DevOps, APIs, and automation expand, machine identity governance has become a board-relevant control problem, not a narrow operations task. For background on the identity class itself, see the Ultimate Guide to NHIs and What are Non-Human Identities.
Key questions
Q: How should security teams govern machine identities across cloud and DevOps environments?
A: Security teams should treat machine identities as governed assets, not deployment by-products. That means maintaining a complete inventory, assigning accountable owners, enforcing least privilege, automating rotation, and reviewing access on a recurring basis. The programme works only when discovery, ownership, entitlement, and monitoring are tied together in one lifecycle view.
Q: Why do machine identities create more governance risk than human accounts in many environments?
A: Machine identities often scale faster than human users, are created automatically, and are frequently left with standing permissions after the original use case changes. That combination makes ownership unclear, review cycles harder, and blast radius larger when credentials are exposed. The risk is not the identity type alone, but the speed and persistence of access.
Q: What breaks when machine identity ownership is unclear?
A: When ownership is unclear, recertification becomes a checkbox exercise, rotation accountability weakens, and dormant credentials stay active. Security teams lose the ability to confirm whether access is still justified, which means the control environment degrades silently. In practice, unclear ownership turns machine identity governance into an audit problem instead of an operational control.
Q: Who should be accountable for machine identity lifecycle governance?
A: Accountability should sit with both the business service owner and the technical platform owner, because machine identities span application need and operational dependency. Human IAM teams, IGA teams, and platform teams each own part of the lifecycle, but none can govern it alone. Clear accountability is what makes review, offboarding, and rotation actually enforceable.
Technical breakdown
Why machine identity governance needs continuous discovery
Machine identities are created in cloud builds, CI/CD jobs, orchestration layers, and application integrations, often without a stable human owner. Discovery therefore cannot rely on periodic spreadsheet updates or annual audits. It has to continuously inventory credentials, certificate objects, workload bindings, and automation accounts across environments. Without that live inventory, governance cannot answer basic questions about what exists, who owns it, or whether the identity is still in use.
Practical implication: treat discovery as an always-on control rather than a project task, and move it into continuous monitoring and inventory reconciliation.
Why ownership and entitlement reviews fail for non-human identities
Machine identities often inherit access from deployment scripts, platform defaults, or temporary operational needs that never get cleaned up. That makes ownership harder than with human accounts because the identity can outlive the team, service, or application that created it. Entitlement review must therefore check whether the access still maps to a live workload dependency, not just whether a name appears on a record.
Practical implication: validate ownership against the application or service dependency chain, not against documentation alone, before recertifying access.
How credential rotation and monitoring reduce machine identity blast radius
Long-lived secrets, certificates, and tokens create persistence windows that attackers can exploit after exposure. Rotation reduces that exposure window, but rotation alone is incomplete if the identity is still overprivileged or poorly monitored. The stronger model combines short-lived credentials, entitlement minimisation, and anomaly detection for unusual usage, failed rotations, or unexpected privilege escalation.
Practical implication: govern machine identities as a lifecycle and detection problem together, pairing automated rotation with privilege reduction and behavioural monitoring rather than treating it as a credential-only task.
Threat narrative
Attacker objective: The attacker aims to turn a single exposed machine identity into broader access across connected systems and workloads.
- Entry occurs when exposed machine credentials, such as API keys or service account secrets, are discovered in cloud, code, or integration surfaces.
- Escalation follows when those identities carry standing or excessive permissions that let an attacker move beyond the original workload boundary.
- Impact emerges through unauthorized access to applications, databases, cloud services, or downstream automation that relies on the same identity trust.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Machine identity governance has moved from hygiene to core control plane. When machine identities outnumber humans, the problem is no longer whether the enterprise has a policy, but whether that policy can keep pace with machine creation, delegation, and expiry. Governance for service accounts, keys, and certificates must operate as a live control plane, not a periodic review exercise. The implication is that identity teams now have to manage machine population drift as a standing risk, not an edge case.
Ownership ambiguity is the failure mode that makes machine identities ungovernable. If no one can say who owns a credential, review, rotation, and offboarding all degrade at the same time. That is why incomplete ownership is not a documentation issue, but a governance failure that weakens accountability, auditability, and remediation. Practitioners should treat identity ownership as the first governance control, because every other control depends on it.
Credential sprawl is now a blast-radius problem, not just a secrets problem. The article is right to separate management from governance, because the security issue is not merely how many secrets exist, but how much access each one carries. Excessive permissions on machine identities create a much larger failure domain than a simple leaked token would suggest. The practical conclusion is that entitlement scope must be reduced alongside inventory and rotation.
Machine identity lifecycle controls need to extend into AI-driven automation. The article correctly includes AI agents among machine identities, which means lifecycle governance must now cover autonomous or semi-autonomous runtime access as well as classic service accounts. That broadens the scope of identity governance from static infrastructure to systems that can request and use access at machine speed. Practitioners should align machine identity governance with broader non-human identity oversight before autonomous usage patterns become the norm.
Certificate expiry and dormant credentials remain the most visible signs of a weak governance model. Outages and stale access are not separate operational annoyances; they are evidence that inventory, rotation, and recertification are not synchronised. When the enterprise cannot see expiry risk or inactive identities, it cannot credibly claim control over machine identity risk. The practitioner takeaway is simple: if expiry and dormancy are recurring, governance is already lagging.
From our research:
- 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
- 59% of companies face greater difficulties auditing machine identities, primarily due to lack of clear ownership and limited visibility.
- That governance gap is already operational at scale, which is why teams should also review the Ultimate Guide to NHIs for lifecycle and control design.
What this signals
Machine identity sprawl is now a governance signal, not just an operations metric. With 74% of organisations saying machine identity management complexity has increased significantly in the past two years, programme owners should assume the control environment will keep drifting unless discovery and review are continuous. The practical test is whether inventory, ownership, and rotation evidence can be produced without manual assembly.
The next phase of NHI governance is less about counting identities and more about proving which identities are still justified, which are overprivileged, and which are now orphaned. Teams that cannot answer those questions at speed will keep discovering risk through incidents and audits rather than through control design.
Credential lifetimes and accountability windows are becoming the decisive control boundary. As machine identities are treated more like governed lifecycles than static assets, teams should expect more pressure to align access review, secrets rotation, and compliance evidence in one workflow. For a standards view of that shift, the NIST Cybersecurity Framework 2.0 remains the most practical external reference point.
For practitioners
- Build a live inventory of machine identities: Track service accounts, API keys, certificates, tokens, workload identities, and automation accounts in one control view, then reconcile that inventory against cloud, CI/CD, and application sources on a continuous basis.
- Assign accountable business and technical owners: Require each machine identity to map to both a business owner who can justify the access and a technical owner who can confirm the workload dependency and support lifecycle decisions.
- Review high-risk machine permissions on a fixed cadence: Prioritise privileged service accounts, exposed API credentials, and production workload identities for recurring recertification so dormant access and privilege creep are removed before audit time.
- Automate rotation for certificates and secrets: Use automated rotation for API keys, certificates, and tokens where manual change control cannot keep pace with deployment volume or expiry risk.
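As an added example (not part of the original post or of SecurEnds's material), the Python below reconciles a constructed machine identity inventory against a constructed list of live workloads, applying the ownership, dormancy, expiry and standing-privilege checks described in the technical breakdown and the practitioner steps above. The record fields, the 90-day dormancy and 30-day expiry thresholds, and the wildcard markers treated as standing excess are all assumptions.

```python
"""Inventory reconciliation for machine identities: flags identities whose
ownership, usage, expiry or permission scope no longer justifies their access."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)       # assumed: unused this long -> dormant
EXPIRY_WARNING = timedelta(days=30)      # assumed: cert/token expiry review window
BROAD_ACTIONS = {"*", "iam:*", "admin"}  # assumed markers of standing excess

# Constructed sample inventory; field names are assumptions, not a real API.
INVENTORY = [
    {"id": "svc-billing", "kind": "service_account", "workload": "billing-api",
     "biz_owner": "finance", "tech_owner": "platform", "last_used": "2026-06-20",
     "expires": None, "permissions": ["db:read", "queue:publish"]},
    {"id": "key-legacy-etl", "kind": "api_key", "workload": "etl-v1",
     "biz_owner": None, "tech_owner": "data-eng", "last_used": "2025-11-02",
     "expires": None, "permissions": ["*"]},
    {"id": "cert-ingress", "kind": "certificate", "workload": "ingress",
     "biz_owner": "ops", "tech_owner": "platform", "last_used": "2026-06-28",
     "expires": "2026-07-10", "permissions": []},
]
# Constructed: workloads confirmed live from the deployment source of truth.
LIVE_WORKLOADS = {"billing-api", "ingress"}


def reconcile(inventory, live_workloads, now_iso):
    """Return {identity_id: [findings]} for every identity needing action."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for ident in inventory:
        issues = []
        # Both a business and a technical owner must exist.
        if not ident["biz_owner"] or not ident["tech_owner"]:
            issues.append("missing_owner")
        # Ownership is validated against the live workload dependency chain,
        # not against a name on a record.
        if ident["workload"] not in live_workloads:
            issues.append("orphaned_workload")
        if now - datetime.fromisoformat(ident["last_used"]) > DORMANT_AFTER:
            issues.append("dormant")
        if ident["expires"] and datetime.fromisoformat(ident["expires"]) - now <= EXPIRY_WARNING:
            issues.append("expiring_soon")
        if BROAD_ACTIONS & set(ident["permissions"]):
            issues.append("standing_excess")
        if issues:
            findings[ident["id"]] = issues
    return findings


if __name__ == "__main__":
    for ident_id, issues in reconcile(INVENTORY, LIVE_WORKLOADS, "2026-06-29").items():
        print(ident_id, ", ".join(issues))
```

Run continuously against the reconciled inventory rather than on an audit schedule; the output is the evidence list an owner has to act on before recertification.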
Key takeaways
- Machine identity governance is failing most visibly at the points where ownership, inventory, and lifecycle control should meet.
- The scale problem is already material, with machine identities outnumbering human users in most environments and incidents tied directly to machine identity failures.
- The fastest gains come from continuous discovery, accountable ownership, entitlement reduction, and automated rotation working as one control system.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory are central to machine identity governance gaps. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access governance apply directly to machine identities. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Machine identities require continuous verification, not static trust. |
Review machine entitlements for least privilege and remove standing excess access.
Key terms
- Machine Identity Governance: The policies and operating controls used to discover, own, review, and retire non-human identities across their lifecycle. It extends machine identity management by adding accountability, auditability, entitlement validation, and compliance evidence so service accounts, certificates, tokens, and workload identities stay governed instead of merely provisioned.
- Credential Sprawl: The uncontrolled growth of secrets, tokens, certificates, and service accounts across environments. It creates visibility gaps, makes ownership harder to assign, and increases the chance that credentials remain active after their original purpose has ended.
- Standing Privilege: Persistent access that remains available to a machine identity outside the moment it is needed. In machine identity governance, standing privilege expands blast radius because the identity can be abused long after deployment, especially when review and rotation processes are manual or delayed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
This post draws on content published by SecurEnds: machine identity governance and the controls enterprises need. Read the original.
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org