TL;DR: Security teams are finding that NHIs, multi-cloud and hybrid access patterns are stretching IAM, IGA and PAM beyond their human-centric assumptions, while the real risk is exposure to sensitive systems rather than raw account counts, according to P0 Security. Access-pathway reduction, not identity volume, is becoming the decisive governance metric.
At a glance
What this is: This analysis argues that NHI growth is exposing gaps in IAM, IGA and PAM because modern identity risk is defined by access pathways into sensitive systems, not by the number of accounts.
Why it matters: It matters because identity programmes now have to govern humans, service accounts and emerging agentic identities through the same control model without losing sight of privileged access, review discipline and exposure reduction.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read P0 Security's analysis of NHI growth and the future of PAM
Context
Non-human identity risk is the growing gap between how access is granted and how access is actually used. Service accounts, API keys, tokens and certificates now sit on the same critical paths as human users, but most identity programmes still measure inventory and authentication coverage more readily than exposure to sensitive systems.
That gap becomes more visible in hybrid and multi-cloud environments, where privileged access is distributed across platforms and teams rely on IAM, IGA and PAM controls that were built around stable human accounts. The article’s core point is that identity governance now has to follow access pathways, not just identity counts, and that is why privileged access management is being pulled into the centre of NHI governance.
For practitioners, the practical question is not whether NHIs exist in large numbers. It is whether the organisation can identify which ones can reach crown-jewel systems, who owns them, and whether review and revocation processes keep pace with the way those identities are actually used.
Key questions
Q: How should security teams govern NHIs that have privileged access in hybrid environments?
A: Security teams should govern privileged NHIs by tying each identity to a named owner, a specific business function and a documented set of reachable systems. In hybrid environments, the key is consistency across clouds, because fragmented controls create blind spots in review, rotation and offboarding. PAM, IAM and IGA need shared entitlement data and a common lifecycle process.
Q: Why do NHIs complicate PAM and IAM programmes?
A: NHIs complicate PAM and IAM because their access is often embedded in automation, APIs and service integrations rather than in interactive logins. That means the real control problem is not authentication alone, but entitlement scope, credential lifecycle and visibility into where the identity can operate. Human-centric review processes usually miss those pathways.
Q: What breaks when identity governance focuses only on account counts?
A: When governance focuses only on account counts, teams miss the identities that can actually reach sensitive data or production systems. A small set of highly privileged service accounts can create far more risk than a large inventory of low-impact identities. Exposure analysis must replace raw inventory as the primary risk signal.
Q: Who should own revocation and review for non-human identities?
A: Ownership should sit with the team that depends on the identity for business operations, but with a formal control owner in IAM, IGA or PAM who can enforce lifecycle actions. Without that split, offboarding becomes ambiguous and privileged access persists after the workload, vendor relationship or automation path has changed.
Technical breakdown
Why access pathways matter more than NHI counts
The article’s most useful technical distinction is between inventory and exposure. A service account can be harmless in isolation, but once it has a path to customer data, production workloads or admin APIs, it becomes a governance problem. That is why NHI programmes need to model reachable privilege, not just the number of identities. In practice, this is a graph problem as much as a credential problem: what can this token, role or key reach, through which trust chain, and under what conditions?
Practical implication: Map each NHI to the systems it can actually reach, then remove or constrain any pathway that is not operationally required.
How PAM changes when the privileged actor is non-human
Traditional PAM assumes a human operator who requests elevation, uses it briefly and can be reviewed later. NHIs break that mental model because privileged access may be persistent, machine-mediated and distributed across automation layers. PAM therefore has to move from session-only control to entitlement governance, credential scope and lifecycle enforcement. The important shift is that privileged access for NHIs is often embedded in application workflows, so the control surface includes secret issuance, token scope, rotation and offboarding, not only interactive elevation.
Practical implication: Extend PAM controls to machine credentials, enforce least privilege at issuance, and tie every privileged NHI to an explicit owner and lifecycle.
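One way to make "enforce least privilege at issuance" concrete, as an added example that is not code from P0 Security or NHI Mgmt Group: a small issuance gate that refuses machine-credential requests lacking an owner, asking for wildcard or out-of-policy scopes, or asking for standing (non-expiring) privilege, and otherwise mints a scoped, short-lived credential. The policy table, workload names, scope strings and TTL limits are constructed for illustration.

```python
"""Issuance-time least privilege for machine credentials.

Added example; it is not code from P0 Security or NHI Mgmt Group. The policy
table, workload names, scope strings and TTL limits are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# What each business function may hold and for how long. Constructed values:
# a real table would be owned by the PAM/IGA control owner, not the workload team.
ISSUANCE_POLICY = {
    "ci-deploy": {"scopes": {"k8s:deploy:payments", "artifacts:read"}, "max_ttl": timedelta(hours=1)},
    "reporting": {"scopes": {"warehouse:read"}, "max_ttl": timedelta(hours=8)},
}


@dataclass(frozen=True)
class CredentialRequest:
    workload: str
    function: str            # key into ISSUANCE_POLICY
    owner: str | None        # accountable human or team; None is what we want to reject
    scopes: frozenset[str]
    ttl: timedelta | None    # None means "never expires", i.e. standing privilege


@dataclass(frozen=True)
class IssuedCredential:
    workload: str
    owner: str
    scopes: frozenset[str]
    expires_at: datetime


def validate(req: CredentialRequest) -> list[str]:
    """Return every policy violation; an empty list means the request may be issued."""
    policy = ISSUANCE_POLICY.get(req.function)
    if policy is None:
        return [f"unknown function {req.function!r}: no issuance policy"]
    problems = []
    if not req.owner:
        problems.append("no accountable owner")
    wild = sorted(s for s in req.scopes if "*" in s)
    if wild:
        problems.append(f"wildcard scopes not allowed: {wild}")
    extra = sorted(req.scopes - policy["scopes"] - set(wild))
    if extra:
        problems.append(f"scopes outside function policy: {extra}")
    if req.ttl is None:
        problems.append("standing (non-expiring) credential requested")
    elif req.ttl <= timedelta(0) or req.ttl > policy["max_ttl"]:
        problems.append(f"ttl {req.ttl} outside (0, {policy['max_ttl']}]")
    return problems


def issue(req: CredentialRequest, now: datetime) -> IssuedCredential:
    """Mint a scoped, expiring credential or refuse with every reason at once."""
    problems = validate(req)
    if problems:
        raise PermissionError("; ".join(problems))
    return IssuedCredential(req.workload, req.owner, req.scopes, now + req.ttl)


# Weak request: unowned, wildcard scope, never expires. This is the shape of
# privilege that lingers after the workload changes.
WEAK = CredentialRequest("payments-ci", "ci-deploy", None,
                         frozenset({"k8s:*", "artifacts:read"}), None)
# Corrected request: named owner, only the scopes the function needs, 30 minutes.
SCOPED = CredentialRequest("payments-ci", "ci-deploy", "platform-team",
                           frozenset({"k8s:deploy:payments", "artifacts:read"}),
                           timedelta(minutes=30))

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("weak request rejected:", validate(WEAK))
    print("scoped credential:", issue(SCOPED, now))
```

The gate returns every violation rather than the first one, so the requesting team sees the whole gap between what it asked for and what the function's policy allows; the owner check is deliberately a hard failure, because an unowned credential has no decision point for offboarding later.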
Why multi-cloud makes identity governance harder
Multi-cloud and hybrid environments multiply the number of access pathways without creating a single control plane. That makes it harder for IAM, IGA and PAM tools to agree on the same source of truth for NHI ownership, entitlement and revocation. When the same workload identity can touch several cloud platforms, the real failure mode is inconsistent visibility across environments. Governance has to be consistent even when the execution environment is not. Without that, access reviews become partial and revocation becomes uneven.
Practical implication: Build a cross-platform inventory of NHI entitlements and review it against the same ownership and offboarding standard in every environment.
NHI Mgmt Group analysis
Access pathways, not identity counts, are the governing unit of NHI risk. The article is right to reject headline metrics that focus only on volume. A CISO does not suffer because an enterprise has many service accounts, but because one of them can reach sensitive systems through an overlooked trust chain. That shifts the discipline from counting identities to measuring exposure paths. The implication is that NHI governance must be built around reachability, not population size.
PAM is becoming the control plane for NHI privilege, not just human elevation. The future described here does not require inventing a fourth pillar of identity, but it does require PAM to absorb machine credentials, scoped secrets and workflow-bound privilege. That matters because privileged access is now expressed through tokens, roles and APIs as often as through interactive sessions. Practitioners should treat privileged machine access as first-class PAM territory.
Hybrid and multi-cloud identity sprawl exposes the limits of fragmented governance. When one workload identity can operate across several platforms, access review and revocation only work if ownership, entitlement and offboarding are coordinated across those environments. The problem is not merely tool overlap, but inconsistent governance boundaries. The implication is that identity programmes need a single accountable model for NHI lifecycle control across cloud estates.
NHIs outnumber human identities by 25x to 50x in modern enterprises. That scale creates a structural asymmetry between the number of identities and the number of staff who can govern them. The result is not just more work, but a different operating model, where automation, ownership and visibility become prerequisites rather than optimisation projects. Practitioners should assume that human-style review processes will not scale without NHI-specific controls.
Excess privilege is the real accelerant of NHI compromise. The article’s emphasis on whether a stray token, role or API key can reach crown-jewel assets points to the core failure mode. Excess privilege turns ordinary credentials into breach pathways and makes remediation lag far more dangerous. The implication is that least privilege has to be measured by reachable asset exposure, not by policy language alone.
From our research:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which explains why privilege persists long after teams think they have closed the loop.
- For a deeper control perspective, the NHI Lifecycle Management Guide shows how provisioning, rotation and offboarding should be connected across the identity lifecycle.
What this signals
Excess privilege is the signal to watch first: in NHI programmes, the biggest risk is not credential volume but the number of identities that can touch sensitive systems without a business-justified reason. Teams should prioritise reachable privilege reduction before they try to normalise every inventory source.
The governance model will keep shifting toward unified lifecycle control across humans, machine identities and emerging agentic identities, because the same review and offboarding problem now appears in three forms. The practical test is whether the programme can prove ownership, scope and revocation across clouds, not whether it can enumerate every account.
With only 5.7% of organisations reporting full visibility into service accounts, visibility itself is now a programme maturity milestone rather than an operational nice-to-have. That is why identity teams should pair inventory work with lifecycle enforcement and external standards such as the NIST Cybersecurity Framework 2.0.
For practitioners
- Inventory reachable NHI privilege: Build an inventory of service accounts, API keys, tokens and certificates that can reach production or customer data, then classify them by actual access pathways rather than by owner team alone.
- Bind each NHI to a named owner: Require an accountable human or system owner for every privileged NHI so offboarding, review and exception handling have a clear decision point.
- Consolidate PAM and lifecycle controls: Treat rotation, offboarding and privilege review as a single control chain so machine credentials are removed or narrowed when the underlying workload, vendor or workflow changes.
- Measure exposure instead of volume: Report the number of NHIs that can reach crown-jewel assets, the number with standing privilege, and the number that lack a current review, because those signals show whether governance is improving.
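The reachability question posed under "Why access pathways matter more than NHI counts" (what can this token, role or key reach, through which trust chain, and under what conditions) and the exposure metrics in the last item above, worked through as an added example rather than code from P0 Security or NHI Mgmt Group. The identities, grants, trust conditions, crown-jewel list and 90-day review window are all constructed for illustration; the point is the shape of the computation, not the data.

```python
"""Trust-chain reachability and exposure metrics for non-human identities.

Added example; it is not code from P0 Security or NHI Mgmt Group. Every
identity, role, resource, grant and trust condition below is constructed for
illustration, as is the 90-day review window.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Nhi:
    name: str
    kind: str               # service_account, api_key, token, certificate
    owner: str | None       # None: nobody is accountable for this identity
    standing: bool          # True: privilege is always on, not elevated just in time
    last_review: date | None


# Constructed inventory of four NHIs.
NHIS = [
    Nhi("ci-runner-token", "token", "platform-team", standing=False, last_review=date(2025, 9, 1)),
    Nhi("reporting-sa", "service_account", None, standing=True, last_review=None),
    Nhi("legacy-backup-key", "api_key", "ops-team", standing=True, last_review=date(2024, 1, 15)),
    Nhi("metrics-agent-cert", "certificate", "sre-team", standing=True, last_review=date(2025, 10, 1)),
]

# Direct grants: principal (NHI or role) -> resources it can touch on its own.
GRANTS = {
    "ci-runner-token": {"build-artifacts-bucket"},
    "deploy-role": {"prod-k8s-cluster"},
    "db-admin-role": {"prod-customer-db"},
    "reporting-sa": {"analytics-warehouse"},
    "analytics-reader-role": {"prod-customer-db"},
    "legacy-backup-key": {"backup-bucket", "kms/payments-key"},
    "metrics-agent-cert": {"metrics-endpoint"},
}

# Trust edges: source may assume target when the condition holds for the
# request context (for example which repository a CI token was minted for).
TRUST = [
    ("ci-runner-token", "deploy-role", lambda ctx: ctx.get("repo") == "acme/payments"),
    ("deploy-role", "db-admin-role", lambda ctx: True),
    ("reporting-sa", "analytics-reader-role", lambda ctx: ctx.get("env") == "prod"),
]

CROWN_JEWELS = {"prod-customer-db", "kms/payments-key", "iam:admin-api"}


def reachable(start: str, ctx: dict) -> dict[str, list[str]]:
    """Breadth-first search over trust edges whose condition holds for ctx.

    Returns every reachable resource mapped to the shortest principal chain
    that reaches it, e.g. ["ci-runner-token", "deploy-role", "db-admin-role"].
    """
    paths: dict[str, list[str]] = {}
    seen = {start}
    queue = deque([[start]])
    while queue:
        chain = queue.popleft()
        here = chain[-1]
        for resource in GRANTS.get(here, ()):
            paths.setdefault(resource, chain)
        for src, dst, cond in TRUST:
            if src == here and dst not in seen and cond(ctx):
                seen.add(dst)
                queue.append(chain + [dst])
    return paths


def crown_jewel_paths(nhi: str, ctx: dict) -> dict[str, list[str]]:
    """Only the pathways that end on a crown-jewel asset."""
    return {r: c for r, c in reachable(nhi, ctx).items() if r in CROWN_JEWELS}


def exposure_metrics(nhis: list[Nhi], ctx: dict, today: date,
                     review_max_days: int = 90) -> dict[str, int]:
    """The exposure signals worth reporting instead of raw identity volume."""
    exposed = [n for n in nhis if crown_jewel_paths(n.name, ctx)]
    stale = [n for n in exposed
             if n.last_review is None or (today - n.last_review).days > review_max_days]
    return {
        "total": len(nhis),
        "reach_crown_jewels": len(exposed),
        "standing_privilege": sum(1 for n in exposed if n.standing),
        "review_stale": len(stale),
        "no_owner": sum(1 for n in exposed if n.owner is None),
    }


if __name__ == "__main__":
    ctx = {"repo": "acme/payments", "env": "prod"}
    for n in NHIS:
        for resource, chain in crown_jewel_paths(n.name, ctx).items():
            print(f"{n.name} -> {resource} via {' -> '.join(chain)}")
    print(exposure_metrics(NHIS, ctx, date(2025, 10, 14)))
```

Run as a script it prints each crown-jewel pathway with the chain of role assumptions behind it and then the metric summary. Changing the request context (for example the repository the CI token was minted for) changes which edges are live and therefore which identities count as exposed; that conditional part is what a flat inventory of four accounts cannot show, and it is why the same identity can be low-risk in one environment and a breach pathway in another.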
Key takeaways
- NHI governance fails when teams measure account volume instead of reachable access to sensitive systems.
- Excess privilege, fragmented hybrid visibility and weak offboarding are the control gaps most likely to leave privileged machine access exposed.
- Identity programmes should unify PAM, IAM and IGA around ownership, lifecycle and exposure reduction for humans and NHIs alike.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Excess privilege and rotation gaps are central to the article's NHI risk model. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations are managed, enforced and reviewed under least privilege for human and machine identities alike. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Per-request, least-privilege access to individual resources is the same exposure-path reduction the piece stresses across hybrid environments. |
Enforce least privilege for workload and service identities so access is limited to explicitly required paths.
Key terms
- Non-Human Identity: A non-human identity is a digital identity used by a workload, service account, API key, token, certificate or agent to authenticate and access systems. In practice, it can carry real privilege and create breach exposure if ownership, scope and lifecycle are not governed.
- Access Pathway: An access pathway is the route an identity can take to reach a sensitive system, application or dataset. It is more useful than raw identity counts because it shows whether a token, role or account can actually touch crown-jewel assets through a trust chain.
- Privileged Access Management: Privileged access management is the discipline of controlling high-risk access that can change systems, data or security settings. For NHIs, PAM extends beyond interactive sessions to include credential scope, rotation, entitlement review and lifecycle offboarding.
- Identity Exposure: Identity exposure is the amount of real business or technical damage an identity can cause if abused. It is determined by reachability, privilege and persistence, not simply by whether the identity exists or how often it authenticates.
What's in the full article
P0 Security's full post covers the operational detail this analysis intentionally leaves for the source:
- The article’s interview framing with Lalit Choda and how that conversation shaped the PAM perspective.
- The specific arguments used to compare IAM, IGA and PAM responsibilities for humans and NHIs.
- The Black Hat discussion points about hybrid and multi-cloud access complexity.
- The article’s closing view on whether teams should add point solutions or adapt the platforms they already run.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org