TL;DR: Non-human identities now outnumber human users by 144 to 1 and are growing 4 to 10 times faster, while fewer than 25% of organisations have formal policies for creating or decommissioning them, according to Commvault. The real governance problem is not just more machine accounts, but a machine-layer attack surface that traditional human-centric controls do not reliably see.
At a glance
What this is: This is a Commvault analysis arguing that NHI sprawl, excessive privilege, and vishing-driven account takeover are creating a larger machine-layer attack surface than most identity programmes govern today.
Why it matters: It matters because IAM, PAM, and IGA teams have to manage NHIs as first-class identities, or they will keep remediating human accounts while attacker access persists in service accounts, tokens, and API keys.
By the numbers:
- Non-human identities now outnumber human users by a ratio of 144 to 1, and they are growing 4 to 10 times faster than human accounts.
- 25% of organisations have formal policies governing NHI, verning NHI creation or decommissioning.
- 449% in 2025.
👉 Read Commvault's analysis of NHI identity debt, vishing, and machine-layer compromise
Context
NHI identity debt is what happens when service accounts, API keys, OAuth tokens, and other machine identities are created faster than governance can track them. In this article, Commvault argues that the resulting exposure is no longer hypothetical, because attackers are using human-facing social engineering to reach machine-layer credentials.
The important shift is that the human account is often only the entry point. Once an attacker gets an MFA reset or help desk-assisted login, the real persistence risk sits in over-permissioned NHIs, long-lived secrets, and forgotten admin-level service accounts that traditional human-centric monitoring does not map cleanly back to ownership or lifecycle controls.
Key questions
A: Treat the event as a dual-layer identity incident. Revoke the human session, then immediately trace and disable downstream NHI credentials, including OAuth tokens, service accounts, API keys, and certificates. The objective is not only to close the entry point, but to remove the attacker’s persistence path before it moves deeper into systems and data.
Q: Why do NHIs make recovery harder than human account compromise?
A: Because NHIs often outlive the user action that exposed them and are not covered by the same user-focused remediation flow. A human password reset does not automatically revoke machine credentials or restore least privilege. That means the attacker can remain active in the environment even after the visible compromise has been fixed.
Q: What do organisations get wrong about non-human identity governance?
A: They treat NHIs as a tooling by-product instead of a governed identity class. That leads to missing owners, stale credentials, excessive permissions, and poor decommissioning. The result is identity debt, where access persists long after the workload or project that created it has changed.
Q: Who should be accountable for service accounts and tokens after a compromise?
A: The business or technical owner who can prove the identity’s purpose, scope, and retirement path should be accountable. Shared or anonymous ownership is a control failure because it prevents timely revocation, review, and rollback. Without accountable ownership, machine identities become permanent blind spots in incident response.
Technical breakdown
Why machine-layer access survives human account remediation
The core failure is separation between the human front door and the machine back plane. A reset, password change, or MFA re-enrolment can close the human account event while OAuth grants, service account permissions, and API keys continue to function. That is why NHI compromise often looks clean in the identity provider but remains active in downstream systems. Static secrets and over-broad OAuth grants also reduce the visibility needed to tell legitimate automation from attacker persistence. Practical implication: treat the machine credential, not just the user session, as the recovery object.
Practical implication: build revocation and rollback steps that target tokens, service accounts, and API grants, not only the human account.
Why excessive permissions turn NHIs into blast-radius multipliers
Most NHIs are provisioned for convenience and then left to accumulate access as projects evolve. Over time, that creates identity debt: credentials that still work, still have admin scope, and are no longer tied to a current business owner. In practice, the danger is not only compromise, but unchecked lateral reach once a single machine identity is abused. This is why NHIs behave more like high-value infrastructure than ordinary application users. Practical implication: privilege scope must be reviewed against current workload function, not historic deployment intent.
Practical implication: recertify NHI permissions against live workload requirements and remove access that outlived the project or team that created it.
How recovery-first identity security changes the control model
Recovery-first security accepts that some identity attacks will succeed because the control gap is governance, not just detection. The architecture therefore shifts from trying to block every initial foothold to rapidly identifying malicious identity changes and restoring a trusted state. That means correlating help desk activity, MFA resets, token creation, new service account provisioning, and privilege changes into one sequence. It also means treating rollback as an identity control, not just an incident response task. Practical implication: if identity telemetry cannot reconstruct the sequence, you cannot reliably recover from it.
Practical implication: correlate human and machine identity events so unauthorized privilege changes can be identified and reversed before attacker persistence spreads.
Threat narrative
Attacker objective: The attacker wants durable access that survives user remediation by shifting from the human account to machine identities with broader and less monitored reach.
- Entry begins with voice phishing or help desk impersonation that induces an MFA reset or account recovery event, giving the attacker legitimate access through the human identity path.
- Escalation occurs when the attacker pivots into the machine layer by stealing OAuth tokens, creating service accounts, or inheriting over-permissioned NHI access that was never tightly governed.
- Impact follows when that machine-layer access persists after the human account is remediated, allowing long-lived control over systems, data, and administrative workflows.
Breaches seen in the wild
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NHI identity debt is the real control gap, not just identity sprawl. Years of provisioning without lifecycle discipline create credentials that remain active after the work they supported has changed. Fewer than 25% of organisations have formal policies for NHI creation or decommissioning, which means the attack surface is expanding faster than ownership and review processes can keep up. The practitioner conclusion is simple: if the identity has no lifecycle, it has no governable boundary.
Machine-layer persistence survives human remediation because the control model is still human-centred. A help desk reset or MFA recovery action closes one doorway, but it does not revoke the OAuth grants, API keys, or service accounts that already exist in the environment. That creates a broken assumption in IAM programmes: the belief that account recovery ends the incident. In reality, the incident often moves into the non-human layer where monitoring is weaker and accountability is diffuse. The practitioner conclusion is that identity recovery must include machine credentials, not just user sessions.
Identity blast radius is now governed more by privilege scope than by initial access method. The 144 to 1 ratio of NHIs to humans means the next compromise is more likely to land on a machine identity than a person, and once it does, excessive permissions amplify the impact. This aligns with OWASP Non-Human Identity Top 10 and the Ultimate Guide to NHIs , Key Challenges and Risks: over-privilege is not a hygiene issue, it is a blast-radius issue. The practitioner conclusion is to govern scope as a containment control, not an administrative detail.
Recovery-first identity security is becoming the only realistic operating model for under-governed NHI estates. Traditional prevention-first assumptions fail when attackers can blend social engineering with machine-layer persistence. Correlating identity events across help desk, MFA, token issuance, and service account creation is therefore more valuable than treating each event as a separate alert stream. The practitioner conclusion is to design for rollback speed, because containment is increasingly a race against identity propagation.
Named concept: identity debt. This is the accumulation of unmanaged credentials, excessive permissions, and missing lifecycle controls that create hidden access persistence over time. The concept matters because it explains why mature-looking IAM programmes can still fail under machine-layer attack. The practitioner conclusion is to measure identity debt explicitly, then reduce it as a core governance objective.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- That same research shows 60% of NHIs are being overused, with the same NHI utilised by more than one application, which is why lifecycle control must move upstream into ownership and scope decisions.
What this signals
Identity debt will remain the hidden failure mode in NHI programmes. When credentials persist after ownership has changed, every new workload inherits old risk. That is why the next maturity step is not more inventory alone, but lifecycle control tied to decommissioning, privilege scope, and accountability. For background, practitioners can use the NHI Lifecycle Management Guide alongside the OWASP Non-Human Identity Top 10.
Recovery time is becoming an identity control in its own right. If a programme cannot reverse unauthorized token creation or service account provisioning quickly, then it is still assuming prevention will always hold. The operational question for IAM and PAM teams is how fast they can return the environment to a known-trusted state after the human entry point has already failed.
Machine credentials need the same accountability model that human identities already receive. As environments grow more automated, the governance gap is not visibility alone. It is the absence of named ownership, clear retirement triggers, and auditable rollback paths for non-human access.
For practitioners
- Map the machine-layer recovery path Require incident runbooks to revoke OAuth grants, service accounts, API keys, and certificates when a human account is reset or recovered. Do not treat user remediation as the end of the event, because attacker persistence often continues in NHI credentials.
- Inventory and own every NHI Build a complete register of service accounts, tokens, and keys with named business owners, creation dates, and decommissioning triggers. If a credential cannot be assigned an owner and expiry path, it is already outside governance.
- Reduce standing privilege on machine identities Remove unnecessary administrative scope from long-lived credentials and replace it with task-specific access where the workload allows it. This narrows the blast radius when an attacker reaches the machine layer.
- Correlate human and machine identity events Join help desk, MFA, token issuance, new service account creation, and privilege change logs into one identity timeline. The goal is to detect the chain early enough to stop persistence before it spreads across systems.
- Test rollback against real identity compromise paths Run recovery exercises that simulate social engineering leading into machine credential abuse, then measure how quickly the environment returns to a known-trusted state. If rollback cannot unwind identity changes cleanly, the recovery model is incomplete.
Key takeaways
- NHI sprawl, excessive privilege, and missing lifecycle controls have created a machine-layer attack surface that human-focused IAM controls do not fully govern.
- The evidence points to a large and persistent exposure problem, with NHIs vastly outnumbering humans and former employee tokens often remaining active after offboarding.
- IAM teams should treat machine credential revocation, ownership, and rollback as core security controls, not administrative cleanup.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI sprawl, excessive privilege, and poor lifecycle control are central in this article. |
| NIST CSF 2.0 | PR.AC-4 | The article focuses on limiting and reviewing access rights for machine identities. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential management and rotation are central to limiting machine-layer persistence. |
| NIST Zero Trust (SP 800-207) | The article supports continuous verification and reduced trust in identity-based access. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | Vishing leading to token theft and machine access maps to credential access and lateral movement. |
Use IA-5 to govern secrets, rotate credentials, and revoke compromised machine access quickly.
Key terms
- Identity Debt: Identity debt is the accumulation of unmanaged credentials, over-permissioned accounts, and missing lifecycle controls that creates hidden access risk over time. In NHI environments, it shows up as stale tokens, forgotten service accounts, and access that still works even though the original business need has changed.
- Machine-Layer Access: Machine-layer access is the set of permissions used by service accounts, tokens, API keys, and other non-human identities to connect systems and perform work. It matters because it often bypasses human-style controls such as MFA prompts, user session monitoring, and normal authentication alerts.
- Recovery-First Security: Recovery-first security is an operating model that assumes some attacks will get through and therefore prioritises rapid detection, identity rollback, and return to a trusted state. For NHIs, that means revoking tokens, disabling service accounts, and removing unauthorised privilege changes as part of containment.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only for a specific task or time window. For non-human identities, it creates durable blast radius because the same credential can be reused, abused, or left active long after the original workload no longer needs it.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of how vishing, MFA resets, and help desk impersonation are chained into machine-layer access.
- Examples of how OAuth abuse and service account creation keep attacker access alive after the human account is remediated.
- The article's recovery-first framing for rollback, privilege rollback, and identity-state restoration.
- The specific ways traditional tools miss NHIs because they are built around human behaviour patterns.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org