TL;DR: Non-human identities now outnumber human users 82 to 1 in the first half of 2025, and 50% of organisations reported NHI-linked breaches in the past twelve months, according to CyberArk and NHIMG. The governance problem is not volume alone but unmanaged credentials, missing ownership, and controls that still assume human-paced access patterns.
At a glance
What this is: This is an analysis of why non-human identities have become a blind spot in modern cybersecurity, with the central finding that unmanaged machine credentials create broad and persistent access risk.
Why it matters: It matters because IAM, PAM, and IGA programmes that do not govern service accounts, tokens, API keys, and certificates alongside human identities leave a large part of the enterprise access estate outside control.
By the numbers:
- In the first half of 2025, non-human identities outnumbered human users by a ratio of 82 to 1, according to CyberArk.
- 77% acknowledge that every undiscovered machine identity is a latent vulnerability, according to CyberArk.
- 50% of organisations have suffered breaches linked to non-human identities in the past twelve months, according to NHI Mgmt Group.
👉 Read Soffid's article on non-human identity blind spots in modern cybersecurity
Context
Non-human identity governance is the discipline of controlling machine credentials, service accounts, tokens, API keys, and certificates with the same rigor applied to human access. The problem is that these identities often accumulate outside the core IAM programme, which means no clear owner, weak rotation, and limited monitoring.
The article argues that the real failure is not that NHIs exist, but that they are treated as background infrastructure rather than first-class identities. That is a familiar pattern in mature environments, where cloud platforms, integrations, and AI-enabled workflows create more credentials faster than security teams can inventory and govern them.
Key questions
Q: How should security teams govern non-human identities alongside human accounts?
A: Security teams should govern non-human identities in the same identity programme as human accounts, but with controls tuned to machine behaviour. That means ownership, inventory, rotation, least privilege, logging, and retirement must all be explicit. If NHIs sit outside IAM, PAM, or IGA, they become unowned access paths rather than governed identities.
Q: Why do machine identities create more risk than many teams expect?
A: Machine identities create more risk because they are numerous, persistent, and often invisible to standard access review processes. A single exposed API key or service account can provide broad access without a login event or human intervention. The risk rises sharply when credentials are reused, over-privileged, or left unrotated.
Q: What do organisations get wrong about vaulting secrets?
A: Organisations often treat vaulting as the finish line when it is only one control in the chain. A secret stored safely can still be over-privileged, unrotated, or used by an identity with no accountable owner. Real security requires vaulting plus lifecycle control, monitoring, and revocation.
Q: Which framework should teams use for non-human identity governance?
A: OWASP NHI guidance is the most direct starting point for machine identity governance, with NIST CSF useful for linking discovery, protection, detection, and response. Teams should use the framework to structure inventory, rotation, and access review work rather than treating NHI as an isolated technical problem.
Technical breakdown
Why unmanaged machine credentials become permanent access paths
A non-human identity is a digital credential used by a machine, service, or application to authenticate and access resources. The security problem begins when these credentials are issued without lifecycle ownership, rotation, or telemetry. Unlike human identities, NHIs often persist in code, pipelines, integrations, and vaults long after the original business need has changed. That creates standing access paths that are hard to see and harder to retire. In practice, the risk is not just compromise of a secret but accumulation of invisible trust relationships across cloud and SaaS environments.
Practical implication: centralise ownership and rotation for every machine credential before it becomes an untracked access path.
How NHI sprawl defeats visibility and least privilege
NHI sprawl occurs when service accounts, API keys, and tokens multiply across teams and platforms faster than governance can classify them. Once that happens, least privilege becomes difficult to enforce because the security team does not have a complete inventory of who or what holds access. Over-privilege is then reinforced by convenience, especially in automated workflows where broad access is granted to avoid breaking integrations. Centralised identity management is therefore not a reporting exercise, it is the only way to apply consistent policy across machine identities.
Practical implication: inventory all NHIs, map their owners and entitlements, and remove broad access that exists only to keep integrations running.
Why vaulting and credential rotation still need governance
Vaulting protects secrets at rest, but it does not by itself solve governance. If rotation, logging, and anomaly detection are not tied to the same identity engine, the organisation still cannot tell whether a token is active for a valid reason or simply forgotten. Sanitised logs matter because API keys and tokens can otherwise leak into incident data and monitoring feeds. Effective NHI control therefore combines secure storage, automatic rotation, least privilege, and auditability in one operating model rather than treating each as a standalone tool.
Practical implication: pair vaulting with rotation, masking, and monitoring so secret protection does not stop at storage.
Threat narrative
Attacker objective: The attacker wants to exploit hidden machine access paths to reach systems and data without triggering the controls designed for human authentication.
- Entry occurs when exposed secrets, API keys, or service account credentials are discovered in code, logs, pipelines, or third-party integrations.
- Escalation follows when those standing credentials provide broad access without tight scope, allowing the attacker to move through connected systems or reuse trust relationships.
- Impact is reached when the attacker uses persistent machine access to exfiltrate data, disrupt operations, or establish durable access that is difficult to detect and revoke.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NHI sprawl is the control problem, not just the inventory problem. The article correctly points to proliferation, but the deeper issue is that identity programmes still treat many machine credentials as operational clutter rather than governed identities. Once service accounts and tokens outnumber human users at scale, unmanaged access becomes a structural risk, not an exception. Practitioners should treat visibility as a prerequisite to policy enforcement, not a dashboard metric.
Blind-spot governance is the right named concept for this risk. An organisation can own an IAM platform and still fail if NHIs exist outside its control plane, because the real vulnerability is not existence but exclusion from governance. This is where OWASP-NHI and NIST CSF alignment matters: the control objective is not simply protecting secrets, but ensuring every machine identity is discoverable, attributable, and revocable. The practitioner conclusion is that any identity programme without NHI coverage is incomplete by design.
Least privilege does not hold when machine identities are provisioned for convenience. The article describes broad access, but the underlying pattern is that automated systems are often granted more privilege than their actual task requires because teams optimise for uptime. That creates durable blast radius when a secret is exposed or reused. The operational lesson is to remove convenience-based over-privilege from machine access models before it becomes the default.
Vaulting alone does not close the governance gap. Secure storage is valuable, but if rotation, masking, and anomaly detection are not bound to lifecycle ownership, the organisation still lacks a complete access story. This is why NHI governance must sit inside IAM, PAM, and IGA rather than beside them. The practitioner implication is clear: treat machine credentials as governed identities with owners, reviews, and retirement paths.
The market is moving toward unified identity control planes for humans and machines. The article’s emphasis on centralisation reflects a wider shift: security teams no longer have the tolerance for separate tools that each manage a slice of identity risk. That direction is consistent with NIST-CSF and OWASP-NHI thinking, where discovery, policy enforcement, and response must be connected. Practitioners should expect governance models that do not unify human and non-human identity to become increasingly hard to defend.
From our research:
- 50% of organisations have suffered breaches linked to non-human identities in the past twelve months, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a deeper view of the breach patterns behind that figure, see 52 NHI Breaches Analysis, which maps common failure modes across real incidents.
What this signals
Blind-spot governance: this is the point at which NHI risk becomes an operating-model issue, not a tooling issue. If the programme cannot discover every machine credential, it cannot certify or retire access with confidence. That is why coverage, attribution, and ownership have to be built into the identity lifecycle from the start.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security, the same blind-spot pattern is already present in connected ecosystems. Teams that only govern internal service accounts will still miss the delegated access paths that attackers often prefer.
Practitioners should expect NHI governance to converge with broader identity architecture choices, especially around the Ultimate Guide to NHIs and OWASP NHI guidance. The organisations that build one control model for discovery, rotation, and revocation will be better placed to absorb cloud, SaaS, and AI-driven growth without multiplying their attack surface.
For practitioners
- Build a complete NHI inventory Map service accounts, API keys, tokens, and certificates to owners, business purpose, and system scope. Make the inventory part of the identity programme, not a separate asset register.
- Tie rotation to lifecycle ownership Require each machine credential to have an owner, rotation cadence, and retirement trigger. Credentials that cannot be rotated or retired on schedule should be treated as high risk.
- Reduce privilege before a secret is exposed Review every non-human identity for access that exceeds its task scope, then remove standing permissions that exist only to avoid operational friction.
- Mask secrets in logs and detection feeds Ensure tokens, API keys, and certificates are sanitised before they reach monitoring, ticketing, or incident records so they cannot become secondary exposure paths.
- Unify IAM, PAM, and IGA for machine identities Use one governance model so discovery, policy enforcement, approval, and certification apply consistently to both human and non-human identities.
Key takeaways
- Non-human identities have become a primary blind spot because they are numerous, persistent, and often outside the core identity programme.
- The evidence is now broad enough to treat NHI governance as an operational requirement, not an emerging best practice.
- The practical response is to unify ownership, rotation, least privilege, and monitoring across every machine credential.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on unmanaged credentials and poor rotation across NHIs. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management are central to the article's governance model. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential lifecycle and authenticator management directly apply to machine secrets. |
| NIST Zero Trust (SP 800-207) | The article's zero-trust implications depend on continuous verification of machine access. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | Exposed secrets and over-privileged access map to common attacker tactics. |
Track exposed machine credentials to credential access and lateral movement detection priorities.
Key terms
- Non-Human Identity: A non-human identity is a digital credential used by a machine, service, workload, or application to authenticate and access resources. In practice, it includes API keys, service accounts, tokens, and certificates that must be governed as identities, not treated as background infrastructure.
- NHI Sprawl: NHI sprawl is the uncontrolled growth of machine identities across cloud, SaaS, and integration environments. It creates governance drift because security teams lose visibility into ownership, privilege, and retirement, which makes access review and revocation incomplete even when tools exist.
- Secret Rotation: Secret rotation is the planned replacement of credentials such as keys, tokens, and certificates so old values cannot be reused indefinitely. For non-human identities, rotation only works when it is tied to ownership, monitoring, and revocation, otherwise it becomes a mechanical task with little governance value.
- Identity Blast Radius: Identity blast radius is the amount of access an identity can expose if it is compromised or misused. For machine identities, the blast radius is often larger than teams expect because credentials are long-lived, widely reused, and frequently granted more privilege than the task actually needs.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- The article's own framing of why NHIs sit outside traditional controls in many environments.
- The practical examples of how centralised IAM, PAM, and IGA are positioned to reduce blind spots.
- The vendor's description of vaulting, automatic rotation, least privilege, and sanitised logging as a combined operating model.
👉 Soffid's full post expands on why visibility, rotation, and centralised governance matter for NHIs.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org