TL;DR: Non-human identities now outnumber human users by as much as 46 to 1, while 88.5% of organisations say their non-human IAM practices lag or only match user IAM, according to Delinea and Aembit research. The governance problem is not scale alone, but the fact that discovery, privilege, offboarding, and monitoring are still handled as separate controls.
At a glance
What this is: This is a Delinea analysis of why non-human identities have become the silent majority and why current governance models are not keeping pace with their scale and lifecycle risk.
Why it matters: It matters because IAM, PAM, IGA, and cloud teams need to govern service accounts, tokens, APIs, and bots as a distinct identity population, not as an afterthought to human access management.
By the numbers:
- Non-human identities such as service accounts, application tokens, CI/CD tools, and APIs can outnumber human users by 46 to 1.
Context
Non-human identity governance is the discipline of creating, using, rotating, and retiring machine credentials with the same rigour applied to human access. In modern enterprises, the problem is no longer whether NHIs exist, but whether anyone can see them, scope them, and revoke them when their purpose ends.
Delinea's point is that current IAM models fail when NHIs are treated as static plumbing rather than governed identities. That gap shows up in overprivilege, secret leakage, weak offboarding, and limited monitoring, which is why lifecycle controls and zero trust thinking must extend across machine and automation identities.
Key questions
Q: What breaks when service accounts are reused across multiple applications?
A: Reusing the same service account across multiple applications makes blast radius much larger than the workload requires. If that credential is exposed, attackers can pivot into every system that trusts it, and defenders lose the ability to revoke access selectively. Unique identities per application are what make containment and accountability possible.
Q: Why do NHIs complicate zero trust architecture?
A: NHIs complicate zero trust because they authenticate non-interactively, often at machine speed, and may exist outside normal user review cycles. Zero trust still applies, but the control model has to include continuous discovery, precise entitlement scope, and fast revocation for credentials that can be reused or cloned without a person present.
Q: How do security teams know if NHI governance is working?
A: Good NHI governance shows up in fewer shared credentials, shorter secret lifetimes, clear ownership for every machine identity, and offboarding that actually removes unused accounts. If teams still find tokens in chat, code, or ticketing systems, or cannot prove who owns a service account, the programme is not under control.
Q: Who should own non-human identity risk in an enterprise?
A: Non-human identity risk should be owned jointly by IAM, PAM, cloud, and platform teams, with clear accountability for inventory, entitlement scope, rotation, and retirement. If ownership sits only with operations or only with security, NHIs tend to stay embedded in workflows without lifecycle control or auditable decision-making.
Technical breakdown
Why NHI discovery and inventory fail first
NHI discovery is the starting point because organisations cannot govern identities they cannot enumerate. Service accounts, API keys, tokens, certificates, and bot credentials often live across code repositories, ticketing systems, cloud consoles, and vaults, which creates fragmented visibility. Once credentials are scattered, the organisation loses the ability to answer basic questions about ownership, purpose, or exposure. That is why discovery is not just an inventory exercise. It is the control layer that makes later steps like rotation, offboarding, and privilege review technically possible.
Practical implication: establish continuous NHI discovery across repositories, collaboration tools, cloud platforms, and vaults before tightening policy.
How overprivileged service accounts expand blast radius
Overprivileged NHIs are dangerous because machine identities usually authenticate non-interactively and can be reused at scale by automated processes. When one credential has broad access, compromise of that credential becomes a path to lateral movement across applications, environments, or data stores. The risk is amplified when the same NHI is shared by multiple applications or when permissions are granted for convenience instead of function. Least privilege for NHIs therefore depends on precise scoping, ownership, and entitlement review, not just stronger authentication.
Practical implication: map effective permissions for each NHI and reduce shared or cross-application credentials first.
Why lifecycle management matters more than secret storage
Secret vaults reduce exposure, but they do not by themselves solve identity lifecycle failure. A credential can be vaulted, rotated, and still remain active long after the workload, vendor relationship, or application purpose has changed. That is why NHI governance has to include provisioning, rotation, decommissioning, and deactivation as one control chain. If offboarding is weak, long-lived or orphaned credentials become persistent entry points. Lifecycle management is the part of NHI security that turns a credential from a static asset into a governed identity with an end state.
Practical implication: tie vaulting to ownership and decommissioning workflows so retired NHIs are actually removed from service.
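The "rotation gate" below is an added example, not Delinea's or NHIMG's code, showing how a rotation workflow can be made to ask the lifecycle questions first: is the workload still there, is anyone using the credential, is there an owner, is it shared. Thresholds, field names and the sample inventory are assumptions constructed for the example; it also covers the "link rotation to decommissioning" step in the practitioner list further down.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Thresholds are assumptions for this example, not guidance from the article.
MAX_IDLE_DAYS = 90        # no authentication this long -> treat as orphaned
MAX_SECRET_AGE_DAYS = 90  # current secret older than this -> rotate

@dataclass
class NhiRecord:
    name: str                      # service account, token or key label
    owner: str | None              # accountable person or team, None if unknown
    workload_exists: bool          # does the consuming application still run?
    last_used: date | None         # last successful authentication observed
    secret_issued: date            # when the current secret was minted
    consumers: list[str] = field(default_factory=list)  # apps presenting it

def rotation_gate(rec: NhiRecord, today: date) -> tuple[str, list[str]]:
    """Decide RETIRE / ESCALATE / ROTATE / KEEP for one identity, with reasons.
    Retirement checks run first so a dead credential is never simply renewed."""
    reasons: list[str] = []
    if not rec.workload_exists:
        reasons.append("workload decommissioned")
    if rec.last_used is None or (today - rec.last_used).days > MAX_IDLE_DAYS:
        reasons.append(f"no use in the last {MAX_IDLE_DAYS} days")
    if reasons:
        return "RETIRE", reasons
    if rec.owner is None:
        reasons.append("no accountable owner to confirm the access is still needed")
    if len(rec.consumers) > 1:
        reasons.append(f"shared by {len(rec.consumers)} applications; split before renewing")
    if reasons:
        return "ESCALATE", reasons
    if (today - rec.secret_issued).days > MAX_SECRET_AGE_DAYS:
        return "ROTATE", [f"secret older than {MAX_SECRET_AGE_DAYS} days"]
    return "KEEP", []

def review_inventory(records: list[NhiRecord], today: date) -> dict[str, str]:
    """Run the gate over a whole inventory and return name -> decision."""
    return {r.name: rotation_gate(r, today)[0] for r in records}

# Constructed sample inventory (no real identities).
TODAY = date(2025, 8, 26)
SAMPLE = [
    NhiRecord("svc-billing-db", "payments-team", True, date(2025, 8, 25), date(2025, 3, 1), ["billing"]),
    NhiRecord("svc-legacy-etl", "data-team", False, date(2025, 8, 20), date(2025, 8, 1), ["etl"]),
    NhiRecord("svc-shared-s3", "platform", True, date(2025, 8, 26), date(2025, 8, 1), ["reports", "backup"]),
    NhiRecord("api-key-vendor-x", None, True, date(2025, 2, 1), date(2025, 1, 15), ["vendor-sync"]),
    NhiRecord("svc-ci-deploy", "platform", True, date(2025, 8, 26), date(2025, 8, 1), ["ci"]),
]
```

Calling `review_inventory(SAMPLE, TODAY)` retires the decommissioned and the idle credential, escalates the ownerless and the shared ones, and only rotates or keeps identities that pass every lifecycle check.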
Threat narrative
Attacker objective: The attacker wants durable machine-level access that can be reused to move laterally, exfiltrate data, or operate inside business systems without relying on a human account.
- Entry occurs through exposed or overused NHI credentials, such as tokens, API keys, or service accounts that were left accessible in normal collaboration or development workflows.
- Escalation follows when the compromised credential carries broader permissions than the workload actually needs, allowing the attacker to move into adjacent systems or data.
- Impact comes from persistent access, shared-use credentials, or weak offboarding, which lets the attacker reuse the same identity until detection and revocation catch up.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Non-human identity sprawl is now a governance problem, not just an operational one. When NHIs can outnumber human users by 46 to 1, the limiting factor becomes ownership, lifecycle, and review capacity rather than simple account creation. The article correctly shows that fragmented governance leaves machine identities exposed across development, cloud, and collaboration layers. Practitioners should treat NHI scale as a governance redesign trigger, not as an inventory footnote.
Human-use-of-NHI is a named failure mode, not a minor misuse pattern. The article's discussion of developers and admins using shared accounts for manual work captures a common control collapse: the identity stops reflecting the actor. That breaks auditability, privilege containment, and accountability at the same time. The implication is that machine identities must not become surrogate human accounts in day-to-day operations.
Lifecycle failure is the recurring weak point in NHI programmes. The same identity can be created quickly, reused broadly, and left active long after its original purpose ends. That pattern maps directly to OWASP-NHI concerns around offboarding, long-lived secrets, reuse, and insecure deployment configurations. Security teams should read this as evidence that lifecycle governance is the control plane for NHI risk.
Automated systems should be governed as identities, not tolerated as infrastructure. Bots, APIs, CI/CD tools, and AI-adjacent workflows all rely on credentials that can be enumerated, scoped, monitored, and retired. Zero Trust and NIST CSF thinking only work here when the machine subject is treated as an identity with explicit control ownership. Practitioners should align NHI management to NIST Cybersecurity Framework 2.0 and OWASP-NHI, not to ad hoc platform administration.
From our research:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- Use the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs to connect discovery, rotation, and offboarding into one operating model.
What this signals
Identity sprawl is now a programme design issue. When NHIs outnumber humans by 46 to 1, manual review cycles and spreadsheet governance cannot keep pace with the number of credentials that need ownership, scope, and retirement. Teams should expect their current IAM operating model to fail first at discovery and then at offboarding.
Secret exposure without revocation remains the central gap. GitGuardian's finding that 64% of valid secrets leaked in 2022 are still exploitable today shows why detection alone is insufficient. The operational shift is toward fast remediation, automated expiry, and lifecycle enforcement across vaults, code, and collaboration systems.
Machine identities need the same lifecycle discipline as human access. If your programme can review and offboard people but cannot reliably retire service accounts, tokens, and APIs, then your identity governance is incomplete. The practical next step is to make NHI ownership, review, and retirement visible in the same control plane as the rest of IAM.
For practitioners
- Build a complete NHI inventory across collaboration, code, and cloud systems. Search for service accounts, tokens, API keys, certificates, and bot credentials in repositories, tickets, chat tools, and vaults. Assign each one an owner, purpose, and retirement condition so you can distinguish active identities from stale exposure.
- Break shared-use machine identities into one identity per application. Eliminate cross-application reuse wherever possible, especially for credentials that touch production data or privileged systems. Unique identities reduce blast radius and make revocation, tracing, and entitlement review far more reliable.
- Link rotation to decommissioning and ownership checks. Do not stop at secret rotation. Require the same workflow to confirm whether the workload still exists, whether the owner still needs access, and whether the credential should be retired instead of renewed.
- Detect human use of machine credentials as a policy violation. Flag interactive use of service accounts and other non-human credentials, because it destroys auditability and often hides privilege escalation. Route those events into identity threat detection and access review workflows.
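The last item above, detecting a person using a machine credential, as an added detection example (not code from the article or from NHIMG): it runs over constructed JSON auth events and flags successful authentications where a principal known to be non-human arrives over an interactive channel. The inventory, the channel names and the `tty` field are assumptions; map them to your own log schema.

```python
import json
from dataclasses import dataclass

# Constructed inventory of principals known to be non-human (not real accounts).
NHI_PRINCIPALS = {"svc-billing-db", "svc-ci-deploy", "api-key-vendor-x"}

# Channels that imply a person at a keyboard or browser. These names and the
# "tty" flag are assumptions for the example, not a real product's schema.
INTERACTIVE_CHANNELS = {"console", "ssh-tty", "web"}

@dataclass(frozen=True)
class Finding:
    principal: str
    channel: str
    src_ip: str
    ts: str

def is_interactive(event: dict) -> bool:
    """True when the session looks human-driven: interactive channel or a TTY."""
    return event.get("channel") in INTERACTIVE_CHANNELS or event.get("tty") is True

def detect_human_use(lines: list[str], nhi: set[str]) -> list[Finding]:
    """Return one Finding per successful interactive authentication by a known NHI.
    Malformed lines are skipped so one bad record does not stop the batch."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("result") != "success":
            continue  # failed attempts are a separate alerting question
        if ev.get("principal") in nhi and is_interactive(ev):
            findings.append(Finding(ev["principal"], ev.get("channel", "?"),
                                    ev.get("src_ip", "?"), ev.get("ts", "?")))
    return findings

# Constructed sample auth events, one JSON object per line (not real logs).
SAMPLE_LOG = [
    '{"ts":"2025-08-26T09:01:02Z","principal":"svc-ci-deploy","channel":"api","result":"success","src_ip":"10.20.0.5"}',
    '{"ts":"2025-08-26T09:03:11Z","principal":"svc-billing-db","channel":"ssh-tty","result":"success","src_ip":"10.99.4.17"}',
    '{"ts":"2025-08-26T09:04:40Z","principal":"alice","channel":"web","result":"success","src_ip":"10.99.4.17"}',
    '{"ts":"2025-08-26T09:05:00Z","principal":"api-key-vendor-x","channel":"console","result":"failure","src_ip":"10.99.4.17"}',
    '{"ts":"2025-08-26T09:06:30Z","principal":"svc-ci-deploy","channel":"ssh-batch","tty":true,"result":"success","src_ip":"10.20.0.9"}',
    'not json at all',
]
```

On the sample, `detect_human_use(SAMPLE_LOG, NHI_PRINCIPALS)` yields two findings: the service account used over an SSH TTY and the CI identity whose batch session unexpectedly allocated a TTY; the human's web login and the failed console attempt are not flagged.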
Key takeaways
- The article shows that NHI risk comes from scale, reuse, and weak lifecycle control, not just from secret leakage.
- Its evidence points to a governance gap where machine identities are created and consumed faster than they are inventoried, reviewed, and retired.
- The most effective response is to treat NHIs as governed identities with ownership, scope, and end-of-life controls, not as disposable technical artifacts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory failures are central to this article's risk model. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control are core to reducing NHI blast radius. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | The article explicitly ties NHI governance to zero trust verification of machine access. |
Treat every machine credential as continuously verifiable and revoke trust when context changes.
Key terms
- Non-Human Identity: A non-human identity is a digital credential used by a machine, application, service, or script to authenticate and access systems. It includes service accounts, API keys, tokens, certificates, and similar secrets. These identities need ownership, scope, monitoring, and retirement just like human accounts.
- NHI Lifecycle Management: NHI lifecycle management is the process of governing a machine identity from creation through use, rotation, and decommissioning. It links provisioning, access review, secret handling, and offboarding so the identity does not outlive its business purpose or accumulate unnecessary privilege.
- Secret Sprawl: Secret sprawl is the uncontrolled spread of credentials across code, tickets, chat tools, documents, and cloud systems. It makes exposure harder to detect and revocation harder to execute because the same secret may exist in multiple places with unclear ownership and inconsistent controls.
- Overprivileged NHI: An overprivileged NHI has more access than its function requires. That excess access increases blast radius because a single exposed token or account can reach systems and data well beyond the original workload, making containment and forensic attribution much harder.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Delinea: Non-human identities are the silent majority. How can you manage and protect them? Read the original.
Published by the NHIMG editorial team on 2025-08-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org