TL;DR: Machine identities, secrets, and AI agents are spreading across code, vaults, chat tools, and cloud services; SailPoint’s announcement of its acquisition of Entro cites Entro’s discovery coverage of 1,200 NHI types across 70-plus sources. The control question is no longer visibility alone, but how far identity governance can reach into runtime access, ownership, and remediation before exposure becomes unmanageable.
At a glance
What this is: SailPoint’s acquisition of Entro is an identity-security consolidation play focused on NHI discovery, ownership mapping, lifecycle control, and runtime remediation.
Why it matters: It matters because IAM teams now have to govern machine and agent identities as a lifecycle problem, not just as scattered secrets and entitlements.
By the numbers:
- Entro discovers over 1,200 types of NHIs across 70+ critical cloud and developer infrastructure sources.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
👉 Read SailPoint’s analysis of the Entro acquisition and NHI governance impact
Context
SailPoint’s acquisition of Entro reflects a broader NHI governance problem: organisations can no longer assume that machine identities live only in code repositories or vaults. Secrets now appear in pipelines, collaboration tools, container registries, and cloud services, which means identity control has to follow the credential wherever it shows up.
For IAM and security teams, the issue is not discovery in isolation. The harder problem is tying tokens, keys, certificates, and AI agent activity back to an accountable owner, then governing their lifecycle, access scope, and revocation path across human, machine, and autonomous environments. That is where fragmented NHI programmes typically fail.
The central theme here is NHI governance, and this deal is best understood as a test of whether identity platforms can stretch from access review into runtime controls without losing operational clarity. The question is not vendor scale for its own sake, but how far governance can reach once identities become distributed and machine-led.
Key questions
Q: What fails when leaked machine credentials are discovered but not owned?
A: Discovery without ownership leaves machine identities outside governance. Security teams may know a token or key exists, but they cannot recertify it, assign accountability, or retire it cleanly. That creates a blind spot where exposure is visible but action is stalled, which is how stale credentials remain usable long after they should have been revoked.
Q: Why do NHIs make access review harder than human identity review?
A: NHIs often exist in more places than a human account and can be created or copied without a clear lifecycle record. Access review becomes harder because reviewers need context about purpose, owner, privilege scope, and where the credential is embedded. Without that context, the review is administrative rather than governance-driven.
Q: What breaks when secrets are left outside the normal identity lifecycle?
A: When secrets are not tied to lifecycle processes, they outlive the workload, team, or application that created them. That breaks offboarding, rotation, and revocation, and it increases the chance that dormant credentials will be reused in later incidents. The result is persistent access that no one is formally responsible for.
Q: Who should own NHI revocation when exposure is detected?
A: The accountable system owner should own revocation, with identity and security teams enforcing policy and verifying completion. If ownership is unclear, revocation slows down and the credential remains available for reuse. Clear assignment is essential because machine identities do not self-retire when their business purpose ends.
How it works in practice
NHI discovery across code, vaults, and collaboration tools
NHI discovery is the process of finding non-human identities where they actually exist, not where teams expect them to exist. In modern environments that means scanning source code, CI/CD pipelines, vaults, container registries, chat tools, and SaaS audit logs for keys, tokens, certificates, and agent configuration artefacts. The architectural point is that secrets sprawl is now multi-surface, so single-source inventory models undercount real exposure. Discovery also needs classification, because a found credential is not yet governed until it is linked to usage, ownership, and lifecycle state.
Practical implication: build discovery coverage across code, collaboration, and cloud layers before attempting policy enforcement.
Human ownership and lineage for machine identities
Machine identities become governable when they are connected to a human owner, system owner, or service owner with clear accountability. Lineage mapping ties a secret, workload identity, or AI agent back to the person or team responsible for creation, use, approval, and retirement. Without that relationship, access reviews become a list of objects with no decision context. This is why ownership enrichment matters as much as raw discovery: it turns inventory into governance evidence and creates a path for recertification, offboarding, and incident response.
Practical implication: require every NHI to resolve to a named owner before it enters access review or offboarding workflows.
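To make the two preceding sections concrete, here is an added example (not Entro’s or SailPoint’s code, and not part of the original post) that scans constructed artefacts from several surfaces, classifies what it finds, and then resolves each finding to an owner through a lineage map. The detection patterns, the artefacts, the `exk_` key prefix, the owner names, and the secret values are all constructed for the example; the point is that a finding is only counted as governed once it resolves to an accountable owner.

```python
"""Multi-surface NHI discovery with ownership resolution.

Added example (not Entro's or SailPoint's code). It scans constructed
artefacts from four surfaces (source code, a CI pipeline definition, a
chat export, a ticket), extracts credential-shaped strings, and resolves
each finding to an owner through a lineage map keyed on a hash of the
secret. Findings with no owner are flagged as orphaned so they can be
held back from access review until accountability is assigned.
Patterns, artefacts, owners, and secret values are all constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed secret-shaped patterns. A production scanner carries a far
# larger rule set; these are only enough to show multi-surface classification.
PATTERNS = {
    "api_key": re.compile(r"\bexk_[A-Za-z0-9]{16,}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._-]{20,})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed artefacts, keyed as "<surface>:<location>".
ARTEFACTS = {
    "code:billing/settings.py": 'PAYMENTS_KEY = "exk_4fd9a1c8b2e7d6f0a3b5"\n',
    "ci:.github/workflows/deploy.yml":
        "env:\n  TOKEN: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig\n",
    "chat:#ops-incidents": "can someone rotate exk_9c1e2d3f4a5b6c7d8e9f? still in prod",
    "chat:#random": "lunch at 12?",
    "ticket:OPS-1234": "attaching the cert:\n-----BEGIN RSA PRIVATE KEY-----\n(redacted)",
}

def fingerprint(secret: str) -> str:
    """Hash the raw secret so lineage records never store the value itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

# Lineage map: fingerprint -> accountable owner and workload. In a real
# programme this comes from vault metadata, CODEOWNERS, or a CMDB (constructed here).
LINEAGE = {
    fingerprint("exk_4fd9a1c8b2e7d6f0a3b5"): {"owner": "team-payments", "workload": "billing-api"},
    fingerprint("eyJhbGciOiJIUzI1NiJ9.constructed.sig"): {"owner": "team-platform", "workload": "deploy-runner"},
}

@dataclass
class Finding:
    surface: str
    location: str
    kind: str
    fingerprint: str
    owner: Optional[str] = None
    workload: Optional[str] = None

    @property
    def governance_state(self) -> str:
        # A credential counts as governed only once it resolves to an owner.
        return "governed" if self.owner else "orphaned"

def discover(artefacts: Dict[str, str]) -> List[Finding]:
    """Run every pattern over every artefact, regardless of surface."""
    findings: List[Finding] = []
    for key, content in artefacts.items():
        surface, _, location = key.partition(":")
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(surface, location, kind, fingerprint(value)))
    return findings

def resolve_ownership(findings: List[Finding], lineage: Dict[str, dict]) -> List[Finding]:
    """Attach owner and workload where the lineage map knows the secret."""
    for f in findings:
        record = lineage.get(f.fingerprint)
        if record:
            f.owner, f.workload = record["owner"], record["workload"]
    return findings

def summarize(findings: List[Finding]) -> dict:
    """Count findings per surface and list the ones nobody owns yet."""
    by_surface: Dict[str, int] = {}
    for f in findings:
        by_surface[f.surface] = by_surface.get(f.surface, 0) + 1
    orphaned = [f"{f.surface}:{f.location}" for f in findings if f.governance_state == "orphaned"]
    return {"total": len(findings), "by_surface": by_surface, "orphaned": orphaned}

if __name__ == "__main__":
    print(summarize(resolve_ownership(discover(ARTEFACTS), LINEAGE)))
```

Run as-is, the report shows four findings spread evenly across code, CI, chat, and ticketing, with the chat-posted key and the ticket-attached private key orphaned: those two would be held out of recertification until an owner is assigned, which is the gating rule the ownership section describes.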
Runtime policy enforcement for tokens, keys, and AI agents
Runtime policy enforcement moves NHI security beyond periodic review and into action-level control. Instead of merely detecting that a credential exists, the control layer can block unauthorized tool calls, restrict privilege drift, and trigger revocation when behaviour deviates from policy. For AI agents, this matters because access can be exercised dynamically, not just used in a fixed workflow. For classic machine identities, it limits what an exposed credential can do after discovery. The important distinction is between knowing a secret exists and being able to constrain what it can do in session.
Practical implication: pair discovery with policy enforcement that can stop misuse before the credential completes its task.
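As an added illustration of action-level control (example code written for this post, not SailPoint’s or Entro’s product logic), the gate below checks every tool call an agent or service identity makes against a per-identity policy while the session is running. Calls outside the allowed tools or above the granted scope are blocked, repeated drift triggers revocation, and a revoked identity is denied everything until re-issued. The identities, tool names, scope ranking, and the two-strike revocation threshold are all constructed assumptions.

```python
"""Runtime policy gate for NHI and agent tool calls (constructed example).

Each identity carries a policy: the tools it may call and the maximum scope
per tool. Every call is checked in session rather than at review time.
Out-of-policy calls are blocked, repeated drift triggers revocation, and a
revoked identity is denied until re-issued. Identities, tools, and the
revocation threshold are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Scope ordering used to detect privilege drift (constructed).
SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}

@dataclass
class Policy:
    allowed_tools: Dict[str, str]   # tool name -> maximum permitted scope
    revoke_after: int = 2           # violations in session before revocation

@dataclass
class Decision:
    identity: str
    tool: str
    scope: str
    allowed: bool
    reason: str

@dataclass
class PolicyGate:
    policies: Dict[str, Policy]
    violations: Dict[str, int] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)
    audit: List[Decision] = field(default_factory=list)

    def check(self, identity: str, tool: str, scope: str) -> Decision:
        """Decide a single call; every outcome is recorded in the audit trail."""
        if identity in self.revoked:
            return self._deny(identity, tool, scope, "identity revoked")
        policy = self.policies.get(identity)
        if policy is None:
            return self._deny(identity, tool, scope, "no policy: unknown identity")
        max_scope = policy.allowed_tools.get(tool)
        if max_scope is None:
            return self._drift(identity, tool, scope, policy, "tool not permitted")
        if SCOPE_RANK[scope] > SCOPE_RANK[max_scope]:
            return self._drift(identity, tool, scope, policy,
                               f"scope {scope} exceeds granted {max_scope}")
        decision = Decision(identity, tool, scope, True, "within policy")
        self.audit.append(decision)
        return decision

    def _drift(self, identity, tool, scope, policy, reason) -> Decision:
        # Count drift per identity; revoke once the threshold is reached.
        count = self.violations.get(identity, 0) + 1
        self.violations[identity] = count
        if count >= policy.revoke_after:
            self.revoked.add(identity)
            reason += "; revocation triggered"
        return self._deny(identity, tool, scope, reason)

    def _deny(self, identity, tool, scope, reason) -> Decision:
        decision = Decision(identity, tool, scope, False, reason)
        self.audit.append(decision)
        return decision

# Constructed policies for one AI agent and one classic service identity.
POLICIES = {
    "agent:ticket-triage": Policy({"jira.search": "read", "jira.comment": "write"}),
    "svc:backup-runner": Policy({"s3.get": "read", "s3.put": "write"}),
}

# Constructed session: the agent drifts twice and is cut off mid-task.
SESSION: List[Tuple[str, str, str]] = [
    ("agent:ticket-triage", "jira.search", "read"),
    ("agent:ticket-triage", "jira.comment", "write"),
    ("agent:ticket-triage", "jira.delete", "admin"),   # tool not in policy
    ("agent:ticket-triage", "jira.comment", "admin"),  # scope drift -> revoked
    ("agent:ticket-triage", "jira.search", "read"),    # denied: already revoked
    ("svc:backup-runner", "s3.get", "read"),
]

def run_session(gate: PolicyGate, calls) -> List[Decision]:
    return [gate.check(*call) for call in calls]

def blocked_count(decisions: List[Decision]) -> int:
    return sum(1 for d in decisions if not d.allowed)

if __name__ == "__main__":
    gate = PolicyGate(POLICIES)
    for d in run_session(gate, SESSION):
        print(f"{'ALLOW' if d.allowed else 'BLOCK'} {d.identity} {d.tool}:{d.scope} ({d.reason})")
```

The design point is that the fifth call, which would have been perfectly in-policy on its own, is still denied: once drift has triggered revocation the identity cannot finish its task, which is the "stop misuse before the credential completes its task" property the section asks for. The service identity is unaffected because violations are tracked per identity.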
NHI Mgmt Group analysis
NHI governance is shifting from inventory to control plane. Discovery alone no longer answers the operational question, because modern secrets move across code, collaboration, and cloud systems before teams can review them. The decisive change is that identity governance must now see, classify, and constrain machine credentials in the same motion. Practitioners should treat NHI discovery as the start of control, not the finish line.
Ownership is the difference between finding a secret and governing one. A token with no accountable owner cannot be recertified, offboarded, or investigated with confidence. Entro’s focus on lineage reflects a deeper field reality: NHIs fail governance when identity artefacts are technically visible but administratively orphaned. The implication is that lifecycle governance for machine identities must be built around accountability first, not inventory volume.
Runtime enforcement is becoming the real boundary of NHI security. Periodic review cannot keep pace with secrets that appear in pipelines, tickets, chat, and AI workflows. The field now needs controls that can reduce blast radius after discovery and stop misuse while a task is still in motion. That is where NHI governance is heading, and practitioners should re-evaluate whether their current programme can act before privilege is exercised, not only after it is reported.
Identity blast radius: The relevant governance problem is not how many secrets exist, but how much access each exposed credential can reach before it is contained. That concept applies equally to service accounts, API keys, certificates, and AI-agent credentials. Practitioners should measure their programme by how quickly blast radius shrinks after exposure, not by the size of the discovered inventory.
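The blast-radius idea can be made measurable. The block below is an added example for this post (not code from SailPoint, Entro, or the original article) that treats grants as a graph, counts the resources an exposed credential can reach, including resources reachable through further credentials it can read, and then reports how far that reach shrinks after containment and how long containment took. The graph, the node names, and the timestamps are constructed.

```python
"""Identity blast radius over a constructed permission graph.

Added example. Blast radius is the set of resources a credential can reach,
directly through its grants or transitively through resources that hold
further credentials (a CI key that can read a vault path, for example).
Containment removes the exposed credential's grants and those of every
credential it could have harvested, and is measured both as the drop in
reachable resources and as exposure-to-revocation time. Graph, names, and
timestamps are constructed for this example.
"""
from collections import deque
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Subject -> things it can reach. Nodes prefixed "key:"/"token:" are
# credentials; a resource that stores credentials points at them.
GRAPH: Dict[str, List[str]] = {
    "key:ci-deploy":     ["bucket:release-artifacts", "vault:ci/*"],
    "vault:ci/*":        ["key:db-migrator", "key:registry-push"],
    "key:db-migrator":   ["db:customers", "db:orders"],
    "key:registry-push": ["registry:app-images"],
    "token:chat-bot":    ["chat:#ops-incidents"],
}

def _is_credential(node: str) -> bool:
    return node.startswith(("key:", "token:"))

def reach(graph: Dict[str, List[str]], identity: str) -> Tuple[Set[str], Set[str]]:
    """Breadth-first walk from an identity; returns (resources, credentials) reached."""
    seen, queue = {identity}, deque([identity])
    resources: Set[str] = set()
    credentials: Set[str] = set()
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            (credentials if _is_credential(nxt) else resources).add(nxt)
            queue.append(nxt)
    return resources, credentials

def blast_radius(graph, identity) -> Set[str]:
    return reach(graph, identity)[0]

def downstream_credentials(graph, identity) -> Set[str]:
    """Credentials the exposed identity could have harvested; rotate these too."""
    return reach(graph, identity)[1]

def contain(graph, identity) -> Dict[str, List[str]]:
    """Return a graph with the exposed identity and its downstream credentials revoked."""
    revoked = {identity} | downstream_credentials(graph, identity)
    return {k: v for k, v in graph.items() if k not in revoked}

def hours_to_containment(detected_at: str, revoked_at: str) -> float:
    """Exposure-to-revocation time from ISO-8601 timestamps."""
    delta = datetime.fromisoformat(revoked_at) - datetime.fromisoformat(detected_at)
    return delta.total_seconds() / 3600

def containment_report(graph, identity, detected_at, revoked_at) -> dict:
    before = blast_radius(graph, identity)
    after = blast_radius(contain(graph, identity), identity)
    return {
        "identity": identity,
        "resources_before": len(before),
        "resources_after": len(after),
        "credentials_to_rotate": sorted(downstream_credentials(graph, identity)),
        "hours_to_containment": hours_to_containment(detected_at, revoked_at),
    }

if __name__ == "__main__":
    # Constructed incident timeline for the leaked CI key.
    print(containment_report(GRAPH, "key:ci-deploy",
                             "2026-06-29T09:00:00+00:00", "2026-06-29T13:30:00+00:00"))
```

On this graph the leaked CI key reaches five resources, not the two it is directly granted, because the vault path it can read holds two further keys. That is why the report lists credentials to rotate alongside the revocation: revoking only the leaked key leaves the harvested downstream keys usable, and the blast radius has not really shrunk.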
The agentic era makes NHI lifecycle controls non-optional. As AI agents and machine identities become more common, access review, offboarding, and revocation stop being administrative chores and become operational security controls. The acquisition reinforces a market direction in which governance platforms must understand both machine identity and the runtime behaviour attached to it. Practitioners should align lifecycle design to the identities that actually act in the environment.
From our research:
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks, according to State of Secrets Sprawl 2026.
- In the same research, 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows why discovery without automated revocation leaves real exposure in place.
- For practitioners working through the operational side of this problem, Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs is the natural next reference point for ownership, rotation, and offboarding.
What this signals
Identity blast radius is the metric that will matter most as NHI inventories keep expanding. When secrets can be found in chat tools, CI/CD, and cloud systems, programme maturity depends on how fast exposure can be narrowed, not just how fast it can be detected.
With 28% of secrets incidents now originating outside code repositories, teams should stop treating source control as the centre of the problem and start treating collaboration systems and developer workflows as first-class identity surfaces.
The next governance step is to connect discovery, ownership, and enforcement into one operating model. That means aligning NHI controls with lifecycle management and using the OWASP Agentic AI Top 10 where AI agents can initiate actions at runtime.
For practitioners
- Expand discovery beyond repositories: Scan code, vaults, chat platforms, CI/CD systems, and cloud audit logs for keys, tokens, certificates, and agent files so exposed credentials are not missed in non-code locations.
- Require ownership before recertification: Map every discovered NHI to a human or service owner before it enters access review, because orphaned credentials cannot be offboarded or investigated cleanly.
- Combine discovery with runtime policy: Enforce action-level controls that can block unauthorised tool calls, limit privilege drift, and trigger revocation when behaviour moves outside approved scope.
- Shorten the exposure-to-revocation path: Prioritise workflows that move from detection to containment quickly, especially when leaked secrets can be acted on outside the codebase and outside business hours.
Key takeaways
- SailPoint’s acquisition of Entro spotlights the shift from discovering secrets to governing their lifecycle, ownership, and runtime use.
- The evidence points to a wider exposure surface, with NHI secrets increasingly appearing outside repositories and remaining exploitable long after discovery.
- Practitioners should judge NHI controls by how quickly they can constrain blast radius, not by how many credentials they can enumerate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret discovery and lifecycle gaps that expose machine identities. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access attributes need ownership and governance context. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and continuous verification are central to runtime NHI control. |
Map discovered secrets to NHI-03 and enforce rotation and revocation once exposure is detected.
Key terms
- Non-human identity: A non-human identity is a digital identity used by software, workloads, devices, secrets, or AI agents to authenticate and act. It is governed through ownership, lifecycle control, and privilege scope, just like a human account, but it often appears across code, cloud, and collaboration systems.
- Identity blast radius: Identity blast radius is the amount of access, data, and downstream control that a single credential or identity can reach if it is exposed or misused. For NHIs, it is the most useful way to judge how dangerous a secret becomes once discovery has failed or been delayed.
- Lineage mapping: Lineage mapping links a machine identity back to the owner, system, or business process that created it and depends on it. This gives security and IAM teams the context needed for recertification, offboarding, and incident response instead of leaving credentials as anonymous objects.
- Runtime policy enforcement: Runtime policy enforcement is the ability to constrain or stop an identity while it is acting, rather than only reviewing it after the fact. In NHI governance, that means blocking unauthorized calls, limiting drift, and revoking access when behaviour moves outside approved intent.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Adding a world-class striker to the SailPoint portfolio: How Entro is raising our game. Read the original.
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org