TL;DR: Identity platforms now govern human and non-human access across applications, data, and business processes, according to Saviynt, with separate emphasis on NHI, just-in-time access, identity security posture management, and AI agents. The main issue is not the product label but the expanding control surface, where identity, privilege, and lifecycle governance now overlap across machine and human programmes.
At a glance
What this is: Saviynt positions its platform around governing human and non-human access, with AI agents and NHIs treated as part of the same identity control surface.
Why it matters: That matters because IAM teams now have to align entitlement, lifecycle, and privileged access controls across service accounts, workloads, and emerging agentic systems rather than manage them in separate silos.
By the numbers:
- Over 100 million identities protected, according to Saviynt's own platform figures.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Saviynt's newsroom update on NHI and AI agent identity governance
Context
Saviynt's newsroom framing makes one thing clear: the control problem is no longer limited to workforce identities. The platform message spans human access, non-human access, just-in-time access, identity security posture management, and AI agents, which is a signal that identity programmes are being asked to govern more runtime identities, more privilege paths, and more lifecycle states at once.
For IAM and security teams, that broadening matters because NHI governance is no longer a separate niche concern. Service accounts, tokens, workload access, and AI agent identities now sit inside the same policy, approval, and review workflows that traditionally focused on human users, which raises the bar for visibility, entitlement design, and offboarding discipline.
Key questions
Q: How should security teams govern non-human identities and AI agents in the same programme?
A: Start by treating both as governed identity subjects, but do not assume they need identical controls. Non-human identities need visibility, ownership, rotation, and offboarding. AI agents add runtime decision and tool-use boundaries, so policy must also address delegated actions, approval gates, and revocation of active authority.
Q: Why do service accounts and AI agents create different identity risks?
A: Service accounts are usually non-autonomous and therefore governed through credential scope, privilege, and lifecycle. AI agents can introduce runtime decision-making, which means risk extends beyond the credential itself to the actions the actor can choose to take. That changes how policy, monitoring, and accountability must be designed.
Q: What do security teams get wrong about just-in-time access for machine identities?
A: They often assume JIT alone eliminates risk, when the real issue is whether the underlying identity can still retain broad authority elsewhere. If the workload has lingering tokens, overlapping permissions, or weak revocation, JIT becomes a surface control rather than a governance control.
Q: How do you know if NHI governance is actually working?
A: Look for fewer standing credentials, shorter credential lifetimes, clear ownership, and measurable reductions in secrets stored outside managed systems. If review results do not lead to faster revocation, cleaner offboarding, or narrower privilege, the programme is producing paperwork rather than control.
Technical breakdown
Why identity security posture management is becoming the control layer for NHIs
Identity security posture management, or ISPM, is the attempt to continuously discover, assess, and correct identity risk rather than rely on periodic review alone. For NHIs, that matters because the risky state is often hidden in code, CI/CD, cloud bindings, and third-party integrations. The technical issue is not only whether a credential exists, but whether it has excessive privilege, lacks rotation, or remains reachable in places security teams do not inspect often enough. In practice, ISPM becomes the inventory and policy engine that reveals where the identity model has drifted away from intended governance.
Practical implication: teams need continuous identity visibility tied to entitlement and secret hygiene, not one-off audit snapshots.
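The discovery step above is the part of ISPM that is easiest to automate and most often skipped. The following is an added example written for this post, not Saviynt's code or any product feature: a minimal secret-sprawl inventory pass over a constructed repository snapshot. It reports literal credentials found in code, configuration and CI/CD files, skips lines that reference a managed secret store, and buckets findings by where they live so the result can feed a posture view. The sample files, the `vault:` reference convention and the location buckets are assumptions made for illustration; the AWS access key is the documented AWS example key and every other value is made up.

```python
"""Added example (not Saviynt's implementation): a small secret-sprawl
discovery pass of the kind an ISPM inventory job would run over source,
config and CI/CD files. Paths, contents and conventions are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample repository: path -> file contents. The AWS access key is
# the documented AWS example key; every other value is made up.
SAMPLE_FILES = {
    "app/settings.py": (
        'DATABASE_URL = "postgres://svc_app:Sup3rS3cret@db.internal:5432/app"\n'
        "DEBUG = False\n"
    ),
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    ".github/workflows/ci.yml": (
        "env:\n"
        "  API_TOKEN: ${{ secrets.API_TOKEN }}\n"
        "  SLACK_TOKEN: xoxb-000000000000-000000000000-constructedexampletoken\n"
    ),
    "infra/main.tf": 'provider "aws" {\n  region = "eu-west-1"\n}\n',
}

# Values that point at a managed secret store rather than embedding a secret:
# GitHub Actions `${{ secrets.NAME }}` and an assumed `vault:` reference prefix.
MANAGED_REFERENCE = re.compile(r"\$\{\{\s*secrets\.|\bvault:")

# Detection patterns, checked in order; the first hit on a line is reported.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential_in_url", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    ("assigned_secret", re.compile(
        r'''(?i)(?:api[_-]?key|secret[a-z_]*|token|password|passwd)\s*[:=]\s*['"]?([^'"\s]{8,})''')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    location_class: str   # code | config | ci_cd
    redacted: str         # first four characters only; the secret itself is never stored


def classify_location(path: str) -> str:
    """Bucket a path by how far it sits from the tooling governance normally inspects."""
    if path.startswith(".github/workflows/") or path.endswith((".gitlab-ci.yml", "Jenkinsfile")):
        return "ci_cd"
    if path.endswith((".env", ".tf", ".yml", ".yaml", ".json", ".ini", ".toml")):
        return "config"
    return "code"


def scan_repository(files: dict) -> list:
    """Return one Finding per line carrying a literal credential outside a managed reference."""
    findings = []
    for path, contents in files.items():
        for line_no, line in enumerate(contents.splitlines(), start=1):
            if MANAGED_REFERENCE.search(line):
                continue  # a reference into a secrets manager is the desired state
            for kind, pattern in PATTERNS:
                m = pattern.search(line)
                if m:
                    value = m.group(m.lastindex or 0)
                    findings.append(Finding(path, line_no, kind, classify_location(path), value[:4] + "..."))
                    break
    return findings


def posture_summary(findings: list) -> dict:
    """Count findings by location class, which is what a posture dashboard would chart."""
    return dict(Counter(f.location_class for f in findings))


if __name__ == "__main__":
    results = scan_repository(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.kind} [{f.location_class}] {f.redacted}")
    print(posture_summary(results))
```

On the constructed input the scan reports four findings (one in code, two in config, one in CI/CD) and treats the `${{ secrets.API_TOKEN }}` reference as the desired state rather than a finding. Real scanners use far larger pattern sets and entropy checks; the point here is the shape of the job: continuous, location-aware, and storing only redacted evidence.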
How just-in-time access changes the trust model for machine identities
Just-in-time access reduces standing privilege by issuing access only when a task or approval requires it, then removing it when the task ends. For machine identities, the control is useful but only if the underlying workload or agent has a clear ownership model, short-lived credentials, and a reliable way to revoke access after use. Without that, JIT becomes a cosmetic wrapper around persistent trust. The architecture works best when access is scoped to a specific action path, not to a broad role that outlives the work itself.
Practical implication: pair JIT with tight credential TTLs and explicit revocation so ephemeral access stays truly ephemeral.
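The two failure modes named above (a JIT grant that outlives its task, and a workload that still holds broad authority elsewhere) are easiest to see in code. The following is an added example written for this post, not Saviynt's implementation: a grant broker that issues opaque, task-scoped tokens with a hard TTL ceiling, requires a named owner before issuance, revokes server-side regardless of remaining lifetime, and reports any live grant with no expiry so that lingering standing access is visible next to the JIT grants. The TTL ceiling, subject names, action and resource strings are assumptions for illustration.

```python
"""Added example (not Saviynt's code): a task-scoped, time-boxed grant broker
for machine identities with explicit revocation and a standing-privilege
report. Grant shape, TTL ceiling and identities are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_TTL_SECONDS = 900  # assumed policy ceiling for any machine grant (15 minutes)


@dataclass
class Grant:
    token: str
    subject: str       # workload or agent identity, e.g. "svc-billing-exporter"
    owner: str         # accountable human or team, required before issuance
    action: str        # a single action path, e.g. "s3:GetObject"
    resource: str      # the single resource that action applies to
    issued_at: float
    expires_at: Optional[float]   # None models legacy standing access
    revoked: bool = False


@dataclass
class GrantBroker:
    grants: dict = field(default_factory=dict)   # token -> Grant (all state server-side)
    audit: list = field(default_factory=list)    # append-only decision trail

    def issue(self, subject, owner, action, resource, now, ttl_seconds=None):
        """Issue an opaque reference token scoped to one action on one resource."""
        if not owner:
            raise ValueError("refusing to issue a grant with no accountable owner")
        if ttl_seconds is not None and ttl_seconds > MAX_TTL_SECONDS:
            raise ValueError(f"ttl {ttl_seconds}s exceeds policy ceiling {MAX_TTL_SECONDS}s")
        token = secrets.token_urlsafe(32)
        expires_at = None if ttl_seconds is None else now + ttl_seconds
        self.grants[token] = Grant(token, subject, owner, action, resource, now, expires_at)
        self.audit.append(("issue", subject, action, resource, now))
        return token

    def authorize(self, token, action, resource, now) -> bool:
        """Allow only a live, unrevoked grant whose action path matches exactly."""
        g = self.grants.get(token)
        ok = (
            g is not None
            and not g.revoked
            and (g.expires_at is None or now < g.expires_at)
            and g.action == action
            and g.resource == resource
        )
        self.audit.append(("authorize", g.subject if g else "?", action, resource, now, ok))
        return ok

    def revoke(self, token, now) -> None:
        """Server-side revocation takes effect immediately, whatever TTL remains."""
        g = self.grants[token]
        g.revoked = True
        self.audit.append(("revoke", g.subject, g.action, g.resource, now))

    def standing_privilege_report(self) -> list:
        """Live grants with no expiry: the lingering authority JIT alone does not remove."""
        return sorted(
            (g.subject, g.action, g.resource)
            for g in self.grants.values()
            if not g.revoked and g.expires_at is None
        )


def demo():
    b = GrantBroker()
    t0 = 1_000.0
    obj = "arn:aws:s3:::billing-exports/2025-12.csv"
    jit = b.issue("svc-billing-exporter", "team-finance-platform", "s3:GetObject", obj,
                  now=t0, ttl_seconds=300)
    # A legacy standing grant the same workload still holds elsewhere (constructed).
    legacy = b.issue("svc-billing-exporter", "team-finance-platform", "s3:*", "arn:aws:s3:::*", now=t0)
    results = {
        "in_window": b.authorize(jit, "s3:GetObject", obj, now=t0 + 60),
        "wrong_action": b.authorize(jit, "s3:PutObject", obj, now=t0 + 60),
        "expired": b.authorize(jit, "s3:GetObject", obj, now=t0 + 301),
        "standing": b.standing_privilege_report(),
    }
    b.revoke(legacy, now=t0 + 302)
    results["after_revoke"] = b.authorize(legacy, "s3:*", "arn:aws:s3:::*", now=t0 + 303)
    results["standing_after_revoke"] = b.standing_privilege_report()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the token is a reference, not a bearer credential carrying its own claims: every decision consults server-side state, which is what makes revocation immediate and the standing-privilege report trustworthy. A self-contained signed token with a long lifetime would reintroduce exactly the lingering authority the section warns about.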
What AI agent governance adds to traditional NHI controls
AI agent governance changes the problem because the identity may choose actions and tool calls at runtime, which is different from a static workload credential. That means the security model has to consider delegation, tool authorization, and execution boundaries in the same control plane as identity. When agents can move between data sources or invoke tools dynamically, the identity issue is no longer just possession of a secret. It becomes a question of which runtime actions the identity can originate, under what conditions, and with what review trail.
Practical implication: design policy around runtime authority boundaries, not around static account provisioning alone.
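To make the distinction between credential ownership and runtime authority concrete, the following is an added example written for this post, not Saviynt's code or any product feature: a tool-call gate that records a bounded delegation from a human principal to an agent, checks each tool invocation against that delegation (tool allow-list, per-tool argument constraints, expiry), demands a single-use approval for irreversible tools, supports mid-task revocation, and keeps a decision trail. The tool names, constraint rules, identities and approval identifiers are assumptions for illustration.

```python
"""Added example (not Saviynt's implementation): a runtime authorization gate
for AI agent tool calls. The delegating principal owns the credential; the
delegation bounds what the agent may initiate. Tools and rules are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Tools whose effects are irreversible enough to require a human approval (assumed set).
APPROVAL_REQUIRED = {"transfer_funds", "delete_records"}


@dataclass
class Delegation:
    delegator: str                                     # principal who owns the underlying credential
    agent_id: str                                      # runtime actor that chooses actions
    allowed_tools: Dict[str, Callable[[dict], bool]]   # tool -> predicate over the call arguments
    expires_at: float
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AgentGate:
    delegations: Dict[str, Delegation] = field(default_factory=dict)  # agent_id -> Delegation
    approvals: set = field(default_factory=set)                       # live single-use approval ids
    trail: List[tuple] = field(default_factory=list)                  # (agent, tool, args, Decision)

    def delegate(self, delegator, agent_id, allowed_tools, expires_at):
        self.delegations[agent_id] = Delegation(delegator, agent_id, allowed_tools, expires_at)

    def revoke(self, agent_id):
        """Kill switch: withdraws all active authority the agent holds, mid-task if needed."""
        if agent_id in self.delegations:
            self.delegations[agent_id].revoked = True

    def authorize_tool_call(self, agent_id, tool, args, now, approval_id=None) -> Decision:
        d = self.delegations.get(agent_id)
        if d is None or d.revoked:
            decision = Decision(False, "no active delegation")
        elif now >= d.expires_at:
            decision = Decision(False, "delegation expired")
        elif tool not in d.allowed_tools:
            decision = Decision(False, f"tool {tool} not delegated")
        elif not d.allowed_tools[tool](args):
            decision = Decision(False, f"arguments outside delegated scope for {tool}")
        elif tool in APPROVAL_REQUIRED and approval_id not in self.approvals:
            decision = Decision(False, f"{tool} requires a valid approval")
        else:
            if tool in APPROVAL_REQUIRED:
                self.approvals.discard(approval_id)   # approvals are single-use, so replay fails
            decision = Decision(True, f"delegated by {d.delegator}")
        self.trail.append((agent_id, tool, dict(args), decision))
        return decision


def demo():
    gate = AgentGate()
    agent = "invoice-agent-7"
    gate.delegate(
        delegator="alice@example.com",
        agent_id=agent,
        allowed_tools={
            # constructed constraints: bounded paths, internal recipients, amount ceiling
            "read_document": lambda a: a.get("path", "").startswith("/finance/invoices/"),
            "send_email": lambda a: a.get("to", "").endswith("@example.com"),
            "transfer_funds": lambda a: a.get("amount", 0) <= 10_000,
        },
        expires_at=2_000.0,
    )
    gate.approvals.add("apr-42")   # issued out of band by a human approver (constructed)
    now = 1_500.0

    def call(tool, args, **kw):
        return gate.authorize_tool_call(agent, tool, args, now, **kw).allowed

    r = {
        "read_ok": call("read_document", {"path": "/finance/invoices/2025-12.pdf"}),
        "read_out_of_scope": call("read_document", {"path": "/hr/salaries.csv"}),
        "email_external": call("send_email", {"to": "cfo@evil.example"}),
        "shell_not_delegated": call("run_shell", {"cmd": "id"}),
        "transfer_no_approval": call("transfer_funds", {"amount": 500}),
        "transfer_approved": call("transfer_funds", {"amount": 500}, approval_id="apr-42"),
        "transfer_replayed_approval": call("transfer_funds", {"amount": 500}, approval_id="apr-42"),
    }
    gate.revoke(agent)
    r["read_after_revoke"] = call("read_document", {"path": "/finance/invoices/2025-12.pdf"})
    r["trail_entries"] = len(gate.trail)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the gate does not do: it never inspects the agent's credential. The credential is the delegator's, and possession of it says nothing about whether a given tool call is in scope. Authority lives in the delegation, which can be narrowed, approved per action, or revoked while the agent is mid-task, and every decision lands in the trail whether or not it was allowed.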
NHI Mgmt Group analysis
Identity governance is being pulled from a human-centric model into a mixed runtime model. Saviynt's positioning shows how quickly NHI, workload, and AI agent access are converging inside the same governance stack. That convergence matters because approval, entitlement, and review processes were built around slower identity lifecycles than modern machine access patterns. Practitioners should treat this as a governance architecture shift, not a product feature list.
Secret sprawl remains the structural weakness beneath every identity programme. The largest control failure in machine identity security is still that secrets, tokens, and credentials are often stored in places where governance tools have poor reach. Once that pattern exists, posture management and access control are working against a fragmented trust base. The implication is that visibility into where credentials live is now a prerequisite for any serious identity security programme.
AI agent access will force IAM teams to separate delegation from authorisation. A workload account can be governed as a non-autonomous identity, but an AI agent that chooses actions at runtime introduces a different decision layer. That means identity policy must distinguish who owns the credential from what the actor is allowed to initiate. Practitioners should expect existing IAM models to become insufficient wherever runtime tool use is not pre-scripted.
Zero standing privilege is becoming the more realistic baseline for high-risk machine access. As identity estates grow and non-human identities outnumber humans by orders of magnitude, standing access becomes harder to justify and harder to review. The governance gap is not simply too much access, but too much persistent access that nobody can credibly certify at scale. Teams should treat ZSP as a design target for sensitive machine pathways, not a special-case enhancement.
Identity programmes that still separate human IAM from NHI governance are now carrying hidden risk. The platform direction reflected in Saviynt's messaging is toward unified governance across people, workloads, and agents. That does not mean every control is identical, but it does mean lifecycle and privilege logic can no longer be treated as distinct disciplines. Practitioners should reorganise ownership and reporting so machine identity risk is visible in the same programme view as human access.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For the control framework behind this shift, see NHI Lifecycle Management Guide for the lifecycle processes that turn identity governance into operational practice.
What this signals
Secret sprawl is now the first-order governance problem for machine identity programmes. When credentials live in code, CI/CD, and configuration instead of managed controls, every downstream policy becomes weaker than it looks. That is why teams should prioritise discovery and offboarding discipline before they expand policy complexity or add more review layers.
AI agent identity will force programme owners to revisit their current authorisation boundaries. The more runtime decisions an actor can make, the less useful static role assignment becomes as a complete security model. Teams should align their policy design with runtime authority, then map that model to OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 functions.
NHIs outnumber human identities by 25x to 50x in modern enterprises. That scale means manual governance alone will not produce durable control, even when the process looks mature on paper. The practical response is to automate inventory, privilege reduction, and revocation so the programme keeps pace with its own identity estate.
For practitioners
- Map all non-human access paths to a named owner: Assign accountable owners to service accounts, API tokens, workload credentials, and AI agent access so every identity has a clear lifecycle and review path. Use ownership records to drive recertification and offboarding, especially where third parties or development teams created the access.
- Inventory secret locations outside managed vaults: Search code repositories, configuration files, CI/CD systems, and embedded application settings for long-lived credentials that sit outside secrets managers. Prioritise removal or replacement of exposed credentials before attempting broader policy redesign.
- Reduce standing privilege for machine identities: Replace persistent high-privilege access with just-in-time or task-scoped access wherever the workload supports it. Tie each entitlement to a narrow purpose, short duration, and explicit revocation step so permissions do not survive the work they were created for.
- Separate human review cadence from machine access reality: Do not rely on access review calendars designed for people to govern credentials that can be created, used, and discarded at runtime. Build automated detection and revocation workflows for machine identities because manual certification alone will not keep pace.
Key takeaways
- Saviynt's positioning shows that identity governance is expanding from workforce access into a shared control model for NHIs, workloads, and AI agents.
- The largest practical risk remains secret sprawl, because credentials stored outside managed systems undermine every downstream access decision.
- Teams should move toward ownership, short-lived privilege, and automated revocation if they want machine identity governance to operate at enterprise scale.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI2:2025 Secret Leakage; NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Secret sprawl, long-lived credentials, overprivilege and offboarding discipline are the article's core NHI governance concerns. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services and hardware are managed); PR.AA-05 (access permissions and entitlements are defined in policy, managed, enforced and reviewed under least privilege) | The piece centres on managing identity, credentials and entitlements across humans and machines. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenets of zero trust: per-session access, least privilege, access decided by dynamic policy | Just-in-time access and zero standing privilege align with zero-trust identity design. |
Map machine and human access to established identity governance processes and verify ownership.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, workloads, and agents. In governance terms, it must be owned, scoped, reviewed, rotated, and retired like any other privileged identity.
- Identity Security Posture Management: Identity Security Posture Management is the continuous discovery and assessment of identity risk across accounts, entitlements, credentials, and privilege paths. For NHIs, it is the control layer that exposes hidden secrets, overprivilege, and lifecycle drift before they become breach conditions.
- Just-in-Time Access: Just-in-Time Access is a pattern that grants privilege only when a task requires it and removes it soon after. For non-human and autonomous identities, the control only works when the credential lifetime, scope, and revocation path are tightly enforced and independently observable.
- Zero Standing Privilege: Zero Standing Privilege is a governance model in which no identity retains permanent elevated access. Instead, privilege is issued on demand, constrained to the task, and removed when the work ends, which reduces the attack surface created by persistent machine and human credentials.
What's in the full article
Saviynt's full newsroom post covers the operational detail this post intentionally leaves for the source:
- Platform framing across identity security posture management, just-in-time access, and machine identity governance
- Product and solution areas named in the newsroom, including NHI, MCP, and ISPM for AI agents
- The company's own scope across applications, data, and business processes for human and non-human access
- Brand and market context around how Saviynt positions its identity platform and customer base
👉 Saviynt's full newsroom post covers the platform scope and product areas named in the announcement.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org