TL;DR: Identiverse 2025 conversations highlighted a shift from identity governance to identity intelligence as machine identities, shadow AI, and real-time policy enforcement became central concerns, according to Zluri. The governance model is changing because visibility without action is no longer enough for NHIs, AI agents, and human access programmes.
At a glance
What this is: This is Zluri’s take on Identiverse 2025, centred on shadow AI, machine identities, and the move from visibility to real-time identity action.
Why it matters: It matters because IAM teams now have to govern service accounts, AI tools, and human access as one operating surface, not separate queues.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read Zluri's analysis of Identiverse 2025 identity intelligence themes
Context
Shadow AI and machine identities are no longer edge cases in identity programmes. They now sit in the same control plane as human access, but traditional IAM processes were built around managers, tickets, and review cycles that do not map cleanly to service accounts or AI-driven access paths.
The primary issue is not discovery alone. It is the gap between seeing an identity relationship and acting on it quickly enough to reduce exposure, especially when access changes faster than governance workflows can certify or revoke it.
Key questions
Q: How should security teams govern shadow AI that connects to corporate systems?
A: Security teams should treat shadow AI as an identity governance problem, not just an application discovery problem. If an AI tool authenticates to SaaS apps or internal systems, it needs ownership, lifecycle tracking, and revocation paths. The goal is to map the access relationship, assign accountability, and remove unmanaged permissions before they become persistent.
Q: Why do machine identities force IAM teams to change review processes?
A: Machine identities change the pace of governance because they can be created, used, and abandoned faster than periodic access reviews can respond. IAM teams need live entitlement signals, not only certifications, because service accounts and AI-connected access can outlive the business event that created them. That makes continuous control more useful than retrospective approval.
Q: What do organisations get wrong about visibility in identity governance?
A: They often assume that seeing an identity relationship is the same as controlling it. Visibility is only useful when it leads to a decision, such as revoking access, tightening policy, or assigning ownership. Without that action layer, dashboards simply document exposure after the fact.
Q: How can identity teams keep pace with access changes in modern environments?
A: Identity teams should connect policy enforcement to live events such as role changes, new integrations, and unexpected privilege grants. That approach reduces the delay between detection and remediation, which is where many governance failures occur. It also works better for NHIs and AI-connected access than quarterly review cycles do.
Technical breakdown
Why identity intelligence matters when identity surfaces keep changing
Identity intelligence combines discovery, context, and action. In practice, that means an identity platform has to recognise who or what is connected, understand whether the access is expected, and trigger a response before the risk persists. For NHIs, that includes service accounts, API keys, tokens, and delegated SaaS access. For human IAM, it means the same control model must also account for role drift and orphaned privileges. The technical shift is from periodic review to event-driven governance, where policy decisions are tied to live identity signals rather than static exports.
Practical implication: move from spreadsheet-driven reviews to event-triggered governance for human and machine identities.
How shadow AI creates ungoverned identity relationships
Shadow AI appears when employees connect AI tools directly to corporate systems without central approval or visibility. The identity risk is not the AI label itself, but the untracked authentication path it creates. Once a tool can reach SaaS apps, data stores, or workflows, it may hold credentials, tokens, or delegated permissions that sit outside normal onboarding and offboarding. That breaks the assumptions behind access reviews, because the business now has active machine access that no one formally owns. Discovery tools help, but only if they can classify the relationship and map it to policy in real time.
Practical implication: classify unmanaged AI connections as identity assets and bring them into lifecycle control immediately.
Real-time policy enforcement versus delayed access review
Traditional access governance depends on human-paced review cycles, but that model is too slow for environments where entitlements change continuously. Real-time policy enforcement works by correlating signals such as role change, app connection, privilege escalation, or unexpected write access, then applying controls the moment a rule is violated. This is especially relevant for NHI and automated workflows, where access can be created, used, and forgotten before a quarterly certification even starts. The mechanism is less about dashboards and more about closing the loop between detection and remediation inside the same control workflow.
Practical implication: define policy triggers that can revoke or restrict access as soon as risky conditions appear.
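The three sections above (discovery, context, action; shadow AI as an untracked authentication path; real-time enforcement that correlates signals and acts in the same workflow) describe an event-driven policy loop without showing one. The following is an added illustration written for this page, not code from Zluri or NHIMG. The event schema, the allow-list of sanctioned clients, the three rules, the two-second enforcement latency and every sample event are constructed assumptions; a real deployment would feed the engine from SaaS audit logs, cloud IAM events and an IdP, and the actions would call revocation APIs instead of recording a decision.

```python
"""Event-driven identity policy engine (added example; schema, rules and events are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime                  # when the access change happened
    kind: str                     # "app_connected" | "nhi_created" | "grant_added"
    principal: str                # user or NHI the access belongs to
    principal_type: str           # "human" | "nhi"
    resource: str                 # system reached (SaaS tenant, repo host, ...)
    scopes: frozenset             # permissions granted by this change
    client: Optional[str] = None  # tool or app acting on the principal's behalf
    owner: Optional[str] = None   # accountable owner on record, if any
    approved: bool = False        # a change ticket or approval exists


@dataclass(frozen=True)
class Decision:
    event: IdentityEvent
    action: str                   # "revoke" | "restrict" | "assign_owner" | "allow"
    reason: str
    decided_at: datetime


# Hypothetical allow-list of approved integrations, and scopes treated as write-capable.
SANCTIONED_CLIENTS = {"approved-ai-assistant", "ci-runner"}
WRITE_SCOPES = {"write", "admin", "repo:write", "files:write"}


def unsanctioned_client(ev):
    """Shadow AI: a tool nobody approved now holds a delegated grant."""
    if ev.client and ev.client not in SANCTIONED_CLIENTS:
        return "revoke", f"unsanctioned client {ev.client} reached {ev.resource}"


def unapproved_write(ev):
    """Write or admin scope granted with no approval record."""
    if ev.scopes & WRITE_SCOPES and not ev.approved:
        return "restrict", f"unapproved {sorted(ev.scopes & WRITE_SCOPES)} on {ev.resource}"


def ownerless_nhi(ev):
    """A service account or token with no owner cannot be offboarded by anyone."""
    if ev.principal_type == "nhi" and ev.owner is None:
        return "assign_owner", f"NHI {ev.principal} has no owner on record"


RULES = [unsanctioned_client, unapproved_write, ownerless_nhi]   # ordered; first match wins


class PolicyEngine:
    """Decides on each event as it arrives and suppresses repeat findings."""

    def __init__(self, rules=RULES, latency=timedelta(seconds=2)):
        self.rules, self.latency = rules, latency   # latency: assumed event-to-enforcement delay
        self._seen = set()
        self.decisions = []

    def handle(self, ev: IdentityEvent) -> Optional[Decision]:
        action, reason = "allow", "no rule matched"
        for rule in self.rules:
            hit = rule(ev)
            if hit:
                action, reason = hit
                break
        key = (ev.principal, ev.client, ev.resource, action)
        if key in self._seen:          # same relationship, same finding: no second ticket
            return None
        self._seen.add(key)
        d = Decision(ev, action, reason, ev.ts + self.latency)
        self.decisions.append(d)
        return d


def run(events):
    engine = PolicyEngine()
    for ev in sorted(events, key=lambda e: e.ts):
        engine.handle(ev)
    return engine.decisions


def max_action_gap_seconds(decisions):
    """Identity action gap: longest delay between an access change and its enforced decision."""
    return max((d.decided_at - d.event.ts).total_seconds() for d in decisions)


T0 = datetime(2025, 9, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [   # constructed sample events for one morning
    # An employee OAuths an unapproved AI note-taker into the Salesforce tenant.
    IdentityEvent(T0, "app_connected", "alice@example.com", "human", "salesforce",
                  frozenset({"read", "files:write"}), client="ai-notetaker", owner="alice@example.com"),
    # A deploy token is minted with repo:write; approved, but nobody owns it.
    IdentityEvent(T0 + timedelta(minutes=5), "nhi_created", "svc-ci-deploy", "nhi", "github",
                  frozenset({"repo:write"}), approved=True),
    # A role change grants admin on Salesforce with no approval record.
    IdentityEvent(T0 + timedelta(minutes=12), "grant_added", "bob@example.com", "human",
                  "salesforce", frozenset({"admin"}), owner="bob@example.com"),
    # The same note-taker reconnects: duplicate finding, must not open a second decision.
    IdentityEvent(T0 + timedelta(minutes=15), "app_connected", "alice@example.com", "human",
                  "salesforce", frozenset({"read", "files:write"}), client="ai-notetaker", owner="alice@example.com"),
    # Approved read-only assistant: nothing to do.
    IdentityEvent(T0 + timedelta(minutes=20), "app_connected", "carol@example.com", "human",
                  "google-drive", frozenset({"read"}), client="approved-ai-assistant", owner="carol@example.com", approved=True),
]

if __name__ == "__main__":
    for d in run(SAMPLE_EVENTS):
        print(f"{d.decided_at:%H:%M:%S} {d.action:<12} {d.event.principal:<20} {d.reason}")
    print("action gap (s):", max_action_gap_seconds(run(SAMPLE_EVENTS)))
```

Run stand-alone it prints one decision per distinct finding (revoke, assign_owner, restrict, allow) and an action gap of two seconds; the same five events waiting for a quarterly certification would carry a gap measured in weeks. The ordering of the rules matters: the shadow AI connection also carries an unapproved write scope, but revocation of an unsanctioned client is the stronger control, so it is evaluated first.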
NHI Mgmt Group analysis
Identity intelligence is becoming the operating model because visibility alone does not change risk. The article reflects a real shift in the field: CISOs no longer want another inventory, they want systems that translate identity context into enforcement. That is a governance change, not just a tooling preference. Practitioners should treat identity intelligence as the bridge between discovery and control.
Shadow AI expands the non-human identity problem into places legacy IAM does not monitor well. When employees connect AI tools directly to corporate systems, the organisation inherits new identity relationships without the usual approval, ownership, or offboarding discipline. That is why the issue is broader than application sprawl. Practitioners should expect identity governance to cover AI-connected access paths the same way it covers service accounts and third-party integrations.
Traditional identity frameworks were designed for human-paced review, not machine-paced access creation. Service accounts and AI agents can outnumber human users while changing faster than certification cadences can keep up. That means the control model is misaligned with the actor type. Practitioners should rethink governance around live entitlement state, not just periodic attestations.
Named concept: identity action gap. The article captures the gap between discovering an identity relationship and actually remediating it before exposure persists. That gap is now one of the most important failure modes in modern IAM because it turns visibility into a passive metric instead of an operational control. Practitioners should measure how fast identity signals become enforced decisions.
Machine identities are no longer a side programme, they are part of enterprise identity architecture. The presence of a dedicated NHI Pavilion at Identiverse reflects category maturity, but also category pressure. Service accounts, API keys, and AI agents now sit inside the same governance perimeter as human access. Practitioners should align IAM, IGA, PAM, and NHI governance around one shared operating model.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For lifecycle and offboarding detail, see NHI Lifecycle Management Guide for the provisioning, rotation, and revocation discipline that closes exposure windows.
What this signals
Identity action gap: programmes that can discover shadow AI but cannot remediate it in the same workflow will keep producing backlog, not risk reduction. The practical test is whether a new identity relationship can be classified, owned, and constrained before the next business process touches it.
Identity teams should expect machine identities to keep expanding faster than manual governance cadences. With NHIs outnumbering human identities by 25x to 50x, the operating assumption has to change from periodic review to continuous lifecycle control.
The next maturity step is to connect discovery, policy, and offboarding across human access, service accounts, and AI-connected access paths. That is where frameworks such as the NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10 become operational rather than theoretical.
For practitioners
- Build one inventory for human and machine identities: unify discovery across SaaS apps, cloud platforms, service accounts, API keys, and AI-connected tools so governance teams can see the full identity surface in one place.
- Classify shadow AI as an identity governance issue: treat unsanctioned AI tools as active identity relationships when they authenticate to corporate systems, because the risk sits in delegated access and offboarding gaps, not in the model alone.
- Trigger policy from live identity context: use role changes, new write permissions, and unexpected app connections as control triggers so risky access is restricted before the next review cycle.
- Extend lifecycle controls to NHIs and AI connections: apply onboarding, ownership, review, and revocation steps to service accounts and AI-linked access paths so machine identities do not remain outside normal governance.
Key takeaways
- Identity governance is shifting from inventory to action, because visibility without enforcement leaves access risk untouched.
- Shadow AI extends the NHI problem into unmanaged access paths that traditional IAM review cycles do not catch quickly enough.
- Practitioners should align lifecycle controls, policy triggers, and ownership across human, machine, and AI-connected identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shadow AI tools and unmanaged service accounts create ungoverned NHI credentials and delegated access, which is the attack surface the Top 10 enumerates. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Live access governance and role change handling map directly to the access permission and entitlement management controls. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets (continuous verification) | The post argues for continuous verification across human and machine access relationships. |
Track secret ownership and rotation gaps, then remove unmanaged credentials from code and CI/CD paths.
Key terms
- Identity Intelligence: Identity intelligence is the practice of turning identity data into enforceable decisions rather than static reports. It combines discovery, context, policy, and remediation so teams can respond to access risk in near real time across human users, machine identities, and AI-connected access paths.
- Shadow AI: Shadow AI is the use of AI tools or services that connect to corporate systems without central visibility or approval. In identity terms, it creates unmanaged authentication and delegation paths that can hold credentials, tokens, or permissions outside normal lifecycle control.
- Machine Identity: A machine identity is a non-human credential or account used by software, services, or automation to authenticate and authorise actions. It includes service accounts, API keys, tokens, and certificates, all of which require ownership, lifecycle management, and review.
- Identity Action Gap: The identity action gap is the delay between discovering an access issue and enforcing a control that reduces exposure. It matters because visibility alone does not lower risk unless the organisation can revoke, restrict, or reclassify the identity relationship quickly enough.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Zluri features learnings from Identiverse 2025 on shadow AI, NHIs, and smarter access. Read the original.
Published by the NHIMG editorial team on 2025-09-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org