By NHI Mgmt Group Editorial Team
Published 2026-05-01
Domain: Governance & Risk
Source: Oasis Security

TL;DR: Non-human identities now outnumber human users by at least 20 to 1 and may reach 50 to 1, while IGA remains centred on human lifecycles, access certification, and role governance, according to Oasis Security. That gap makes NHIM a separate control plane for machine-to-machine access, not a replacement for IGA.


At a glance

What this is: An independent analysis of why traditional IGA does not fully cover non-human identity governance. The key finding is that NHIs require separate lifecycle, discovery, and control patterns.

Why it matters: IAM teams need to treat NHI governance as a distinct operating model because machine identities create visibility, ownership, and rotation problems that human-centric IGA workflows do not resolve.

By the numbers:

👉 Read Oasis Security's analysis of why IGA falls short for NHI governance


Context

Non-human identity governance is the discipline of controlling service accounts, API keys, tokens, bots, and certificates across their lifecycle. The problem is that most IGA programmes were built around employee provisioning, approvals, and access reviews, so they do not fully address machine-to-machine authentication or dynamic ownership gaps.

As cloud, SaaS, and API-driven architectures expand, the security perimeter has moved from users to the identities that control resources. That shift makes NHI visibility, rotation, decommissioning, and dependency mapping operational requirements, not optional hardening, and it is why the Ultimate Guide to NHIs remains the clearest baseline reference for machine identity governance.


Key questions

Q: How should organisations govern non-human identities alongside IGA?

A: Use IGA for people and add an NHI-specific control plane for service accounts, API keys, tokens, and certificates. The two layers solve different problems. IGA handles human lifecycle workflows, while NHI governance handles discovery, ownership, rotation, expiry, and decommissioning for machine identities.

Q: Why do service accounts create governance gaps that IGA does not close?

A: Service accounts are often created outside HR-driven workflows, lack clear ownership, and can remain active long after their original use. IGA may record them, but it rarely models their real dependencies or lifecycle state well enough to retire them safely. That leaves hidden access paths in place.

Q: How do teams know if NHI governance is actually working?

A: Look for complete inventory coverage, clear ownership, enforced rotation, and reliable decommissioning. If new credentials appear faster than they are classified, or if stale secrets stay valid after workload changes, the programme is not governing machine identities effectively.

Q: What is the difference between IGA and NHIM for identity teams?

A: IGA governs human access through provisioning, approvals, certification, and compliance reporting. NHIM governs machine identities that authenticate systems, services, and automation. The distinction matters because machine access is created, rotated, and retired through different operational patterns than employee access.


Technical breakdown

Why human-centric IGA workflows miss machine identity lifecycles

Identity Governance and Administration is optimised for people: joiner-mover-leaver events, access requests, role assignment, and periodic certification. Non-human identities behave differently because they are often created by systems and developers on demand, outside central oversight, and they can persist long after the original workload changes. That creates a structural governance gap. The control problem is not simply missing visibility, but the mismatch between human workflow design and machine identity reality. When a service account or API key has no durable owner, no reliable business context, and no clean offboarding event, the IGA model cannot fully certify or retire it.

Practical implication: map which identities are being governed by IGA workflows and which require dedicated NHI lifecycle controls.

How rotation, expiration, and decommissioning change the risk model

NHIs depend on credentials that can be rotated, expired, or left stale. In practice, the security outcome is driven by whether those credentials are actively managed through their whole lifetime, not whether they were issued correctly at the start. A token that remains valid after its purpose ends expands the attack surface, while an unrotated certificate creates a standing trust relationship that attackers can exploit. This is why NHI governance must include continuous discovery and retirement logic, not just provisioning. Without that, the inventory itself becomes incomplete and the control model drifts away from reality.

Practical implication: inventory expiry dates, rotation dates, and decommission status alongside access entitlements, not separately.

Why identity segmentation matters when machine access is interconnected

Machine identities rarely operate in isolation. A single service account can connect cloud services, CI/CD systems, storage, and SaaS APIs, creating dependency chains that magnify the effect of compromise. Identity segmentation reduces that blast radius by separating credentials by function, environment, and risk level so that one exposed secret does not become a broad access path. In NHI governance, segmentation is not only about least privilege. It is also about understanding which systems depend on which identities, because dependency mapping is what lets teams see where hidden operational coupling exists.

Practical implication: segment NHIs by workload and environment, then document their dependencies before reviewing privilege scope.


  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA is necessary, but it is not a complete machine identity control plane. The article’s core argument is that IGA excels at human identity governance while NHIM addresses service accounts, API keys, tokens, and certificates. That is the right split of responsibility, because machine identities are created, used, and retired in ways that human-centred lifecycle tools were never designed to model. Practitioners should treat the two as complementary, not interchangeable.

Non-human identity sprawl is now a governance problem, not just an inventory problem. When NHIs outnumber human identities by 20 to 1 or more, visibility gaps become operational risk because ownership, usage, and lifecycle state are often distributed across platforms. The issue is not merely that there are many credentials. It is that the enterprise no longer has a single lifecycle system of record for them. Teams should reframe NHI management as a control architecture challenge.

Identity segmentation is the named concept that separates survivable machine compromise from enterprise-wide exposure. A service account that can move across environments or call multiple systems turns one credential into many potential failure paths. Segmentation by function, environment, and risk level changes the blast radius of compromise and gives governance teams a defensible boundary to review. Practitioners should use segmentation as the organising principle for NHI policy design.

Visibility without offboarding discipline still leaves machine identities exposed. The article correctly links discovery to continuous monitoring, but discovery alone does not solve stale credential risk. What fails in many programmes is the assumption that finding an NHI means it is already governed. It is not. The control question is whether the organisation can remove dormant identities and revoke trust when systems, vendors, or workloads change.

Cross-domain identity governance is where NHIM proves its value. The strongest case for NHIM is not a feature comparison with IGA. It is the need to connect human processes, machine access, and cloud operating models into one defensible governance picture. That is exactly where identity programmes become brittle if they rely on a human-only lifecycle model. Practitioners should build policies that reflect the identity type, not the tool category.

From our research:

  • Non-human identities now outnumber human users by at least 20 to 1, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why incomplete inventories remain a governance issue rather than a tooling issue.
  • For the broader lifecycle context, 52 NHI Breaches Analysis shows how lifecycle gaps turn into repeatable incident patterns.

What this signals

Identity governance programmes that still treat machine access as an IGA side task will continue to miss the control boundary that matters most. As cloud estates expand, the practical issue is not whether a tool can list credentials. It is whether the organisation can prove ownership, lifecycle state, and dependency scope for every non-human identity across environments. Teams should expect NHI governance to become a formal control domain, not a bolt-on report.

Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which means most programmes are managing machine access with partial evidence. That level of blind spot weakens access review accuracy, makes offboarding incomplete, and leaves dormant identities in circulation. The right response is to integrate identity, vault, and logging data into one operating picture rather than chase one-off clean-up projects.


For practitioners

  • Separate human and machine governance paths: Document which access workflows are managed through IGA and which must be governed through NHI-specific discovery, rotation, and retirement processes. Use this boundary to stop service accounts from being reviewed as if they were employee accounts.
  • Build a complete NHI inventory from source systems: Connect identity providers, secret stores, logging platforms, and cloud services so that service accounts, API keys, tokens, and certificates are discovered where they actually live. Reconcile ownership and usage continuously rather than relying on periodic spreadsheets.
  • Apply lifecycle controls to stale machine credentials: Track creation, use, rotation, expiry, and decommission status for every non-human identity. Prioritise credentials that remain valid after workloads change, because those are the ones that most often create hidden exposure.
  • Segment identities by workload and environment: Separate credentials by function, deployment zone, and risk tier so that one compromised secret cannot traverse unrelated systems. Pair that segmentation with dependency mapping to show where a single identity still spans too many services.
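As an added example (not code from Oasis Security or from this article), the lifecycle checks from the third bullet and the dependency-mapping check from the fourth, applied to a constructed inventory; it also illustrates the rotation/decommissioning and segmentation points in the Technical breakdown. The record fields, the 90-day rotation and 60-day idle thresholds, the "<env>/<system>" naming and the three sample identities are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
@dataclass
class NHI:  # constructed record format (an assumption, not any vendor's schema)
    name: str
    owner: str | None         # None = no durable owner
    created: date
    last_used: date | None
    rotated: date | None      # None = never rotated since creation
    expires: date | None      # None = non-expiring credential
    workload_active: bool     # False = the workload that needed it is gone
    stored_in: str            # system holding the secret, as "<env>/<system>"
    reaches: list[str] = field(default_factory=list)  # systems it can authenticate to
MAX_ROTATION_DAYS, MAX_IDLE_DAYS = 90, 60  # assumed policy thresholds, in days
def lifecycle_findings(nhi: NHI, today: date) -> list[str]:  # ownership, staleness, rotation, expiry
    out = []
    if nhi.owner is None:
        out.append("no-owner")
    if not nhi.workload_active and (nhi.expires is None or nhi.expires > today):
        out.append("valid-after-workload-retired")   # the hidden-exposure case the text prioritises
    if (today - (nhi.rotated or nhi.created)).days > MAX_ROTATION_DAYS:
        out.append("rotation-overdue")
    if nhi.last_used is None or (today - nhi.last_used).days > MAX_IDLE_DAYS:
        out.append("dormant")
    if nhi.expires is None:
        out.append("no-expiry")
    return out
def blast_radius(inventory: list[NHI], start: str) -> set[str]:  # transitive reach if `start` leaks
    by_name = {n.name: n for n in inventory}
    reached, frontier = set(), [start]
    while frontier:
        for system in by_name[frontier.pop()].reaches:
            if system not in reached:
                reached.add(system)
                # any secret stored in a reached system is exposed too, so follow it
                frontier += [n.name for n in inventory if n.stored_in == system]
    return reached
def spans_environments(inventory: list[NHI], start: str) -> bool:  # segmentation check
    return len({s.split("/")[0] for s in blast_radius(inventory, start)}) > 1

TODAY = date(2026, 5, 1)  # treated as "now" for the sample
INVENTORY = [  # constructed sample: one healthy key, one stale orphan, one scoped dev token
    NHI("ci-deploy-key", "platform-team", date(2025, 9, 1), date(2026, 4, 30), date(2026, 3, 1),
        date(2026, 9, 1), True, "prod/ci", ["prod/k8s", "prod/registry"]),
    NHI("legacy-etl-svc", None, date(2024, 1, 15), date(2025, 11, 2), None, None, False,
        "prod/k8s", ["prod/warehouse", "dev/s3"]),
    NHI("dev-test-token", "qa-team", date(2026, 4, 1), date(2026, 4, 29), None, date(2026, 7, 1),
        True, "dev/s3", ["dev/api"]),
]
```

Note that the well-managed ci-deploy-key still has a blast radius crossing from prod into dev, because the stale legacy-etl-svc credential sits in a system it reaches; that is the coupling dependency mapping is meant to expose.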

Key takeaways

  • IGA is built for human identities, so it does not fully solve the lifecycle, ownership, and rotation problems created by NHIs.
  • NHI sprawl turns visibility gaps into exposure, especially when service accounts and credentials outlive the workloads that created them.
  • The practical control response is to separate human and machine governance, then enforce discovery, segmentation, rotation, and decommissioning for non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | The article focuses on NHI lifecycle and governance gaps.
NIST CSF 2.0 | PR.AA-01 | Identity and access governance must cover both humans and machine identities.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and segmented access are central to the article's recommendation.

Map NHI controls into the Protect function and verify they are enforced continuously.


Key terms

  • Non-Human Identity Management: The governance discipline for machine identities such as service accounts, API keys, tokens, bots, and certificates. It covers discovery, ownership, access scope, rotation, expiry, and decommissioning. In practice, it exists because machine access follows different lifecycle patterns than human access and cannot be fully managed through employee-centric workflows alone.
  • Identity Segmentation: The practice of separating identities by workload, environment, and risk so one credential cannot easily move across unrelated systems. For machine identities, segmentation is a blast-radius control as much as a least-privilege measure, because shared dependencies can turn a single compromise into a wider operational event.
  • Lifecycle Governance: The set of controls that manage identities from creation through use, review, rotation, and retirement. For NHIs, lifecycle governance must account for system-generated credentials, hidden dependencies, and stale access that can persist after a workload changes. Without it, inventory and policy quickly drift apart from operational reality.
  • Machine Identity: A non-human identity used by software, services, or infrastructure to authenticate and authorize access to other systems. It may take the form of a service account, token, key, or certificate. The key governance challenge is that machine identities often lack the clear business ownership and review cadence expected in human IAM.

Deepen your knowledge

NHI lifecycle governance and machine identity segmentation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance beyond human access, it is worth exploring.

This post draws on content published by Oasis Security: Why do I need NHIM if I already have a great IGA tool? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org