The Ultimate Guide to Non-Human Identities Report
IDAC Podcast – Mr. NHI, Lalit Choda, on Securing the Exploding World of NHI

Join Jim McDonald and Jeff Steadman on the Identity at the Center podcast as they welcome Lalit Choda, founder and CEO of the Non-Human Identity Management Group.

Lalit, also known as “Mr. NHI,” shares his journey from investment banking to becoming a leading expert in non-human identities.

This episode delves into the critical and often overlooked world of NHI, exploring why it’s such a hot topic now, the challenges practitioners face in managing these identities, and how to approach the problem from a risk-based perspective.

Lalit discusses the limitations of traditional PAM and IGA tools for NHI, the importance of foundational controls, and the alarming implications of AI on non-human identity management.

Plus, hear a fun segment about vinyl records and some surprising finds!

Chapter Timestamps:

00:00:00 – Introduction to Lalit Choda and the NHI Community

00:02:31 – Welcome to the Identity at the Center Podcast & IdentiVerse Discussion

00:06:18 – Lalit Choda’s Identity Origin Story: From Mr. SOX to Mr. NHI

00:12:03 – Why Non-Human Identities Are a Big Deal Right Now

00:15:37 – Defining NHI and the Practitioner’s Framework

00:19:13 – The Scale and Challenges of NHI Management

00:23:01 – New Types of NHI and Tooling Limitations

00:27:12 – The Lack of a Single Source of Truth for NHI

00:33:57 – Prioritizing NHI Management and the Role of PAM

00:38:58 – A Risk-Based Approach to NHI and Foundational Controls

00:48:15 – What Scares Lalit Most About NHI (and AI)

00:50:54 – Lalit’s Impressive Vinyl Collection

00:56:38 – Jim and Jeff’s First, Best, and Favorite Albums

01:01:15 – The Intersection of Music and Non-Human Identities

01:02:00 – Wrapping Up & Where to Find More Information

Connect with Lalit on LinkedIn: lalit-choda-5b924120

Non-Human Identity Management Group: https://www.nhimg.org/

Connect with us on LinkedIn:

Jim McDonald: jimmcdonaldpmp

Jeff Steadman: jeffsteadman

Visit the show on the web at http://idacpodcast.com

A Practitioners Guide To Managing Non-Human Identity (NHI) Risks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, gives a talk on “A Practitioners Guide to Managing Non-Human Identity Risks” at Identiverse, Mandalay Bay, Las Vegas, on June 5th.

Lalit shares details of an incident in which an NHI was used inappropriately, causing operational impact; it then took 3 weeks to cycle a single password. This incident was the trigger for starting a huge NHI program.

Lalit then shares his experience running one of the largest regulatory NHI programs in the financial industry, dealing with over 100,000 NHIs and developing, from the ground up, end-to-end NHI lifecycle processes including Inventory, Claiming, Scanning, Classification, Hygiene, Securing NHIs, Monitoring Controls and Prevent Controls.

NHI Workshop at Identiverse

Our NHI Mgmt Group hosted the biggest ever Non-Human Identity Workshop at Identiverse, Mandalay Bay, Las Vegas on Tuesday 3rd June 2025. The half day workshop had close to 250 participants and an amazing 24 guest speakers covering 7 great topics.


Opening Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, opens up proceedings, outlines the agenda and asks the audience 3 questions:

  1. How concerned are you about NHI risks?
  2. Do you know how to fully address NHI risks?
  3. Are you actively addressing NHI risks?

Full summary here.


Panel Session – What Are NHIs, Criticality, Risks and Challenges

Hosted by Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, with:

  • Kirby Fitch from SailPoint
  • Shashwat Sehgal from P0 Security

Full summary here.


Panel Session – Why The Urgency Now

Hosted by Dwayne McDaniel from GitGuardian with:

  • Jobson Andrade from MARS
  • Kamal Muralidharan from Andromeda Security
  • Anusha Iyer from Corsha

Full summary here.


Session – How Attackers Compromise NHIs

  • Vincenzo Iozzo from SlashID provides insights and examples of how attackers compromise NHIs.

Full summary here.


Session – NHI Compromise Demo

  • Michael Silva from Astrix Security shares a great demo of how NHIs can be easily discovered and used to compromise organisations.

Full summary here.


Panel Session – The NHI Maturity Model: A Risk Based Approach to Implementing an NHI Program

Hosted by Jesse Minor with:

  • Sriram Santhanam from GAP
  • Rich Dandliker from Veza
  • Anthony Viggiano from Cigna

Full summary here.


Panel Session – Agentic AI and the Intersection with NHIs

Hosted by Henrique Teixeira from Saviynt with:

  • Idan Gour from Astrix
  • Ido Shlomo from Token Security
  • Paresh Bhaya from Natoma

Full summary here.


Panel Session – How to Convince C-Level Decision Makers to Invest in a NHI Program

Hosted by Troy Wilkinson, Fortune 500 CISO, with:

  • Eli Erlikhman from Sprinklr
  • Danny Brickman from Oasis Security

Full summary here.


Panel Session – The Market Landscape – Solutions to Manage NHI Risks and Market Trends

Hosted by Nirit Icekson from Entro Security with:

  • Rom Carmel from Apono
  • Ehud Amiri from Saviynt
  • Steven Rennick from Ciena

Full summary here.


Closing Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, shares closing remarks, including details of the huge NHI Pavilion being hosted at Identiverse, with 17 vendors offering NHI risk management capabilities, as well as the talk Mr. NHI is giving on “A Practitioners Guide To Managing NHI Risks”.

Full summary here.

Webinar – Non-Human Identities & Agentic AI Intersection

Our founder Lalit Choda is interviewed by Confidence Staveley on NHIs and Agentic AI, as part of the launch of her new publication AI Cyber Magazine, in which our article “Mitigating NHI Threats in the age of GenAI” was also published.

In this conversation, we discussed the critical importance of understanding and managing Non-Human identities (NHIs) in today’s digital landscape.

We also talked about the challenges organizations face in controlling NHIs, the risks associated with them, and how the rise of AI is making things worse.

NHI Global Summit – Opening Remarks By Lalit Choda

It was a huge honour and privilege to share opening remarks to kick off the historic, first-of-its-kind NHI Global Summit at the iconic Nasdaq MarketSite venue in Times Square, NY on Feb 27th 2025.

After introducing #MrNHI and our NHI Mgmt Group and welcoming everyone to the event, I shared insights on what to expect during the day and explained why this is the hardest risk you will probably tackle in your career, given the very weak controls around NHIs and that it impacts all your IT processes and teams.

I cover “Why Now”: due to hyper-fragmentation, with multi-cloud, on-prem, SaaS, microservices, containerisation and GenAI, we have a huge secrets sprawl problem, NHIs are easy to discover, and breaches are occurring on a regular basis. I also share that this is not just an external cyber threat, but a huge internal threat also.

Finally, I ask the audience 3 questions:
– How many are very concerned about NHI risks?
– How many know how to fully address NHI risks?
– How many are actively pursuing an NHI program currently?

After opening remarks, I then go on to host a panel discussion:
– “NHI Stats That Will Blow Your Human Mind”

Hope you enjoy the opening remarks from what was truly a game-changing and historic event for the NHI industry, with hundreds of attendees, an amazing agenda and great guest speakers. The feedback so far from the event has been overwhelming.

Together let’s help organisations tackle probably the hardest IT & Identity challenge in the industry.

Webinar – Navigating The Modern Non-Human Identity Security Landscape

In this episode of Access Granted, we dive deep into one of the most urgent cybersecurity challenges today: Non-Human Identities (NHIs). As automation, AI, and cloud services expand, NHIs — like API keys, service accounts, and machine credentials — are growing at an alarming rate. Yet, many organizations fail to track, secure, or even acknowledge their existence, despite their potential impact on identity security.

Two identity security leaders, Lalit Choda, CEO and Founder of the NHI Mgmt Group, and Art Poghosyan, CEO and Co-Founder of Britive, share their insight and expertise on:

✅ The explosion of NHIs & why they’ve grown to outnumber human identities in the cloud

✅ How NHIs are exploited in breaches, drawing from big examples

✅ Why static credentials are a ticking time bomb & how to eliminate them

✅ Best practices for securing NHIs using Zero Standing Privileges (ZSP) as a guiding principle of identity management

Webinar – Securing Non-Human Identities In The Cloud

In today’s multi-cloud and hybrid infrastructures, NHIs outnumber human identities 25x–50x in modern cloud environments, and without proper oversight, they become a prime attack vector for breaches.

This session moves beyond theory, providing a step-by-step roadmap to securing NHIs across cloud and hybrid environments.

Hear from:

  • Lalit Choda: Founder of the Non-Human Identity Management Group
  • John Gonsalves: Former leader at Citi Bank and JPMorgan Chase, Cloud PAM Advisor
  • Art Poghosyan: CEO & Co-Founder of Britive

What We’ll Cover:

Step 1: Define Your Strategic End State

Security must align with business priorities. Before implementing controls, organizations must establish what they’re solving for and where they need to be.

  • How NHI security reduces risk, cost, and operational inefficiencies.
  • Compliance mandates (SOC2, NYDFS, PCI-DSS) and business alignment.
  • Balancing security with DevOps, automation, and cloud agility.

Step 2: Inventory Credentials & Eliminate Hidden Risks

You cannot secure what you can’t see. Before enforcing least privilege, organizations must first gain visibility into their NHIs.

  • Identifying all NHIs (API keys, service accounts, automation tools).
  • Classifying NHIs based on access level, criticality, and risk.
  • Addressing orphaned or stale NHIs that pose immediate risks.

Step 3: Enforce Just-in-Time Access

Not all JIT solutions are equal. Removing standing privileges means more than issuing temporary credentials: the permissions must expire together with the credential.

  • How to transition NHIs from standing access to ephemeral, policy-driven permissions.
  • Why cloud-native models (AWS AssumeRole, Azure Managed Identities) are key to securing NHIs.
  • Lessons from real-world breaches—what went wrong, and what could have prevented them.

Step 4: Apply Least Privilege at Scale

NHIs are often over-permissioned due to default configurations and lack of governance.

  • Applying granular, contextual policies based on workload needs.
  • Ensuring NHIs get only the minimum necessary access, for the shortest duration.
  • Automating access reviews, credential rotation, and enforcement.

Step 5: Future-Proof Your NHI Security Strategy

Security must scale with business growth. Organizations need a long-term plan for securing NHIs across automation, DevOps, and AI-driven workloads.

  • Ensuring continuous monitoring and policy enforcement without disrupting workflows.
  • Anticipating cloud expansion, M&A, and compliance shifts.
  • Choosing solutions that secure both human and non-human identities.
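The inventory and classification work in Steps 2 and 4 is easier to reason about with a concrete triage rule. The block below is an added example, not code from the webinar or the NHI Mgmt Group: it runs a constructed NHI inventory through the buckets the roadmap names (orphaned, stale, over-privileged, and static credentials overdue for rotation). The thresholds, privilege labels and sample entries are all assumptions.

```python
# Added example: triage a constructed NHI inventory into the risk buckets
# described in the roadmap above. Thresholds and labels are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

STALE_DAYS = 90             # assumed: unused this long => stale
STATIC_MAX_AGE_DAYS = 365   # assumed rotation policy for static secrets
HIGH_PRIV = {"admin", "iam:*", "secrets:read-all"}  # assumed entitlement labels
TODAY = date(2025, 6, 1)    # fixed "now" so results are reproducible

@dataclass
class NHI:
    name: str
    kind: str                   # e.g. "api_key", "service_account"
    owner: Optional[str]        # None => no accountable team: orphaned
    created: date
    last_used: Optional[date]   # None => never used since issuance
    privileges: Set[str]
    ephemeral: bool = False     # True for JIT / role-assumption credentials

def triage(nhi: NHI, today: date) -> List[str]:
    """Return the risk findings for one NHI, in a fixed order."""
    findings = []
    if nhi.owner is None:
        findings.append("orphaned")
    idle_days = (today - (nhi.last_used or nhi.created)).days
    if idle_days > STALE_DAYS:
        findings.append("stale")
    if nhi.privileges & HIGH_PRIV:
        findings.append("over-privileged")
    # Static secrets never expire on their own; JIT credentials do.
    if not nhi.ephemeral and (today - nhi.created).days > STATIC_MAX_AGE_DAYS:
        findings.append("rotation-overdue")
    return findings

def prioritize(inventory: List[NHI], today: date) -> List[Tuple[str, List[str]]]:
    """Rank NHIs by number of findings, worst first; clean ones are dropped."""
    scored = [(n.name, triage(n, today)) for n in inventory]
    return sorted((s for s in scored if s[1]), key=lambda s: (-len(s[1]), s[0]))

# Constructed sample inventory (not real credentials, accounts or teams).
INVENTORY = [
    NHI("ci-deploy-key", "api_key", None, date(2023, 5, 1), date(2025, 1, 10), {"s3:write"}),
    NHI("billing-svc", "service_account", "payments", date(2025, 4, 1), date(2025, 5, 30), {"admin"}),
    NHI("lambda-role", "managed_identity", "platform", date(2024, 1, 1), date(2025, 5, 31), {"ddb:read"}, True),
    NHI("legacy-token", "api_key", "data-team", date(2024, 2, 1), None, {"iam:*"}),
]
```

Running `prioritize(INVENTORY, TODAY)` puts the orphaned, long-lived deploy key and the never-used admin token at the top, while the ephemeral managed identity produces no findings at all.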

Webinar – Tackling The Non-Human Identity Crisis

As the landscape of Non-Human Identities (NHI) continues to expand, managing and securing these identities has become one of the most pressing challenges for organizations today. With automation and the increasing reliance on machine-to-machine communication, the stakes for securing these entities have never been higher. Did you know that over 80% of cloud breaches involve mismanaged or unauthorized machine identities?

Lalit Choda, founder of the Non-Human Identity Management Group, and Dwayne McDaniel, Senior Developer Advocate at GitGuardian, have an in-depth discussion on “Tackling the Non-Human Identity Crisis” packed with actionable insights, real-world examples, and strategies for staying ahead in an evolving threat landscape.

In this webinar, we explore why NHIs are at the heart of modern security strategies and how integrating secrets managers and advanced security tools can mitigate risks and enhance your overall security posture.

Key topics covered:

  • Background to why we founded the Non-Human Identity Management Group
  • What are NHIs and why are they harder to manage
  • The top risks associated with NHIs
  • Key lifecycle processes for managing NHIs
  • Secrets Sprawl: Practical solutions for controlling secrets proliferation across your environments.
  • NHI solutions, toolsets and the market
  • GitGuardian’s approach to Secrets Security and NHI Governance

Webinar – The 2025 Cybersecurity Landscape

Takeaways from the discussion on NHIs with Lalit Choda and Heather Flanagan on Episode 78 of Identerati Office Hours

⚡ Naming is unclear: the industry likes “NHI” because it conveys the gravity and everyone sort of knows what you mean; but we also say “workload”, “software”, “AI agent”, and other terms.

⚡Size of the challenge is unclear: no one has done a census of workload identities. If each app on each device is unique, the numbers start to add up quickly. Even more identities act on behalf of an enterprise versus a person.

⚡ As for humans, non-human identity requires proofing (“has the software been changed, and should I trust it to interact?”), authentication (“is this the same piece of software I proofed?”), authorization (“what is the privilege level of this authenticated entity?”) and governance (“why does this NHI need this level of access?”). There is little enterprise IT tooling to address these NHI challenges, but a number of cybersecurity startups and incumbents are coming to the rescue!

⚡ Assuming we properly proof and authenticate an NHI, it’s a real challenge for enterprises to understand what that NHI is entitled to do, and WHY. Mike worries that there is a disconnect between what the company leadership expects and assumes about its cybersecurity posture, and the reality of the challenges faced by the IT team.

⚡ Standards are just evolving to address this challenge. OpenID Connect does a great job mapping person identity. OpenID Connect is built on OAuth, but the OAuth WG can’t address all the issues raised by software identity. So other entire working groups are forming at the IETF to address workload identity (WIMSE), provenance (SCITT) and even how identity systems themselves should interoperate (SPICE).

⚡ Yes, AI adds a new existential dimension to NHI management. How will enterprises and people set the boundaries within which the AIs acting on their behalf may transact? This will put stress on all the joints of the NHI ecosystem: proofing, authentication, authorization and governance.

⚡ “Attestation” is the esoteric word of the year in 2024. Attestations enable a workload to assert what’s true about itself: I’m this kind of workload, running on this hardware, presenting these JWTs that represent certain authorizations and information. The attestation may also include a public key that allows me to authenticate if I return.

⚡ What is an identity? The word derives from the Latin “idem”, meaning “same”. So it’s interesting that in the IT space we use identity to mean uniqueness, when the rest of the world associates it with things that we share. And having an identifier does not mean you have an identity: my house has a unique address, but it doesn’t have agency. So is an identity something that has a unique identifier and transacts?

View the full podcast here.

Podcast – Non-Human Identities – The Silent Risk In Cloud Security

Lalit Choda, founder of the Non-Human Identity Management Group, joins Nauman Mustafa for an episode of Access Granted by Britive, where they explore how and why Non-Human Identities have become a significant security risk and what organizations can do to address them.

Key discussion topics include:

  • What’s considered an NHI? Examples include API keys, service accounts, automations, and more.
  • How static credentials, secrets sprawl, and stale accounts create vulnerabilities and increase the attack surface.
  • Practical steps for organizations, including scanning repos for hard-coded credentials, cycling tokens, and creating a full NHI inventory.
  • The importance of Zero Standing Privileges (ZSP) and just-in-time (JIT) access for securing NHIs without impeding developer agility.
  • The intersection of AI, NHIs, and security, and balancing innovation with robust protection.

🎧 Listen to Access Granted on Spotify: https://open.spotify.com/show/7ukJOqUhDmTRj2pm3ykibS