The Ultimate Guide to Non-Human Identities Report
Webinar – Non-Human Identities & Agentic AI Intersection

Our founder Lalit Choda is interviewed by Confidence Staveley on NHIs and Agentic AI, as part of the launch of her amazing new publication AI Cyber Magazine, where our article Mitigating NHI Threats in the age of GenAI was also published.

In this conversation, we discussed the critical importance of understanding and managing Non-Human identities (NHIs) in today’s digital landscape.

We also talked about the challenges organizations face in controlling NHIs, the risks associated with them, and how the rise of AI is making things worse.

NHI Global Summit – Opening Remarks By Lalit Choda

It was a huge honour and privilege to share opening remarks to kick off the historic, first-of-its-kind NHI Global Summit at the iconic Nasdaq MarketSite venue in Times Square, NY on Feb 27th 2025.

After introducing #MrNHI and our NHI Mgmt Group and welcoming everyone to the event, I shared insights on what to expect during the day and explained why this is the hardest risk you will probably tackle in your career, given the very weak controls around NHIs and that it impacts all your IT processes and teams.

I cover “Why Now”: due to hyper-fragmentation across multi-cloud, on-prem, SaaS, microservices, containerisation and GenAI, we have a huge Secrets Sprawl problem, NHIs are easy to discover, and breaches are occurring on a regular basis. I also share that this is not just an external cyber threat, but a huge internal threat also.

Finally, I ask the audience three questions:
– how many are very concerned about NHI risks?
– how many know how to fully address NHI risks?
– how many are actively pursuing an NHI program currently?

After the opening remarks, I go on to host a panel discussion:
– “NHI Stats That Will Blow Your Human Mind”

Hope you enjoy the opening remarks from what was truly a game-changing and historic event for the NHI industry, with hundreds of attendees, an amazing agenda and great guest speakers – the feedback so far from the event has been overwhelming.

Together let’s help organisations tackle probably the hardest IT & Identity challenge in the industry.

Webinar – Navigating The Modern Non-Human Identity Security Landscape

In this episode of Access Granted, we dive deep into one of the most urgent cybersecurity challenges today: Non-Human Identities (NHIs). As automation, AI, and cloud services expand, NHIs — like API keys, service accounts, and machine credentials — are growing at an alarming rate. Yet, many organizations fail to track, secure, or even acknowledge their existence, despite their potential impact on identity security.

Two identity security leaders, Lalit Choda, CEO and Founder of the NHI Mgmt Group, and Art Poghosyan, CEO and Co-Founder of Britive, share their insight and expertise on:

✅ The explosion of NHIs & why they’ve grown to outnumber human identities in the cloud

✅ How NHIs are exploited in breaches, drawing from big examples

✅ Why static credentials are a ticking time bomb & how to eliminate them

✅ Best practices for securing NHIs using Zero Standing Privileges (ZSP) as a guiding principle of identity management

Webinar – Securing Non-Human Identities In The Cloud

In today’s multi-cloud and hybrid infrastructures, NHIs outnumber human identities 25x–50x in modern cloud environments, and without proper oversight, they become a prime attack vector for breaches.

This session moves beyond theory, providing a step-by-step roadmap to securing NHIs across cloud and hybrid environments.

Hear from:

  • Lalit Choda: Founder of the Non-Human Identity Management Group
  • John Gonsalves: Former leader at Citi Bank and JPMorgan Chase, Cloud PAM Advisor
  • Art Poghosyan: CEO & Co-Founder of Britive

What We’ll Cover:

Step 1: Define Your Strategic End State

Security must align with business priorities. Before implementing controls, organizations must establish what they’re solving for and where they need to be.

  • How NHI security reduces risk, cost, and operational inefficiencies.
  • Compliance mandates (SOC2, NYDFS, PCI-DSS) and business alignment.
  • Balancing security with DevOps, automation, and cloud agility.

Step 2: Inventory Credentials & Eliminate Hidden Risks

You cannot secure what you can’t see. Before enforcing least privilege, organizations must first gain visibility into their NHIs.

  • Identifying all NHIs (API keys, service accounts, automation tools).
  • Classifying NHIs based on access level, criticality, and risk.
  • Addressing orphaned or stale NHIs that pose immediate risks.

Step 3: Enforce Just-in-Time Access

Not all JIT solutions are equal. Removing standing privileges means more than temporary credentials—permissions must expire with them.

  • How to transition NHIs from standing access to ephemeral, policy-driven permissions.
  • Why cloud-native models (AWS AssumeRole, Azure Managed Identities) are key to securing NHIs.
  • Lessons from real-world breaches—what went wrong, and what could have prevented them.

Step 4: Apply Least Privilege at Scale

NHIs are often over-permissioned due to default configurations and lack of governance.

  • Applying granular, contextual policies based on workload needs.
  • Ensuring NHIs get only the minimum necessary access, for the shortest duration.
  • Automating access reviews, credential rotation, and enforcement.

Step 5: Future-Proof Your NHI Security Strategy

Security must scale with business growth. Organizations need a long-term plan for securing NHIs across automation, DevOps, and AI-driven workloads.

  • Ensuring continuous monitoring and policy enforcement without disrupting workflows.
  • Anticipating cloud expansion, M&A, and compliance shifts.
  • Choosing solutions that secure both human and non-human identities.

Webinar – Tackling The Non-Human Identity Crisis

As the landscape of Non-Human Identities (NHI) continues to expand, managing and securing these identities has become one of the most pressing challenges for organizations today. With automation and the increasing reliance on machine-to-machine communication, the stakes for securing these entities have never been higher. Did you know that over 80% of cloud breaches involve mismanaged or unauthorized machine identities?

Lalit Choda, founder of the Non-Human Identity Management Group, and Dwayne McDaniel, Senior Developer Advocate at GitGuardian, have an in-depth discussion on “Tackling the Non-Human Identity Crisis” packed with actionable insights, real-world examples, and strategies for staying ahead in an evolving threat landscape.

In this webinar, we explore why NHIs are at the heart of modern security strategies and how integrating secrets managers and advanced security tools can mitigate risks and enhance your overall security posture.

Key topics covered:

  • Background to why we founded the Non-Human Identity Management Group
  • What are NHIs and why are they harder to manage
  • The top risks associated with NHIs
  • Key lifecycle processes for managing NHIs
  • Secrets Sprawl: Practical solutions for controlling secrets proliferation across your environments.
  • NHI solutions, toolsets and the market
  • GitGuardian’s approach to Secrets Security and NHI Governance

Webinar – The 2025 Cybersecurity Landscape

Takeaways from the discussion on NHIs with Lalit Choda and Heather Flanagan on Episode 78 of Identerati Office Hours

⚡ Naming is unclear: the industry likes “NHI” because it conveys the gravity and everyone sort of knows what you mean; but we also say “workload”, “software”, “AI agent”, and other terms.

⚡ The size of the challenge is unclear: no one has done a census of workload identities. If each app on each device is unique, the numbers start to add up quickly. Even more identities act on behalf of an enterprise than on behalf of a person.

⚡ As for humans, non-human identity requires proofing (“has the software been changed and should I trust it to interact?”), authentication (“is this the same piece of software I proofed?”), authorization (“what is the privilege level of this authenticated entity?”) and governance (“why does this NHI need this level of access?”). There is little enterprise IT tooling to address these NHI challenges, but a number of cybersecurity startups and incumbents are coming to the rescue!

⚡ Assuming we properly proof and authenticate an NHI, it’s a real challenge for enterprises to understand what that NHI is entitled to do, and WHY. Mike worries that there is a disconnect between what the company leadership expects and assumes about its cybersecurity posture and the reality of the challenges faced by the IT team.

⚡ Standards are only just evolving to address this challenge. OpenID Connect does a great job mapping person identity. OpenID Connect is built on OAuth, but the OAuth WG can’t address all the issues raised by software identity. So other entire working groups are forming at the IETF to address workload identity (WIMSE), provenance (SCITT) and even how identity systems themselves should interoperate (SPICE).

⚡ Yes, AI adds a new existential dimension to NHI management. How will enterprises and people set the boundaries within which the AIs acting on their behalf may transact? This will put stress on all the joints of the NHI ecosystem: proofing, authentication, authorization and governance.

⚡ “Attestation” is the esoteric word of the year in 2024. Attestations enable a workload to assert what’s true about itself: I’m this kind of workload, running on this hardware, presenting these JWTs that represent certain authorizations and information. The attestation may also include a public key that allows the workload to authenticate if it returns.

⚡ What is an identity? The word derives from the Latin “idem”, meaning “same”. So it’s interesting that in the IT space we use identity to mean uniqueness, when the rest of the world associates it with things that we share. And having an identifier does not mean you have an identity: my house has a unique address, but it doesn’t have agency. So is an identity something that has a unique identifier and that transacts?

View the full podcast here.

Podcast – Non-Human Identities – The Silent Risk In Cloud Security

Lalit Choda, founder of the Non-Human Identity Management Group, joins Nauman Mustafa for an episode of Access Granted by Britive, where they explore how and why Non-Human Identities have become a significant security risk and what organizations can do to address them.

Key discussion topics include:

  • What’s considered an NHI? Examples include API keys, service accounts, automations, and more.
  • How static credentials, secrets sprawl, and stale accounts create vulnerabilities and increase the attack surface.
  • Practical steps for organizations, including scanning repos for hard-coded credentials, cycling tokens, and creating a full NHI inventory.
  • The importance of Zero Standing Privileges (ZSP) and just-in-time (JIT) access in securing NHIs without impeding developer agility.
  • The intersection of AI, NHIs, and security, and balancing innovation with robust protection.

🎧 Listen to Access Granted on Spotify: https://open.spotify.com/show/7ukJOqUhDmTRj2pm3ykibS

Keynote Talk on Non-Human Identities at WhyNotIAM Conference

Our NHI Mgmt Group was a platinum sponsor at the WhyNotIAM Event in Bengaluru, India on 16th November 2024. Our Founder Lalit Choda gave a keynote talk on NHIs covering:

  • What Are Non-Human Identities
  • Types of NHIs and where they are used
  • The NHI Challenge
  • Top NHI Issues
  • The NHI Market
  • Overview of the NHI Mgmt Group
  • NHI Mgmt Group Mission Statement

Top 10 Non-Human Identity Issues

Here is our Top 10 list of Non-Human Identity (NHI) Issues:

1. Plain-Text / Unencrypted Credentials – organisations will find that many NHI credentials have been hard-coded into source-code repositories and can therefore be easily discovered by both external and internal threat actors.

2. Full Inventory of Non-Human Accounts – obtaining an inventory of all NHIs is very challenging, as there can be many platforms, endpoints, directory services and cloud integrations where these NHIs exist.

3. Stale / Inactive Accounts – due to weak lifecycle processes, a lack of visibility of usage information and a lack of inventory, many NHIs end up inactive. This increases the attack surface. We have found organisations where some accounts have not been used for 20+ years and in excess of 50% of the accounts are stale / inactive.

4. Lack of Account Ownership – after addressing inventory issues, the next key step is ensuring we identify an owner for each NHI, so we know who to contact to drive hygiene/remediation activities or when an NHI account gets compromised.

5. Humans Using Non-Human Accounts – humans using NHIs has always been a problem, as it has been very easy to bypass controls and use an NHI account to access assets/data. With the focus on Privileged Access Management (PAM), humans have started to lose permanent access to environments, in particular production – rather than use PAM controls, they have shifted to using NHI accounts.

6. Excessive Privileges – NHIs in general are highly privileged accounts, but we see in many cases NHIs are given excessive privileges, when much lower permissions would suffice.

7. Lack of Credential Cycling – cycling / rotating NHI credentials is very challenging for a number of reasons, e.g. lack of passwordLastChange information, unknown dependencies that could cause operational impact, changes required to application code/config, lack of vaulting of credentials, and lack of endpoint cycling capabilities.

8. Lack of Environment Segregation – we see many cases where the same NHI is used in production and non-production environments, increasing the risk of lateral movement.

9. Sharing of Credentials across Apps – we see many examples where NHIs are shared across applications, which breaks the principles of need-to-have and least privilege. This also makes things like password cycling much more complex.

10. Non-Complex Passwords – NHI passwords have been found to be non-complex and therefore prone to password guessing attacks.
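A defender-side hygiene check for issues 3, 4, 7, 8 and 9 above, written as an added example for this page rather than the group's own tooling; the inventory rows, field names (nhi, owner, last_used, rotated, env, app, secret_id) and the 90/365-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per place a credential is used.
INVENTORY = [
    {"nhi": "svc-billing", "owner": "team-payments", "last_used": "2025-02-20",
     "rotated": "2024-11-01", "env": "prod", "app": "billing", "secret_id": "S1"},
    {"nhi": "svc-billing", "owner": "team-payments", "last_used": "2025-02-21",
     "rotated": "2024-11-01", "env": "dev", "app": "billing", "secret_id": "S1"},
    {"nhi": "svc-legacy-etl", "owner": None, "last_used": "2004-06-30",
     "rotated": None, "env": "prod", "app": "etl", "secret_id": "S2"},
    {"nhi": "svc-reporting", "owner": "team-data", "last_used": "2025-02-25",
     "rotated": "2023-01-15", "env": "prod", "app": "reporting", "secret_id": "S3"},
    {"nhi": "svc-reporting", "owner": "team-data", "last_used": "2025-02-25",
     "rotated": "2023-01-15", "env": "prod", "app": "crm-sync", "secret_id": "S3"},
]

STALE_DAYS = 90     # issue 3: unused for longer than this (or never) -> stale
ROTATE_DAYS = 365   # issue 7: credential older than this (or age unknown) -> overdue


def _days_since(iso_date, today):
    """Days between an ISO date string and today; None when the date is unknown."""
    return None if iso_date is None else (today - date.fromisoformat(iso_date)).days


def audit(rows, today_iso):
    """Return sorted (nhi, issue) findings for the inventory, evaluated as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = set()
    by_secret = {}
    for r in rows:
        age = _days_since(r["last_used"], today)
        if age is None or age > STALE_DAYS:
            findings.add((r["nhi"], "stale"))                      # issue 3
        if not r["owner"]:
            findings.add((r["nhi"], "no-owner"))                   # issue 4
        rotated = _days_since(r["rotated"], today)
        if rotated is None or rotated > ROTATE_DAYS:
            findings.add((r["nhi"], "rotation-overdue"))           # issue 7
        by_secret.setdefault(r["secret_id"], []).append(r)
    for uses in by_secret.values():
        envs = {u["env"] for u in uses}
        if "prod" in envs and len(envs) > 1:                       # issue 8
            findings.update((u["nhi"], "env-not-segregated") for u in uses)
        if len({u["app"] for u in uses}) > 1:                      # issue 9
            findings.update((u["nhi"], "shared-across-apps") for u in uses)
    return sorted(findings)


if __name__ == "__main__":
    for nhi, issue in audit(INVENTORY, "2025-03-01"):
        print(f"{nhi}: {issue}")
```

Feeding a real inventory export into `audit` turns the list above into a repeatable report that can drive owner assignment and rotation tickets.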

What’s In Your Top 10?

Want to know more? View our white paper on Managing Non-Human Identity Risks, which covers these risks in much more detail, or watch our Animated Video above.

Overview Of The Non-Human Identity Management Group

Our animated video explains our Non-Human Identity Management Group.

We provide Independent Guidance and Advice for clients looking to manage the risks around Non-Human Identities – our team has been advising, establishing and managing global regulatory IAM / NHI programs for over 25 years at major financial institutions.

The Non-Human Identity Management Group is the market-leading Research and Advisory group that helps organisations manage the significant risk exposure from Non-Human Identities (NHIs), i.e. Service Accounts, Machine Identities, Workload Identities, API Keys, OAuth Tokens, Certificates and Secrets.

Our NHI Mgmt Group was founded by an IAM industry veteran who has managed some of the largest global regulatory NHI programs, authored major white papers and research articles on NHIs, is a keynote speaker, established the thriving NHI LinkedIn Community Group and is recognised as the #1 NHI Evangelist / Voice in the industry.

We have the most comprehensive Knowledge Centre on NHIs including foundational Articles on NHIs, Industry White-Papers, Major Breaches, Research Reports, Blogs, Educational Videos, Industry Surveys, Newsletters as well as details of Products that support the risk management of NHIs.