TL;DR: Renee Guttmann argues that rapid AI adoption has created a gap between non-human identity risk and traditional IAM, with non-human identities now outnumbering human ones by ratios exceeding 80:1 in some organisations, according to Aembit. The key issue is not just access volume but governance assumptions that were built for static systems and human users.
NHIMG editorial — based on content published by Aembit: 5 Questions for Renee Guttmann, Adviser to Aembit
By the numbers:
- Today, non-human identities outnumber human ones by ratios exceeding 80:1, depending on the organization.
Questions worth separating out
Q: How should security teams govern AI agent identity in enterprise environments?
A: Security teams should govern AI agent identity the same way they govern any high-impact non-human identity, with explicit ownership, tightly scoped entitlements, and defined retirement conditions.
Q: Why do AI agents create more IAM risk than static workloads?
A: AI agents create more IAM risk because their access can be exercised continuously, at machine speed, and inside dynamic workflows.
Q: What do teams get wrong about non-human access governance?
A: Teams often assume non-human access is just a secrets management problem.
Practitioner guidance
- Inventory every AI agent and workload identity: Build a complete register of AI agents, service accounts, API tokens, certificates, and other non-human credentials.
- Bind each credential to a lifecycle owner: Assign an accountable owner for creation, rotation, review, and retirement of every non-human credential.
- Shorten privilege scope around task boundaries: Limit AI agent and workload permissions to the smallest task scope that still supports business flow.
What's in the full article
Aembit's full interview covers the operational detail this post intentionally leaves for the source:
- Renee Guttmann’s own examples for explaining non-human access risk to executives and boards.
- Her view on what mature lifecycle processes should do for AI workload credentials in practice.
- The article’s broader interview context on how security leaders should guide AI adoption without slowing business execution.
Explore further
AI agent identity is now a governance category, not a narrow implementation detail. The article is right to frame AI and workload access as part of mainstream IAM, because the boundary between machine identity and business identity is dissolving. When agents can operate inside workflows, the programme has to govern actor, scope, and retirement together. The practitioner conclusion is that AI identity now belongs in identity architecture and board reporting, not just engineering discussion.
A few things that frame the scale:
- Today, non-human identities outnumber human ones by ratios exceeding 80:1, depending on the organization, according to Ultimate Guide to NHIs: Why NHI Security Matters Now.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who should be accountable for AI workload credentials and lifecycle controls?
A: Accountability should sit with the teams that own the business process and the identity controls together, not with security alone. The identity owner needs to be able to answer why the credential exists, when it must expire, and what happens if it is misused. That is the standard boards should expect for non-human access.