TL;DR: 2025 exposed a basic identity security failure: human-centric access models could not govern autonomous AI agents or the rapid growth of non-human identities, according to Oasis Security. The real shift is that identity now has to govern action, intent, and accountability, not just authentication and role assignment.
NHIMG editorial — based on content published by Oasis Security: How 2025 Changed the Way We Think About Identity Security
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agents that act autonomously?
A: Security teams should govern autonomous agents with runtime policy, not just static entitlements.
Q: Why do NHIs create more IAM risk than human accounts?
A: NHIs create more IAM risk because they are numerous, often overprivileged, and frequently unmanaged across creation, monitoring, and offboarding.
Q: What breaks when identity governance is built only for human users?
A: Access review, joiner-mover-leaver processes, and periodic certification break down when the identity is a service account or autonomous agent.
Practitioner guidance
- Inventory machine identities by owner and lifecycle state: build a complete inventory of service accounts, API keys, certificates, and AI agent identities, then assign a named owner, purpose, and revocation path for each one.
- Replace role-only thinking with action-bound policy: define what each non-human identity may do, which tools it may use, and under what conditions those actions are allowed.
- Separate human, NHI, and autonomous governance controls: do not force one access review, one offboarding process, or one certification cadence across all identity types.
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor frames Agentic Access Management as a governance model for autonomous AI decisions
- The practical distinction between intent-aware access and classic role-based assignment
- The NHI provisioning and Scout capabilities as described by the vendor, including how they fit into a lifecycle model
- The vendor's own explanation of the Agentic Access Management Governance Framework and how it is positioned for practitioners
👉 Read Oasis Security's analysis of how identity security changed in 2025 →
Explore further
Human-centric identity security assumed that access would be reviewable because behaviour would remain tied to a person. That assumption was designed for people who log in, request access, and leave an artefact for certification. It fails when AI agents and NHIs act at machine speed, because the identity can consume, combine, and discard access outside the review window. The implication is that IAM programmes must stop treating review cadence as a universal control boundary.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why inventory and ownership remain weak control points.
A question worth separating out:
Q: How can teams separate NHI governance from autonomous AI governance?
A: Teams should separate them by the behaviour being controlled. NHI governance focuses on lifecycle, secrets, privilege, and revocation for non-autonomous machine identities. Autonomous AI governance adds runtime decision-making, tool selection, and execution timing, so policy must also control action sequences and approval boundaries.
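The practitioner guidance above (inventory with owner and lifecycle state, action-bound policy instead of roles) and this answer (action sequences and approval boundaries) can be combined into a single runtime check. The following is an added example, not code from Oasis Security or NHIMG; the inventory records, policy rules, tool and action names, and request context fields are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory record per NHI: named owner, purpose, lifecycle state
# and revocation path (the fields the guidance above asks for).
INVENTORY = {
    "agent-invoice-bot": {"owner": "ap-team", "purpose": "invoice triage",
                          "state": "active", "revoke_via": "vault-lease-123"},
    "svc-legacy-etl": {"owner": None, "purpose": "unknown",
                       "state": "active", "revoke_via": None},
}

# Constructed action-bound policy: tool + action + conditions, rather than a
# role. "requires_prior" expresses a permitted action sequence; "needs_approval"
# marks an approval boundary that a human must cross on the agent's behalf.
POLICY = {
    "agent-invoice-bot": [
        {"tool": "erp", "action": "read_invoice"},
        {"tool": "erp", "action": "approve_payment", "needs_approval": True,
         "max_amount": 5000, "requires_prior": "read_invoice"},
    ],
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(identity, tool, action, context):
    """Runtime check of one requested action. context holds the request
    amount, any approver, and the actions already taken in this session."""
    rec = INVENTORY.get(identity)
    if rec is None:
        return Decision(False, "not in inventory")
    if rec["state"] != "active":
        return Decision(False, f"lifecycle state {rec['state']}")
    if not rec["owner"] or not rec["revoke_via"]:
        return Decision(False, "no named owner or revocation path")
    for rule in POLICY.get(identity, []):
        if (rule["tool"], rule["action"]) != (tool, action):
            continue
        prior = rule.get("requires_prior")
        if prior and prior not in context.get("history", []):
            return Decision(False, f"sequence violation: {prior} must precede {action}")
        if context.get("amount", 0) > rule.get("max_amount", float("inf")):
            return Decision(False, "amount exceeds action-bound limit")
        if rule.get("needs_approval") and not context.get("approved_by"):
            return Decision(False, "approval boundary: human approval required")
        return Decision(True, f"permitted by rule {tool}:{action}")
    return Decision(False, f"no rule permits {tool}:{action}")
```

A static entitlement check would stop at "this identity holds a finance role"; here the same identity is denied when it skips the expected sequence, exceeds the bound amount, crosses the approval boundary without a human, or lacks an owner and revocation path in the inventory.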
👉 Read our full editorial: Identity security in 2025 moved from access to governed action