How should universities govern NHI sprawl without blocking research?


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 85
Topic starter  

TL;DR: Higher education faces identity-driven exposure because access often outlives roles, is granted through fragmented systems, and now extends to non-human identities and AI agents, according to SailPoint. The governing problem is not openness itself but the absence of adaptive lifecycle control, visibility, and least privilege across distributed campus environments.

NHIMG editorial — based on content published by SailPoint: The hidden crisis in higher education, why adaptive identity is a strategic priority

By the numbers:

Questions worth separating out

Q: How should universities govern non-human identities without slowing collaboration?

A: Universities should govern non-human identities by tying every credential to an owner, purpose, and expiry condition.

Q: Why do shared accounts create such a large security problem in higher education?

A: Shared accounts remove attribution, weaken accountability, and make it hard to prove whether access is still legitimate.

Q: What is the difference between access review and lifecycle governance for NHI risk?

A: Access review checks whether permissions still look reasonable at a point in time, while lifecycle governance manages the entire identity from creation to offboarding.

Practitioner guidance

  • Inventory all non-human identities in research and operations: Create a single register for service accounts, API keys, tokens, certificates, and autonomous agents.
  • Automate offboarding across academic and contractor roles: Connect HR, student, and research affiliation changes to immediate deprovisioning workflows.
  • Eliminate shared accounts where attribution matters: Replace communal logins in labs, libraries, and specialist systems with named identities and delegated access.

Universities should therefore inventory secrets in the same control plane as user access and audit trails?

👉 Read SailPoint's analysis of adaptive identity risks in higher education →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

Adaptive identity is now the correct control model for higher education. Static rules fail when access changes every term, every project, and every collaboration cycle. Universities need governance that responds to affiliation, risk, and task context, not just initial approval. The practitioner conclusion is simple: if access cannot adapt, it will drift into exposure.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: When should institutions treat AI agents as identities rather than tools?

A: Institutions should treat AI agents as identities when the agent can authenticate, call APIs, move data, or take action without a person supervising each step. At that point, the agent affects access decisions and must be governed with the same ownership, logging, and revocation discipline as other non-human identities.

👉 Read our full editorial: Adaptive identity governance for higher education NHI risk



   