TL;DR: Service accounts, OAuth apps, access keys, and AI agents all sit on the same identity layer, and just-in-time credentialing does not stop a prompt-injected agent from acting with perfectly scoped access, according to Clutch Security. The real issue is that identity governance still treats credentials as static when runtime intent and lineage now matter more than rotation cadence.
NHIMG editorial — based on content published by Clutch Security: From NHI Security to the Identity Platform for Everything That Isn't a Person
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams govern AI agents that use non-human identities?
A: Security teams should govern AI agents through the same identity controls used for other non-human identities, but with added attention to runtime delegation and tool use.
Q: Why do just-in-time credentials not fully solve agentic AI risk?
A: Just-in-time credentials reduce standing exposure, but they do not validate the agent’s intent or prevent malicious instruction manipulation.
Q: What breaks when identity governance treats service accounts as static assets?
A: Static treatment breaks ownership, review, and revocation: nobody is accountable for the identity once its creator moves on, nobody re-examines what it can reach as systems change, and nobody can revoke it with confidence because the dependencies were never recorded.
Practitioner guidance
- Map identity lineage for every non-human credential: trace each service account, API key, OAuth app, and agent token back to its owner, origin, storage location, and reachable systems.
- Separate trust from expiry in your control design: use short-lived credentials where appropriate, but do not treat expiration as proof of trust.
- Review agent deployment paths outside security approval flows: find where developers can introduce agents, tokens, or workload identities without explicit security ownership.
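The three steps above, worked as a small lineage model. This is an added example, not code from Clutch Security or NHIMG: the inventory, the identity names, the lineage attributes and the policy thresholds (a one-hour expiry window, a 90-day age limit) are all constructed assumptions. Each identity records its owner, origin, storage location and what it can reach; the graph then answers the questions the guidance asks: how far a compromise travels (blast radius), which credentials are being trusted only because they expire soon, which agents arrived with no security ownership, and which long-lived credentials are past their rotation limit.

```python
"""Identity lineage over a constructed NHI inventory (added example, not the
page's or Clutch Security's code; all names, attributes and thresholds are
illustrative assumptions)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Identity:
    """One non-human identity plus the lineage attributes the guidance asks for."""
    id: str
    kind: str                   # service_account | api_key | oauth_app | agent
    owner: str | None           # accountable person or team; None means orphaned
    origin: str                 # how it was minted: IaC, console, a developer laptop
    storage: str                # where the secret actually lives
    created_at: datetime
    expires_at: datetime | None = None
    security_reviewed: bool = False           # passed an explicit security approval flow
    reaches: set[str] = field(default_factory=set)  # identities it can assume or systems it can touch


class LineageGraph:
    def __init__(self, identities: list[Identity]) -> None:
        self.by_id = {i.id: i for i in identities}

    def blast_radius(self, start: str) -> set[str]:
        """Everything reachable if `start` is compromised, following assumption
        edges transitively. Plain systems (not in the inventory) are leaves."""
        seen: set[str] = set()
        queue = deque([start])
        while queue:
            ident = self.by_id.get(queue.popleft())
            if ident is None:
                continue
            for target in sorted(ident.reaches):
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
        return seen

    def orphans(self) -> list[str]:
        """Credentials nobody is accountable for: review and revocation have no owner."""
        return sorted(i.id for i in self.by_id.values() if i.owner is None)

    def unreviewed(self, kinds: tuple[str, ...] = ("agent",)) -> list[str]:
        """Identities of the given kinds that bypassed security approval."""
        return sorted(i.id for i in self.by_id.values()
                      if i.kind in kinds and not i.security_reviewed)

    def expiry_as_trust(self, now: datetime, window: timedelta = timedelta(hours=1)) -> list[str]:
        """Short-lived credentials that are nevertheless unowned or unreviewed:
        a near expiry is being treated as if it were proof of trust."""
        return sorted(i.id for i in self.by_id.values()
                      if i.expires_at is not None and i.expires_at - now <= window
                      and (i.owner is None or not i.security_reviewed))

    def stale(self, now: datetime, max_age: timedelta = timedelta(days=90)) -> list[str]:
        """Never-expiring credentials older than the rotation limit."""
        return sorted(i.id for i in self.by_id.values()
                      if i.expires_at is None and now - i.created_at > max_age)


NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example


def build_sample_inventory() -> list[Identity]:
    """Constructed inventory: one healthy service account, one orphaned legacy key,
    one OAuth app, and an agent a developer deployed from a laptop."""
    return [
        Identity("sa-crm-writer", "service_account", "crm-team", "terraform:modules/crm",
                 "vault:kv/crm/sa", NOW - timedelta(days=20), None, True, {"crm-db"}),
        Identity("key-legacy-export", "api_key", None, "console:2019", "ci:repo-secret",
                 NOW - timedelta(days=900), None, False, {"crm-db", "s3-exports"}),
        Identity("oauth-slack-bot", "oauth_app", "it-ops", "slack:app-manifest",
                 "app-config", NOW - timedelta(days=200), None, True, {"slack-workspace"}),
        # Agent token lives 15 minutes (just-in-time), but it can assume the CRM
        # service account and the Slack app, and nobody in security approved it.
        Identity("agent-support-bot", "agent", "alice", "dev-laptop", "env-var:runner",
                 NOW - timedelta(days=1), NOW + timedelta(minutes=15), False,
                 {"sa-crm-writer", "oauth-slack-bot"}),
    ]


def lineage_report(graph: LineageGraph, now: datetime) -> dict[str, object]:
    """The findings a lineage-aware review produces from the inventory."""
    return {
        "agent_blast_radius": graph.blast_radius("agent-support-bot"),
        "orphans": graph.orphans(),
        "unreviewed_agents": graph.unreviewed(),
        "expiry_treated_as_trust": graph.expiry_as_trust(now),
        "stale_long_lived": graph.stale(now),
    }


if __name__ == "__main__":
    for finding, value in lineage_report(LineageGraph(build_sample_inventory()), NOW).items():
        print(f"{finding}: {value}")
```

The blast-radius walk is what a flat inventory cannot give you: the agent's token expires in fifteen minutes, yet through the CRM service account it reaches the CRM database for as long as that account's standing credential lives, which is exactly why expiry alone says nothing about trust.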
What's in the full article
Clutch Security's full analysis covers the operational detail this post intentionally leaves for the source:
- How the Identity Lineage® model is applied across service accounts, secrets, and agent access paths
- Why the vendor argues that periodic rotation is the wrong answer at scale for modern NHI estates
- Examples of how practitioners can think about agentic AI security as an extension of the credential layer
- The product framing behind the three-pillar model for NHI, secrets, and agentic AI security
👉 Read Clutch Security's analysis of identity lineage for NHI and agentic AI →
Explore further
Identity as a continuum: are NHI controls ready for AI agents?
Identity lineage is the control model that current NHI inventories have been missing. Flat lists of keys and service accounts do not explain who created an identity, what it can reach, or how far compromise can move. Clutch Security is right to centre lineage because governance without relationship context is only partial visibility. Practitioners should treat lineage as the baseline for any credible NHI programme.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do human IAM and NHI governance differ when agents are involved?
A: Human IAM focuses on interactive authentication, assurance, and user experience. NHI governance focuses on delegated access, credential lifecycle, and blast radius. When agents are involved, the two models meet at the delegation chain, so practitioners must govern both the human sponsor and the non-human actor.
👉 Read our full editorial: Identity as a continuum: what NHI governance means for agents