Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

NHI sprawl across cloud and AI: what do teams need to govern?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: As enterprises spread workloads across hybrid cloud, containers, and agentic AI, non-human identities now make up more than 98% of identities and traditional IAM cannot keep pace, according to Token Security. The governing assumption has changed: identity is no longer a stable record to review, but a fast-moving data problem that must be correlated before remediation is safe.

NHIMG editorial — based on content published by Token Security: Securing non-human identities across cloud and agentic AI

By the numbers:

  • Organizations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
  • Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.

Questions worth separating out

Q: How should security teams govern non-human identities across hybrid cloud environments?

A: Start with a single inventory that ties each non-human identity to its owner, creation source, runtime use, and secret state.

Q: Why do service accounts and tokens create more risk in cloud-native environments?

A: They are often created faster than teams can review them, reused across systems, and left with permissions that outlive the workload they support.

Q: What breaks when AI agents use unmanaged credentials?

A: The governance model breaks because the same credential can be used by an actor that changes tools, actions, and timing at runtime.

Practitioner guidance

  • Build one authoritative NHI inventory Link each service account, token, API credential, and workload identity to the system that created it, the team that owns it, and the runtime it serves.
  • Correlate runtime use before automating remediation Trace how each identity is actually consumed across cloud, container, and CI/CD environments before disabling it or narrowing access.
  • Separate ephemeral workloads from static access patterns Treat short-lived containers, serverless functions, and agentic workflows as a distinct governance class with tighter scope and shorter credential lifetimes.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A walkthrough of the NHI Risk Graph architecture and how it correlates identity creation, runtime use, and secret exposure.
  • Examples of automation campaigns for zero trust cleanup, shadow AI discovery, and secret sprawl control.
  • Details on remediation intelligence, including ownership mapping, infrastructure linkage, and usage-impact simulation.
  • Platform integrations across AWS, Azure, GCP, Kubernetes, CI/CD, secrets managers, and SIEM tooling.

👉 Read Token Security's analysis of NHI security across cloud and agentic AI →

NHI sprawl across cloud and AI: what do teams need to govern?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

NHI governance has become a correlation discipline, not an inventory discipline. The article is right to center unified telemetry, because distributed identity systems fail first at linkage, not at storage. When ownership, runtime use, secret state, and infrastructure dependency live in different tools, remediation decisions are made with incomplete context. Practitioners need to treat correlation depth as a governance control in its own right.

A few things that frame the scale:

  • Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • Another finding from that survey shows that 70% of organizations grant AI systems more access than they would give a human employee performing the exact same job, which is a direct warning sign for identity teams.

A question worth separating out:

Q: Who should own NHI lifecycle decisions in a large enterprise?

A: Ownership should sit with the team that can answer three questions: who created the identity, what workload or agent uses it, and what will fail if it is removed. In practice, that means platform, identity, and application teams must share responsibility for lifecycle control.

👉 Read our full editorial: Token Security's NHI governance model for cloud and AI sprawl



   
ReplyQuote
Share: