TL;DR: NHIs already outnumber human users by 500:1 in some environments, and credential abuse remains a leading attack vector, yet a 2026 Gravitee survey found that only 24.4% of organisations have full visibility into their AI agents, according to Saviynt and the research it cites. Identity governance now has to handle two populations with different control assumptions: predictable machine identities and agents that decide what to do at runtime.
NHIMG editorial — based on content published by Saviynt: NHIs vs. AI Agents: Why Your Identity Program Needs to See Both
By the numbers:
- The vast majority of NHIs sit completely outside formal governance programs, with machine-to-human ratios reaching 500:1.
- Only 24.4% of organizations have full visibility into which AI agents are communicating with each other.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern AI agents and NHIs differently?
A: Security teams should govern NHIs as predictable machine identities and AI agents as runtime actors that can alter behaviour after authentication.
Q: Why do AI agents create more risk than service accounts?
A: AI agents create more risk because they can decide which tools to use, which systems to query, and when to act, often within one workflow.
Q: What breaks when AI agents are managed like ordinary machine identities?
A: What breaks is the assumption that access scope can be fully understood from provisioning data and quarterly review.
Practitioner guidance
- Inventory AI agents separately from NHIs: maintain a distinct register for agents, service accounts, tokens, and certificates so predictable machine identities are not mixed with runtime-deciding systems.
- Map delegation chains end to end: trace agent-to-agent and agent-to-tool handoffs so every credential creation, session, and downstream action has attributable context.
- Separate policy scoping from behaviour monitoring: use static entitlements for NHI accounts, but add runtime monitoring for agents that can choose tools or adjust execution paths.
What's in the full article
Saviynt's full blog post covers the operational detail this post intentionally leaves for the source:
- How the vendor maps AI agents to identity control-plane decisions across discovery, governance, and monitoring.
- The article's practical checklist for distinguishing service-account behaviour from agent behaviour in live environments.
- Examples of how agent-to-agent handoffs and MCP-linked tool access change audit and ownership workflows.
- The source discussion of visibility gaps and lifecycle questions that implementation teams will need when they move from strategy to control design.
👉 Read Saviynt's analysis of NHIs vs. AI agents and identity governance →
NHIs vs. AI agents: are your identity controls keeping up?
Predictable machine identity and autonomous agent identity are not governable with the same assumptions. NHIs can usually be scoped at provision time because their behaviour is repeatable and bounded. AI agents alter that premise by selecting tools and action paths at runtime, which means the governance model has to distinguish identity type before it can distinguish control type. Practitioners should stop treating all non-human access as one category.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: How can organisations tell whether an AI agent is acting outside its intended scope?
A: Organisations should look for behaviour that crosses expected tool boundaries, generates unusual credentials, or chains actions across systems that are not part of the original task. The signal is not simply high activity. It is a change in action pattern, delegation, or downstream access context.
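The three signals in that answer, checked against a provision-time scope, as an added example (not code from Saviynt or NHIMG); the policy, agent names, event format and helper names are constructed for illustration:

```python
# Constructed sample policy: the static, provision-time scope for one agent
# (hypothetical names; not Saviynt's data model or any product API).
AGENT_POLICY = {
    "agent-billing-01": {
        "allowed_tools": {"invoice_search", "ledger_read"},
        "allowed_systems": {"billing-db"},
        "may_delegate_to": set(),        # no agent-to-agent handoffs expected
        "may_issue_credentials": False,
    },
}

# Constructed runtime activity for one workflow (task T1).
EVENTS = [
    {"actor": "agent-billing-01", "event": "tool_call", "tool": "invoice_search", "system": "billing-db", "task": "T1"},
    {"actor": "agent-billing-01", "event": "tool_call", "tool": "ledger_read", "system": "billing-db", "task": "T1"},
    {"actor": "agent-billing-01", "event": "tool_call", "tool": "ledger_read", "system": "billing-db", "task": "T1"},
    {"actor": "agent-billing-01", "event": "credential_issue", "system": "iam", "task": "T1", "detail": "temp-token"},
    {"actor": "agent-billing-01", "event": "delegate", "task": "T1", "detail": "agent-export-07"},
    {"actor": "agent-export-07", "event": "tool_call", "tool": "s3_put", "system": "archive-bucket", "task": "T1"},
]


def review_agent_activity(policy, events):
    """Flag the three signals the editorial names. Each finding carries the
    delegation context so downstream actions stay attributable to the agent
    that started the task; repeated in-scope calls produce nothing."""
    findings = []
    delegated_by = {}  # delegate -> delegator, built as handoffs are observed
    for e in events:
        actor = e["actor"]
        # walk the delegation chain back to the originating agent; actions taken
        # on its behalf are judged against that agent's provision-time scope
        origin = actor
        while origin in delegated_by:
            origin = delegated_by[origin]
        context = actor if origin == actor else f"{actor} (delegated from {origin})"
        scope = policy.get(origin)
        if scope is None:
            findings.append(("unknown_agent", context, e))  # not in the register
            continue
        if e["event"] == "tool_call":
            if e["tool"] not in scope["allowed_tools"] or e["system"] not in scope["allowed_systems"]:
                findings.append(("tool_boundary_crossed", context, e))
        elif e["event"] == "credential_issue" and not scope["may_issue_credentials"]:
            findings.append(("unexpected_credential", context, e))
        elif e["event"] == "delegate":
            delegated_by[e["detail"]] = actor
            if e["detail"] not in scope["may_delegate_to"]:
                findings.append(("unexpected_delegation", context, e))
    return findings
```

Run against the sample, the three in-scope lookups raise nothing; the token issuance, the handoff, and the delegate's write to a system outside the original task each produce one finding, the last attributed back to agent-billing-01.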
👉 Read our full editorial: NHIs vs. AI agents: why identity governance must see both