Saviynt's identity cloud for NHI and AI agents: what changes now


(@saviynt)
Reputable Member
Joined: 8 months ago
Posts: 133
Topic starter  

TL;DR: Identity tooling is converging around NHI and agent governance rather than separate control planes, according to Saviynt. The practical issue is not product breadth but whether identity teams can enforce lifecycle, privilege, and delegation controls across machine and agent identities at runtime.

NHIMG editorial — based on content published by Saviynt: Explore Saviynt's latest developments in identity, NHI, and AI agent governance

Questions worth separating out

Q: How should security teams govern AI agents that rely on non-human credentials?

A: Security teams should govern the agent and the credential as a linked control set.

Q: Why do AI agents complicate least privilege for identity teams?

A: AI agents complicate least privilege because their runtime choices are not always known at provisioning time.

Q: What breaks when machine identities are treated like human accounts?

A: What breaks is the lifecycle model.

Practitioner guidance

  • Separate identity issuance from runtime authority: Define which permissions are granted at provisioning time and which are authorized only at execution time.
  • Trace agent access back to the underlying NHI: For every AI agent or tool-connected workflow, record the service account, token, or certificate that actually executes the action.
  • Shorten entitlement exposure windows: Use task-scoped access, automatic expiry, and revocation evidence for machine and agent credentials.

What's in the full article

Saviynt's full newsroom post covers the operational detail this post intentionally leaves for the source:

  • The exact product areas grouped under Saviynt's identity cloud, including AI-powered identity, NHI, PAM, and ISPM for AI agents.
  • How Saviynt positions MCP Server in relation to AI-agent access and tool connectivity.
  • The vendor's own description of the use cases it wants to support across human and non-human access governance.
  • The broader newsroom context around strategic partnerships, solution enhancements, and platform announcements.

👉 Read Saviynt's newsroom update on identity cloud, NHI, and AI agent governance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8126
 

Identity platforms are collapsing toward a shared governance layer for humans, NHIs, and AI agents. Saviynt's framing reflects a wider market shift: the same control plane is now expected to handle people, service accounts, workload identities, and agentic access. That matters because privilege, lifecycle, and audit questions no longer stop at one actor type. Practitioners should expect identity governance to become more consolidated, not more specialised.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: How do teams decide whether MCP-connected access needs extra controls?

A: Teams should apply extra controls whenever a protocol exposes tools or data that can be selected at runtime. MCP-connected access needs explicit scope checks, logging, and revocation because the protocol widens the identity boundary beyond authentication. If the tool can act on privileged data, the connection should be governed like a sensitive access path.

👉 Read our full editorial: Saviynt's identity cloud puts NHI and agent governance in focus



   
ReplyQuote
Share:
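The practitioner guidance in the first post and the scope, logging, and revocation checks from the MCP answer in the reply, combined in one added example (not Saviynt's or NHIMG's code). All class, field, and identifier names are hypothetical, and the sample values are constructed.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Task-scoped runtime authority, separate from what the NHI was provisioned with."""
    grant_id: str
    agent_id: str
    nhi_id: str          # service account, token or certificate that executes the action
    tools: frozenset     # tools this task may call
    expires_at: float    # epoch seconds; automatic expiry

class RuntimeAuthorizer:
    def __init__(self, provisioned):
        self.provisioned = provisioned  # nhi_id -> tools grantable at provisioning time
        self.grants, self.revoked, self.audit = {}, {}, []

    def issue(self, grant_id, agent_id, nhi_id, tools, ttl, now=None):
        now = time.time() if now is None else now
        excess = set(tools) - set(self.provisioned.get(nhi_id, ()))
        if excess:  # runtime authority can never exceed the provisioned ceiling
            raise PermissionError(f"{nhi_id} not provisioned for {sorted(excess)}")
        self.grants[grant_id] = Grant(grant_id, agent_id, nhi_id, frozenset(tools), now + ttl)
        return self.grants[grant_id]

    def revoke(self, grant_id, now=None):
        # The stored timestamp is the revocation evidence.
        self.revoked[grant_id] = time.time() if now is None else now

    def authorize(self, grant_id, agent_id, tool, now=None):
        now = time.time() if now is None else now
        g = self.grants.get(grant_id)
        if g is None or g.agent_id != agent_id:
            decision = "unknown_grant"
        elif grant_id in self.revoked:
            decision = "revoked"
        elif now >= g.expires_at:
            decision = "expired"
        elif tool not in g.tools:
            decision = "out_of_scope"
        else:
            decision = "allow"
        # Every decision is logged against the NHI that would execute the call.
        self.audit.append({"ts": now, "agent": agent_id, "nhi": g.nhi_id if g else None,
                           "grant": grant_id, "tool": tool, "decision": decision})
        return decision == "allow"

if __name__ == "__main__":  # constructed sample data
    az = RuntimeAuthorizer({"svc-reporting": {"read_tickets", "export_report"}})
    az.issue("g1", "agent-7", "svc-reporting", ["read_tickets"], ttl=300)
    print(az.authorize("g1", "agent-7", "export_report"), az.audit[-1])
```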