TL;DR: Hybrid and multi-cloud environments are multiplying non-human identities, with Gartner cited in the source article as forecasting nearly 45% growth in machine identities over two years, while mismanaged service accounts, API keys, and pipeline tokens widen the attack surface. The governance problem is not just volume, but inconsistent placement, visibility, and privilege control across machine identities.
NHIMG editorial — based on content published by Unosecur: Securing non-human identities in hybrid environments, Part 1
Questions worth separating out
Q: How should security teams govern service accounts in hybrid environments?
A: Security teams should treat service accounts as governed assets, not convenience credentials.
Q: Why do API keys and service accounts create different risk patterns?
A: API keys usually expose integration access, while service accounts often sit deeper in infrastructure and can inherit broader permissions.
Q: What breaks when machine identities are not inventoried across cloud and on-prem systems?
A: Without a complete inventory, teams cannot see where credentials live, which services depend on them, or who is responsible for removing them.
Practitioner guidance
- Create a placement inventory for every non-human identity Map service accounts, API keys, container identities, pipeline tokens, and device IDs to the systems they authenticate, the data they can reach, and the team responsible for them.
- Separate shared service accounts into workload-specific identities Replace reused credentials with workload-specific accounts where possible, then document ownership so revocation and offboarding can happen without guessing which service still depends on the account.
- Move hardcoded secrets out of code and into managed controls Scan repositories and CI/CD systems for embedded credentials, then migrate them to a secrets manager or managed identity pattern with explicit rotation and expiry handling.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Examples of each NHI type in cloud, on-premises, CI/CD, container, and IoT environments
- The article's own incident examples showing how exposed keys and shared service accounts are exploited
- Practical placement guidance for teams deciding where machine identities should live and who should manage them
👉 Read Unosecur's blog on securing non-human identities in hybrid environments →
NHI placement in hybrid environments: what teams are missing?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Machine identity placement is now a governance problem, not an inventory problem. The article shows that NHIs live across cloud, on-prem, container, CI/CD, and IoT estates, which means teams are really governing where trust is instantiated, not just how many credentials exist. That shifts the identity conversation from discovery alone to placement-aware governance. Practitioners should treat placement as part of entitlement design, not as a postscript.
A few things that frame the scale:
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
A question worth separating out:
Q: Who should own non-human identity lifecycle decisions in the enterprise?
A: Ownership should sit with the team that runs the workload, with IAM or security providing policy and oversight. If nobody owns the lifecycle, credentials persist after projects change, services are retired, or teams reorganise. Clear accountability matters because NHI governance fails fastest when access remains live after the business reason for it has disappeared.
👉 Read our full editorial: Securing non-human identities in hybrid environments