Notifications
Clear all
Topic starter
06/06/2026 2:02 am
TL;DR: Non-human identities now outnumber human identities by 20 to 40 times, and Oasis Security says AI adoption is widening machine-identity risk through LLMjacking and regulated-industry scrutiny under PCI DSS 4.0. The governing assumption is breaking: access models built for slower human review cycles cannot keep pace with high-volume NHI estates.
NHIMG editorial — based on content published by Oasis Security: Reflecting on our journey at Oasis and looking ahead
By the numbers:
- NHIs have exploded in numbers, now outpacing human identities by 20 to 40 times.
Questions worth separating out
Q: How should security teams govern non-human identities at enterprise scale?
A: Security teams should govern NHIs by linking each identity to an owner, a business purpose, and a lifecycle state.
Q: Why do machine identities create more risk than human accounts in many environments?
A: Machine identities often outnumber human users by a wide margin, change faster, and are less visible to traditional governance processes.
Q: What do security teams get wrong about AI access risk?
A: Many teams focus on the model while ignoring the identity path that reaches it.
Practitioner guidance
- Map every high-value machine identity to an owner and purpose Require a named business or technical owner for every service account, token, and API key that touches sensitive systems.
- Classify AI-access credentials as privileged NHI assets Separate credentials that can reach LLMs, agents, or AI pipelines from ordinary application secrets.
- Align privileged account governance to PCI DSS evidence needs Document least-privilege decisions, interactive-login restrictions, and account purpose for system and application accounts before audit season.
What's in the full article
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The four-engine operating model for discovery, context reconstruction, ownership discovery, and policy-driven BYOI orchestration.
- The article's view on how automated rotation and attestation fit into a broader NHI management workflow.
- The PCI DSS 4.0 framing for system and application accounts with elevated privileges.
- The author's 2025 predictions for AI-driven NHI risk and regulated-sector scrutiny.
👉 Read Oasis Security's reflection on NHI growth, compliance pressure, and LLMjacking risk →
NHI proliferation and LLMjacking: what IAM teams need to know?
Explore further
06/06/2026 3:30 am
Machine identity sprawl is now the primary scaling failure in identity governance. The article’s 20 to 40 times ratio is not just a volume statistic, it describes a structural mismatch between the pace of machine identity creation and the cadence of human-led governance. When NHIs multiply faster than teams can assign ownership, the control surface becomes opaque. The practitioner conclusion is simple: governance programmes that still assume small, manually managed inventories are already mis-sized for the environment they now face.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How can regulated industries prove NHI governance is actually working?
A: They should be able to show who owns each privileged machine identity, why it exists, what it can access, and when it will be removed. Audit evidence should also demonstrate that least privilege, login restrictions, and revocation processes are operating consistently, not just documented on paper.
👉 Read our full editorial: NHI proliferation and LLMjacking are reshaping identity governance
