
NHI visibility and lifecycle control: what teams need to fix first


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Non-human identities are multiplying across cloud, SaaS, DevOps, AI, and third-party integrations, yet many organisations still lack visibility, ownership, and lifecycle control, according to Oasis Security. The real issue is not just secret sprawl but governance built for identities that are easier to inventory than machine accounts with on-demand creation and hidden dependencies.

NHIMG editorial — based on content published by Oasis Security: Breaking Down Non Human Identity Security: 5 Critical Challenges in 2025

By the numbers:

Questions worth separating out

Q: How should security teams handle non-human identity sprawl in cloud and SaaS environments?

A: Security teams should start with discovery that spans cloud, SaaS, code, and automation systems, because NHI sprawl rarely exists in one place.

Q: Why do service accounts and API keys create more governance risk than human identities?

A: Service accounts and API keys are often created outside formal identity workflows, reused across systems, and left active after the original need changes.

Q: What breaks when secrets are hardcoded into DevOps pipelines?

A: Hardcoded secrets break rotation, ownership, and offboarding at the same time.

Practitioner guidance

  • Inventory machine identities across every control plane: Scan cloud accounts, SaaS platforms, CI/CD systems, and legacy environments together so service accounts, API keys, and tokens are all captured in one governed inventory.
  • Bind each NHI to ownership and expiry: Assign a named owner, purpose, and review date to every discovered machine identity so orphaned credentials can be identified before they become permanent dependencies.
  • Move pipeline secrets out of code: Replace hardcoded credentials in repositories and automation tooling with vault-managed secrets and rotation policies that can be enforced without manual exceptions.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps NHI discovery across cloud, SaaS, DevOps, AI, legacy, and third-party environments
  • The specific strategic approaches the vendor recommends for visibility, secrets management, and lifecycle governance
  • The vendor's implementation framing for policy-driven governance across hybrid and multi-cloud environments
  • Examples of how the vendor positions NHI risk as a security and operational issue, not only an IT issue

👉 Read Oasis Security's breakdown of the five critical NHI security challenges in 2025 →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Visibility failure is the foundational NHI governance gap. If a team cannot enumerate its service accounts, API keys, and automation identities, it cannot govern them. That is not an operational inconvenience; it is a structural break in IAM control design. The broader implication is that directory-based governance is incomplete for modern machine estates, and practitioners need identity inventory to become a live security control, not a periodic audit artifact.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: Who is accountable when a third-party integration keeps an NHI active after the business need ends?

A: The accountable organisation is the one that allowed the external identity to retain access without an offboarding process. Third-party machine identities should have explicit owners, review dates, and revocation criteria so access does not outlive the relationship or the operational purpose.

👉 Read our full editorial: Non-human identity security in 2025 is a visibility and governance gap


