Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Non-human identity blind spots: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Non-human identities now outnumber human users 82 to 1 in the first half of 2025, and 50% of organisations reported NHI-linked breaches in the past twelve months, according to CyberArk and NHIMG. The governance problem is not volume alone but unmanaged credentials, missing ownership, and controls that still assume human-paced access patterns.

NHIMG editorial — based on content published by Soffid: Non-human identities as the hidden risk in modern cybersecurity

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities alongside human accounts?

A: Security teams should govern non-human identities in the same identity programme as human accounts, but with controls tuned to machine behaviour.

Q: Why do machine identities create more risk than many teams expect?

A: Machine identities create more risk because they are numerous, persistent, and often invisible to standard access review processes.

Q: What do organisations get wrong about vaulting secrets?

A: Organisations often treat vaulting as the finish line when it is only one control in the chain.

Practitioner guidance

  • Build a complete NHI inventory Map service accounts, API keys, tokens, and certificates to owners, business purpose, and system scope.
  • Tie rotation to lifecycle ownership Require each machine credential to have an owner, rotation cadence, and retirement trigger.
  • Reduce privilege before a secret is exposed Review every non-human identity for access that exceeds its task scope, then remove standing permissions that exist only to avoid operational friction.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • The article's own framing of why NHIs sit outside traditional controls in many environments.
  • The practical examples of how centralised IAM, PAM, and IGA are positioned to reduce blind spots.
  • The vendor's description of vaulting, automatic rotation, least privilege, and sanitised logging as a combined operating model.

👉 Read Soffid's article on non-human identity blind spots in modern cybersecurity →

Non-human identity blind spots: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

NHI sprawl is the control problem, not just the inventory problem. The article correctly points to proliferation, but the deeper issue is that identity programmes still treat many machine credentials as operational clutter rather than governed identities. Once service accounts and tokens outnumber human users at scale, unmanaged access becomes a structural risk, not an exception. Practitioners should treat visibility as a prerequisite to policy enforcement, not a dashboard metric.

A few things that frame the scale:

A question worth separating out:

Q: Which framework should teams use for non-human identity governance?

A: OWASP NHI guidance is the most direct starting point for machine identity governance, with NIST CSF useful for linking discovery, protection, detection, and response. Teams should use the framework to structure inventory, rotation, and access review work rather than treating NHI as an isolated technical problem.

👉 Read our full editorial: Non-human identity blind spots are widening enterprise attack surface



   
ReplyQuote
Share: