TL;DR: Non-human identities now outnumber human users 82 to 1 in the first half of 2025, and 50% of organisations reported NHI-linked breaches in the past twelve months, according to CyberArk and NHIMG. The governance problem is not volume alone but unmanaged credentials, missing ownership, and controls that still assume human-paced access patterns.
NHIMG editorial — based on content published by Soffid: Non-human identities as the hidden risk in modern cybersecurity
By the numbers:
- In the first half of 2025, non-human identities outnumbered human users by a ratio of 82 to 1, according to CyberArk.
- 77% acknowledge that every undiscovered machine identity is a latent vulnerability, according to CyberArk.
Questions worth separating out
Q: How should security teams govern non-human identities alongside human accounts?
A: Security teams should govern non-human identities in the same identity programme as human accounts, but with controls tuned to machine behaviour.
Q: Why do machine identities create more risk than many teams expect?
A: Machine identities create more risk because they are numerous, persistent, and often invisible to standard access review processes.
Q: What do organisations get wrong about vaulting secrets?
A: Organisations often treat vaulting as the finish line when it is only one control in the chain.
Practitioner guidance
- Build a complete NHI inventory Map service accounts, API keys, tokens, and certificates to owners, business purpose, and system scope.
- Tie rotation to lifecycle ownership Require each machine credential to have an owner, rotation cadence, and retirement trigger.
- Reduce privilege before a secret is exposed Review every non-human identity for access that exceeds its task scope, then remove standing permissions that exist only to avoid operational friction.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- The article's own framing of why NHIs sit outside traditional controls in many environments.
- The practical examples of how centralised IAM, PAM, and IGA are positioned to reduce blind spots.
- The vendor's description of vaulting, automatic rotation, least privilege, and sanitised logging as a combined operating model.
👉 Read Soffid's article on non-human identity blind spots in modern cybersecurity →
Non-human identity blind spots: what IAM teams need to do now?
Explore further
NHI sprawl is the control problem, not just the inventory problem. The article correctly points to proliferation, but the deeper issue is that identity programmes still treat many machine credentials as operational clutter rather than governed identities. Once service accounts and tokens outnumber human users at scale, unmanaged access becomes a structural risk, not an exception. Practitioners should treat visibility as a prerequisite to policy enforcement, not a dashboard metric.
A few things that frame the scale:
- 50% of organisations have suffered breaches linked to non-human identities in the past twelve months, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Which framework should teams use for non-human identity governance?
A: OWASP NHI guidance is the most direct starting point for machine identity governance, with NIST CSF useful for linking discovery, protection, detection, and response. Teams should use the framework to structure inventory, rotation, and access review work rather than treating NHI as an isolated technical problem.
👉 Read our full editorial: Non-human identity blind spots are widening enterprise attack surface