Non-human identity security strategy: where teams keep falling short


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: NHIs are often over-privileged, poorly visible, and managed with weaker controls than human identities, and Cerbos cites examples spanning service workloads, OAuth apps, and AI agents alongside CyberArk findings that 50% of organisations saw machine-identity-linked breaches in the past year. The real issue is not simply more automation, but governance that assumes machines can be trusted without the same lifecycle, scoping, and audit discipline as people.

NHIMG editorial — based on content published by Cerbos: securing non-human identities in modern tech stacks

By the numbers:

Questions worth separating out

Q: How should security teams inventory non-human identities across the stack?

A: Start with a single discovery process that covers service accounts, API keys, certificates, OAuth apps, CI/CD secrets, and AI agents.

Q: When do short-lived credentials reduce NHI risk most effectively?

A: They help most when an organisation also has fast revocation, narrow scoping, and clean ownership for every identity.

Q: What do security teams get wrong about workload identity standards?

A: They often treat standards like SPIFFE or OIDC machine-to-machine support as a finished solution.

Practitioner guidance

  • Map every NHI domain into one inventory: include production service accounts, CI/CD secrets, OAuth applications, certificates, and AI agents in the same discovery process so owners, scopes, and runtime locations are visible in one place.
  • Set lifecycle metrics that expose weak controls: track the percentage of scoped short-lived credentials, time-to-revoke for compromised identities, orphaned account cleanup, and rotation coverage so governance decisions are based on measurable exposure.
  • Replace static secrets with standards-based workload identity: use SPIFFE, OIDC machine-to-machine patterns, or equivalent cryptographic identity approaches where platforms support them, and reserve shared secrets for the smallest possible exception set.
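The three guidance points above only become actionable once the inventory and the metrics are computed from the same data. The following script is an added example written for this post (it is not Cerbos' or NHIMG's code, and the inventory entries in it are constructed): it models a unified NHI inventory across the domains listed above and derives the lifecycle metrics named in the second bullet, plus the list of static-secret identities that the third bullet says should be an explicitly justified exception set. Field names, the 90-day rotation and usage windows, and the orphan definition are assumptions chosen for illustration.

```python
"""Lifecycle metrics over a unified NHI inventory (added example; data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional


@dataclass
class NHI:
    name: str
    kind: str                  # service_account | api_key | certificate | oauth_app | ci_secret | ai_agent
    owner: Optional[str]       # accountable team; None means nobody claims it
    scopes: tuple              # granted permissions; "*" means unscoped
    short_lived: bool          # credential expires on its own (token/SVID/cert) vs. a static secret
    last_rotated: datetime
    last_used: Optional[datetime]
    compromised_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


# Fixed "now" so the metrics are reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROTATION_WINDOW = timedelta(days=90)   # assumed policy: rotate at least every 90 days
USAGE_WINDOW = timedelta(days=90)      # assumed policy: unused for 90 days => orphan candidate


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed inventory covering every NHI domain from the guidance above.
INVENTORY = [
    NHI("payments-svc", "service_account", "payments", ("orders:read",), True, days_ago(1), days_ago(0)),
    NHI("legacy-batch", "service_account", None, ("*",), False, days_ago(400), days_ago(120)),
    NHI("gh-actions-deploy", "ci_secret", "platform", ("deploy:prod",), False, days_ago(30), days_ago(1),
        compromised_at=days_ago(10), revoked_at=days_ago(10) + timedelta(hours=2)),
    NHI("crm-connector", "oauth_app", "sales-eng", ("*",), True, days_ago(5), days_ago(2)),
    NHI("support-agent", "ai_agent", "support", ("tickets:read", "tickets:write"), True, days_ago(0), days_ago(3)),
    NHI("old-tls-cert", "certificate", "infra", ("tls:serve",), True, days_ago(200), days_ago(100),
        compromised_at=days_ago(50), revoked_at=days_ago(50) + timedelta(days=3)),
]


def is_scoped(nhi: NHI) -> bool:
    return bool(nhi.scopes) and "*" not in nhi.scopes


def scoped_short_lived_pct(inv: list) -> float:
    """Share of identities that are both narrowly scoped and short-lived (the target state)."""
    good = sum(1 for n in inv if n.short_lived and is_scoped(n))
    return round(100.0 * good / len(inv), 1)


def orphaned(inv: list) -> list:
    """Identities nobody owns, or that have not been used within the usage window."""
    return sorted(n.name for n in inv
                  if n.owner is None or n.last_used is None or NOW - n.last_used > USAGE_WINDOW)


def rotation_coverage_pct(inv: list) -> float:
    """Share of identities rotated within the policy window."""
    fresh = sum(1 for n in inv if NOW - n.last_rotated <= ROTATION_WINDOW)
    return round(100.0 * fresh / len(inv), 1)


def time_to_revoke_hours(inv: list) -> dict:
    """Median and worst-case hours between a compromise being known and revocation."""
    deltas = [(n.revoked_at - n.compromised_at).total_seconds() / 3600
              for n in inv if n.compromised_at and n.revoked_at]
    if not deltas:
        return {"median": None, "max": None}
    return {"median": median(deltas), "max": max(deltas)}


def static_secret_exceptions(inv: list) -> list:
    """Static secrets still in use; each should have a documented justification or a migration plan."""
    return sorted(n.name for n in inv if not n.short_lived)


def report(inv: list) -> dict:
    return {
        "scoped_short_lived_pct": scoped_short_lived_pct(inv),
        "orphaned": orphaned(inv),
        "rotation_coverage_pct": rotation_coverage_pct(inv),
        "time_to_revoke_hours": time_to_revoke_hours(inv),
        "static_secret_exceptions": static_secret_exceptions(inv),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY).items():
        print(f"{key}: {value}")
```

The value of putting all six kinds of identity in one structure is visible in the output: the unowned `legacy-batch` service account and the long-unused certificate surface in the same orphan list, the OAuth app shows that short-lived alone is not enough when the scope is `*`, and the revoke times expose the difference between a two-hour and a three-day response. Wiring the same functions to a real discovery feed (cloud IAM exports, a secrets manager, the OAuth app registry, an agent platform) is the step this example leaves to the reader.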

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • A six-step NHI security framework with practical sequencing from discovery through ownership
  • Examples of standards selection, including SPIFFE, WIMSE, SPICE, OIDC M2M, and FDO
  • The specific metrics Cerbos recommends for tracking rotation, revoke speed, and orphaned identities
  • A breakdown of how security, IAM, DevOps, and application teams split NHI responsibilities

👉 Read Cerbos' guide to securing non-human identities in modern enterprises →
