TL;DR: Nonhuman identities now outnumber human identities 144 to 1, and 97% carry excessive privileges while 71% are not rotated on time, according to Entro Security’s H1 2025 research. Human IAM controls do not map cleanly to machine identities, so governance has to shift toward lifecycle automation, granular scoping and just-in-time access.
NHIMG editorial — based on content published by Aembit: human and nonhuman identity controls and why they diverge
By the numbers:
- Nonhuman identities now outnumber human identities at a ratio of 144 to 1, according to Entro Security’s H1 2025 research, up from 92 to 1 just one year earlier.
- Entro’s research found that 97% of NHIs have excessive privileges and 71% are not rotated within recommended timeframes.
Questions worth separating out
Q: What breaks when organisations manage service accounts like human users?
A: Service accounts do not behave like people, so human IAM controls miss the real risks.
Q: Why do nonhuman identities increase lateral movement risk?
A: Nonhuman identities often carry broad, persistent access across cloud, SaaS and automation environments.
Q: How do security teams know if NHI controls are actually working?
A: Look for evidence that every machine identity has a named owner, a scoped purpose, and an expiry or revocation path.
Practitioner guidance
- Classify nonhuman identities separately from user accounts: create a distinct inventory for service accounts, API tokens, OAuth keys, automation credentials and AI agent identities.
- Reduce standing privilege before expanding discovery: review the highest-value databases, APIs and SaaS integrations first, then remove excess entitlements and narrow scopes before you attempt full estate cleanup.
- Automate lifecycle controls for every machine credential: enforce creation, renewal, expiry and revocation workflows for secrets that back NHIs.
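As an added example (not code from the Aembit article or this editorial), a small Python audit that runs over a separate NHI inventory and flags identities missing the evidence named above: a named owner, a scoped purpose, an expiry or revocation path, timely rotation, and no standing wildcard privilege. The inventory records, identifiers, dates and the 90-day rotation threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (hypothetical identifiers and dates, not real data).
# Each record carries the evidence the guidance asks for: owner, purpose, expiry,
# last rotation and scopes, across the identity kinds the article lists.
INVENTORY = [
    {"id": "svc-billing-db", "kind": "service_account", "owner": "payments-team",
     "purpose": "read billing DB", "expires": date(2025, 12, 31),
     "last_rotated": date(2025, 5, 1), "scopes": ["db:read"]},
    {"id": "tok-ci-deploy", "kind": "api_token", "owner": None,
     "purpose": "deploy to prod", "expires": None,
     "last_rotated": date(2024, 11, 15), "scopes": ["deploy", "admin:*"]},
    {"id": "oauth-crm-sync", "kind": "oauth_client", "owner": "sales-eng",
     "purpose": "", "expires": date(2025, 3, 1),
     "last_rotated": date(2025, 2, 1), "scopes": ["crm:write"]},
    {"id": "agent-ticket-summariser", "kind": "ai_agent", "owner": "ai-platform",
     "purpose": "summarise support tickets", "expires": date(2025, 9, 30),
     "last_rotated": None, "scopes": ["tickets:read"]},
]
AS_OF = date(2025, 6, 30)  # constructed audit date

def audit(inventory, today, rotation_max_days=90):
    """Return {identity id: [control gaps]} for every NHI failing a check."""
    findings = {}
    for nhi in inventory:
        gaps = []
        if not nhi.get("owner"):
            gaps.append("no named owner")
        if not nhi.get("purpose"):
            gaps.append("no scoped purpose")
        if nhi.get("expires") is None:
            gaps.append("no expiry or revocation path")
        elif nhi["expires"] < today:
            gaps.append("expired but still present")
        rotated = nhi.get("last_rotated")
        if rotated is None:
            gaps.append("never rotated")
        elif (today - rotated).days > rotation_max_days:
            gaps.append("rotation overdue")
        # Wildcard or admin-level scopes are standing excess privilege.
        if any(s == "*" or s.endswith(":*") or s.startswith("admin")
               for s in nhi.get("scopes", [])):
            gaps.append("broad or wildcard scope")
        if gaps:
            findings[nhi["id"]] = gaps
    return findings

def share_with_gap(findings, inventory, gap):
    """Fraction of the inventory carrying one gap, e.g. 'rotation overdue'."""
    return sum(gap in g for g in findings.values()) / len(inventory)

FINDINGS = audit(INVENTORY, AS_OF)
```

`share_with_gap` gives the estate-level ratio that the Entro figures (97% over-privileged, 71% not rotated on time) are expressed in, so the same audit can track whether cleanup is moving the numbers.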
What's in the full article
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- Specific best-practice guidance for classifying and segmenting human versus nonhuman identities across SaaS and cloud estates
- Operational examples of granular access control, including workload-context policy enforcement for machine credentials
- Lifecycle automation guidance for provisioning, deprovisioning and revocation of NHIs at scale
- Authentication patterns for replacing long-lived secrets with identity- and posture-aware access decisions
Read Aembit's analysis of human and nonhuman identity controls: "Nonhuman identity sprawl: what IAM teams need to change now?"
Explore further
Human-centric IAM is no longer the default control plane for modern identity estates. The article shows that machine identities now outnumber human identities at a scale that changes governance priorities, not just inventory counts. Service accounts, tokens and automation credentials behave as infrastructure primitives, so treating them as a human IAM edge case guarantees blind spots. Practitioners should treat NHI governance as a primary discipline, not a sub-feature of user access management.
Identity programmes are entering an NHI-first phase: the practical question is no longer whether to separate human and machine governance, but how quickly to do it before sprawl outpaces review cycles. That shift matters because credentials, ownership and lifecycle now drive most of the operational risk, not user login behaviour.
A question worth separating out:
Q: Who is accountable when a compromised NHI exposes data?
A: Accountability sits with the team that created, approved and operates the identity, not with the platform alone. NHI incidents often happen because ownership is diffuse across development, infrastructure and security. Governance frameworks should make ownership explicit, tie entitlements to business purpose and require revocation when that purpose ends.
Read our full editorial: Human and nonhuman identity controls are diverging fast