
Proactive NHI governance: are detection-first controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Reactive detection can spot some exposed or misused non-human identities, but it still leaves long-lived credentials, orphaned accounts, and autonomous machine activity outside effective control, according to Oasis Security. The real shift is from seeing NHIs to governing their lifecycle before exposure becomes exploitability.

NHIMG editorial — based on content published by Oasis Security: Proactive Non-Human Identity Security vs. Reactive Detection

By the numbers:

Questions worth separating out

Q: How should security teams handle NHI risk when visibility is high but control is weak?

A: Teams should treat visibility as an input, not an outcome.

Q: Why do reactive controls struggle with service accounts and API keys?

A: Reactive controls struggle because valid machine credentials can be abused without obvious behavioural deviation.

Q: What breaks when orphaned machine identities are left in place?

A: Orphaned identities break accountability first and containment second.

Practitioner guidance

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's step-by-step breakdown of reactive detection versus proactive lifecycle control for machine identities.
  • The specific lifecycle actions Oasis Security maps to provisioning, ownership assignment, rotation, and decommissioning.
  • The article's examples of where cloud-native change, secret exposure, and AI agents create different control pressures.
  • The vendor's own framing of visibility, baselining, and policy-driven access for non-human identities.

👉 Read Oasis Security's analysis of proactive versus reactive non-human identity security →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380

Visibility-first NHI programmes create a false sense of control: inventory, graphs, and monitoring matter, but they do not govern access on their own. The article is right that discovery is necessary, yet the discipline breaks when teams treat observation as remediation. The NIST Cybersecurity Framework 2.0 only becomes meaningful here when identify, protect, detect, and respond are connected to lifecycle enforcement. Practitioners should stop equating map coverage with risk reduction.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: How do AI agents change non-human identity governance?

A: AI agents turn NHI governance into a runtime control problem because they can take actions continuously and at machine speed. The key difference is not that they use tools, but that their access may need to be governed before, during, and after execution. That requires explicit scope, ownership, and shutdown conditions.

👉 Read our full editorial: Proactive NHI governance is overtaking reactive detection models
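As an added example (not code from either post or from Oasis Security), the lifecycle checks both posts call for, ownership assignment, rotation, decommissioning, and for agents an explicit scope and shutdown condition, written as a policy evaluator over an NHI inventory. The record fields, the sample identities and the 90-day/30-day thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock (assumed) for reproducible checks
MAX_CREDENTIAL_AGE = timedelta(days=90)           # rotation deadline (assumed policy value)
MAX_IDLE = timedelta(days=30)                     # unused beyond this -> decommission candidate

def d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class NHI:
    name: str
    kind: str                        # "service_account", "api_key" or "ai_agent"
    owner: Optional[str]             # None means nobody is accountable (orphaned)
    created: datetime
    last_rotated: Optional[datetime] = None
    last_used: Optional[datetime] = None
    scope: list = field(default_factory=list)   # granted permissions
    expires_at: Optional[datetime] = None       # shutdown condition for agents

def evaluate(nhi: NHI, now: datetime = NOW) -> list:   # empty list means compliant
    findings = []
    if not nhi.owner:
        findings.append("orphaned: no accountable owner")
    rotated = nhi.last_rotated or nhi.created         # never rotated -> age since creation
    if now - rotated > MAX_CREDENTIAL_AGE:
        findings.append(f"stale credential: {(now - rotated).days} days since rotation")
    if nhi.last_used is None or now - nhi.last_used > MAX_IDLE:
        findings.append("idle: decommission candidate")
    if not nhi.scope or "*" in nhi.scope:
        findings.append("scope: undefined or wildcard permissions")
    if nhi.kind == "ai_agent" and nhi.expires_at is None:
        findings.append("agent has no shutdown condition (no expiry)")
    return findings

def evaluate_inventory(inventory, now: datetime = NOW) -> dict:
    return {n.name: evaluate(n, now) for n in inventory}   # findings per identity name

# Constructed sample inventory: a compliant key, an orphaned stale account, an open-ended agent.
INVENTORY = [
    NHI("ci-deploy-key", "api_key", "platform-team", d(2024, 1, 10),
        last_rotated=d(2024, 5, 15), last_used=d(2024, 5, 30), scope=["deploy:prod"]),
    NHI("legacy-etl-sa", "service_account", None, d(2022, 3, 1),
        last_used=d(2024, 2, 1), scope=["*"]),
    NHI("support-triage-agent", "ai_agent", "cx-team", d(2024, 5, 20),
        last_used=d(2024, 5, 31), scope=["tickets:read", "tickets:comment"]),
]
```

Running `evaluate_inventory(INVENTORY)` returns no findings for the deploy key, four for the orphaned service account, and a single missing-expiry finding for the agent.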
