
Zero trust for non-human identities: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Zero trust breaks down for service accounts, API keys, OAuth tokens, IAM roles, secrets, and AI agents when the underlying identity is invisible, unowned, or over-permissioned, according to Oasis Security. The governance gap is no longer theoretical: policy enforcement without identity ownership and lifecycle control cannot secure machine-to-machine traffic.

NHIMG editorial — based on content published by Oasis Security: Extending Zero Trust to Non-Human and Agentic Identities

Questions worth separating out

Q: How should security teams extend zero trust to non-human identities?

A: Start by treating identity governance as part of the zero trust control model.

Q: Why do non-human identities create gaps in zero trust programmes?

A: They create gaps because zero trust assumes each request can be tied to a governed identity.

Q: What breaks when AI agents are given access without ownership and expiry?

A: The governance model breaks first.

Practitioner guidance

  • Map every non-human identity to an owner and lifecycle state. Build an inventory that links service accounts, API keys, OAuth tokens, IAM roles, secrets, and agents to a named business or technical owner, then flag anything orphaned or unreviewed.
  • Tighten standing access before extending inline control. Review whether tokens, roles, and secrets already carry broad access that makes policy enforcement secondary.
  • Treat agent access as governed runtime behaviour. Define which tools an agent may call, who approves its scope, and what event triggers revocation.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the Oasis and Zscaler integration maps discovery, governance, and inline policy into a single workflow
  • Which identity attributes the control plane uses to attribute ownership, risk, and lifecycle status
  • How Agentic Access Management is positioned inside the broker path for AI agents and MCP servers
  • Where the joint model distinguishes governance of the identity from enforcement of the connection

👉 Read Oasis Security's analysis of extending zero trust to non-human and agentic identities →
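As an added example (not code from the original post, from NHIMG or from Oasis Security), the inventory-and-flagging pass the practitioner guidance describes, run over a constructed set of identity records; the record fields, the 90-day review cadence and the broad-scope markers are assumptions.

```python
"""Governance checks over a non-human identity inventory (added example).
Each record is assumed to carry: id, type, owner, last_reviewed, expires,
scopes, and for agents also allowed_tools and revoke_on."""
from datetime import date, timedelta

REVIEW_MAX_AGE = timedelta(days=90)      # assumed maximum age of an access review
BROAD_SCOPES = {"*", "admin", "owner"}   # assumed markers of broad standing access

# Constructed sample inventory; not real identities or data.
INVENTORY = [
    {"id": "role-ci-deploy", "type": "iam_role", "owner": "platform-team",
     "last_reviewed": "2024-06-10", "expires": "2025-01-01", "scopes": ["deploy:prod"]},
    {"id": "svc-billing", "type": "service_account", "owner": "payments-team",
     "last_reviewed": "2024-05-01", "expires": None, "scopes": ["billing:read"]},
    {"id": "key-legacy-etl", "type": "api_key", "owner": None,
     "last_reviewed": "2023-01-15", "expires": None, "scopes": ["*"]},
    {"id": "agent-support", "type": "agent", "owner": "cx-team",
     "last_reviewed": "2024-06-01", "expires": "2024-12-31",
     "scopes": ["tickets:write"], "allowed_tools": [], "revoke_on": None},
]

def findings_for(nhi, today):
    """Return the governance findings for one record (empty list means clean)."""
    out = []
    if not nhi.get("owner"):                       # step 1: ownership
        out.append("orphaned: no named owner")
    reviewed = nhi.get("last_reviewed")
    if reviewed is None or today - date.fromisoformat(reviewed) > REVIEW_MAX_AGE:
        out.append(f"unreviewed for more than {REVIEW_MAX_AGE.days} days")
    expires = nhi.get("expires")                   # step 1: lifecycle state
    if expires is None:
        out.append("no expiry: lifecycle end is undefined")
    elif date.fromisoformat(expires) < today:
        out.append("expired but still present in inventory")
    broad = sorted(set(nhi.get("scopes", [])) & BROAD_SCOPES)
    if broad:                                      # step 2: standing access
        out.append("broad standing access: " + ", ".join(broad))
    if nhi.get("type") == "agent":                 # step 3: governed runtime behaviour
        if not nhi.get("allowed_tools"):
            out.append("agent has no approved tool allowlist")
        if not nhi.get("revoke_on"):
            out.append("agent has no defined revocation trigger")
    return out

def audit(inventory, today=None):
    """Map identity id -> findings for every identity that has at least one."""
    today = today or date.today()
    return {n["id"]: f for n in inventory if (f := findings_for(n, today))}

if __name__ == "__main__":
    for nhi_id, problems in audit(INVENTORY, date(2024, 7, 1)).items():
        print(nhi_id, "->", "; ".join(problems))
```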

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Zero trust for NHIs is a governance problem before it is an enforcement problem. Policy engines can only make meaningful decisions when the underlying identity is visible, owned, and lifecycle-managed. That is why machine traffic breaks many zero trust programmes: the connection is authenticated, but the identity behind it is not governed with the same discipline as a human account. The implication is that zero trust architectures need an NHI governance layer, not just more inspection points.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how far governance still lags behind access complexity.

A question worth separating out:

Q: Who should be accountable for governing machine and agentic identities?

A: Accountability should sit with the teams that own the identity lifecycle, not only with network enforcement teams. IAM, PAM, and NHI owners need to define who creates the identity, who approves its scope, who reviews its access, and who revokes it when the use case ends. Zero trust only works when those responsibilities are explicit.

👉 Read our full editorial: Extending zero trust to non-human and agentic identities
