TL;DR: According to Aembit, non-human identity security has become central to securing AI agents and workloads, as the risk of static credentials, the case for just-in-time access, and identity-based audit all gain prominence. The underlying issue is not novelty in tooling but the collapse of identity assumptions that were built for stable, reviewable access paths.
NHIMG editorial — based on content published by Aembit: its 2025 CyberSecurity Breakthrough Awards recognition for non-human identity security
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern AI agents and workloads with runtime access decisions?
A: Treat AI agents and workloads as non-human identities whose access must be evaluated at the moment of use.
Q: Why do long-lived secrets create more risk for non-human identities than for human users?
A: Long-lived secrets are durable bearer tokens, so anyone who copies them can reuse them outside the intended task boundary.
Q: What do security teams get wrong about access reviews for service accounts and AI agents?
A: They often apply human-style review cadences to identities that change faster than the review cycle can observe.
Practitioner guidance
- Shift high-risk machine access to runtime policy enforcement: replace static allowlists and reused credentials for AI agents and workloads with policy checks executed at request time.
- Remove long-lived secrets from agent and workload paths: inventory where AI agents, scripts, and microservices still depend on durable credentials in code, config, or CI/CD.
- Tie every privileged access event to an identity and policy decision: ensure logs show the actor, the approved policy, the target resource, and the time of access.
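The second item above asks for an inventory of where durable credentials still sit in code, config and CI/CD. The following is an added example (not Aembit's code or tooling) of the kind of scan that produces that inventory: it walks a set of constructed sample files, flags the usual shapes of long-lived secrets, redacts what it finds, and deliberately does not flag a reference to a secret store such as a `${{ secrets.X }}` expression, since that reference is what an inline value should be replaced with. The file names, key formats and values are all constructed for the example.

```python
"""Inventory of durable credentials in code, config and CI definitions.

Added example, not Aembit's code. Scans an in-memory set of constructed
sample files and reports patterns that usually indicate a long-lived secret
embedded where an AI agent, script or pipeline will read it.
"""
import re
from dataclasses import dataclass

# Constructed sample files; every value below is fake and only shaped to
# match the patterns. The deploy.yml secret reference is NOT a finding.
SAMPLE_FILES = {
    "agent/.env": (
        "OPENAI_API_KEY=sk-placeholder0000000000000000000000\n"
        "LOG_LEVEL=info\n"
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAEXAMPLE123456789\n"
        "  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}\n"
    ),
    "svc/client.py": (
        "import requests\n"
        "HEADERS = {'Authorization': 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.fakesig'}\n"
        "token = fetch_short_lived_token()\n"
    ),
}

# Each pattern names the kind of durable credential it tends to catch.
# Group 1 is the secret material itself so it can be redacted in output.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "openai_style_key": re.compile(r"\b(sk-[A-Za-z0-9]{20,})\b"),
    "hardcoded_bearer": re.compile(r"Bearer\s+([A-Za-z0-9._\-]{20,})"),
    # A quoted literal assigned to a secret-looking name. Unquoted values
    # are left to the specific patterns above to limit false positives
    # (e.g. `token = fetch_short_lived_token()` is a call, not a secret).
    "quoted_secret_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # first 4 characters kept, the rest masked


def _redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential-shaped match in the given text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, _redact(match.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents; the inventory for remediation."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Running the block lists three findings (the `.env` key, the access key ID in the workflow, and the hard-coded bearer header) and nothing for the `${{ secrets.AWS_SECRET }}` reference or the runtime-fetched token, which is the split a remediation backlog needs: inline values to remove, references and short-lived fetches to keep.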
What's in the full analysis
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- How the runtime access enforcement flow is structured for AI agents and workloads
- The specific differences between secretless access tokens and traditional static credentials
- How identity-based audit supports compliance and ITDR workflows in practice
- Which access conditions Aembit says can be evaluated before authorization is granted
👉 Read Aembit’s award announcement on IAM for agentic AI and non-human identities →
Agentic AI access controls: what IAM teams need to know
Explore further
Identity governance for AI agents is now a runtime problem, not a provisioning problem. The controls highlighted here point to a market shift away from static entitlement thinking and toward access decisions made at the moment of use. That aligns with OWASP-NHI and Zero Trust architecture, where trust is continuously evaluated rather than granted once and left in place. Practitioners should treat agent access as an always-on governance domain, not a one-time setup activity.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do IAM and PAM teams reduce lateral movement through machine identities?
A: Start by eliminating standing access paths that let one machine identity reach many sensitive systems. Then bind privileged access to purpose, context, and shortest-possible duration, with logs that show which identity used which privilege and why. That combination reduces reuse, constrains blast radius, and improves incident investigation.
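The answer above, together with the earlier practitioner guidance on runtime policy enforcement and identity-bound audit, describes one control: no standing access path, a decision made when the identity asks, a grant bound to purpose, context and a short lifetime, and a log of which identity used which privilege and why. The following is an added example of that control as a small policy engine; it is not Aembit's product code or API. The SPIFFE-style identity URIs, the policy fields and the resource names are assumed for illustration.

```python
"""Runtime access decision for a non-human identity, with an audit record.

Added example, not Aembit's product code or API. It models the editorial's
guidance: no standing access path, the decision is made when the workload
asks, the grant is bound to purpose, environment, action and a short TTL,
and every decision (allow or deny) is logged with actor, policy, resource
and time. SPIFFE-style identity URIs are only an assumed naming format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass(frozen=True)
class AccessRequest:
    workload: str   # attested workload identity presented at request time
    resource: str   # target system, e.g. "db://customers"
    action: str     # "read", "write", ...
    purpose: str    # task the workload claims to be performing
    env: str        # originating environment, e.g. "prod"


@dataclass(frozen=True)
class Policy:
    name: str
    workload_prefix: str
    resource: str
    actions: frozenset
    purposes: frozenset
    envs: frozenset
    ttl: timedelta  # grant lifetime: the "shortest-possible duration"


@dataclass(frozen=True)
class Grant:
    token: str
    workload: str
    resource: str
    action: str
    policy: str
    expires_at: datetime


@dataclass(frozen=True)
class AuditRecord:
    time: datetime
    actor: str
    policy: Optional[str]  # None when nothing matched
    resource: str
    action: str
    purpose: str
    decision: str          # "allow" or "deny:<policy>:<failed condition>,..."


# Constructed policies: each names the one purpose-bound path it permits.
POLICIES = [
    Policy("summarizer-reads-customers", "spiffe://example.org/agent/summarizer",
           "db://customers", frozenset({"read"}), frozenset({"weekly-report"}),
           frozenset({"prod"}), timedelta(minutes=5)),
    Policy("deployer-writes-artifacts", "spiffe://example.org/ci/deployer",
           "s3://artifacts", frozenset({"write"}), frozenset({"deploy"}),
           frozenset({"prod", "staging"}), timedelta(minutes=2)),
]

T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def at(minutes: float) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def _mismatch(req: AccessRequest, p: Policy) -> Optional[str]:
    """None if the policy covers the request, else the first failed condition."""
    checks = [("workload", req.workload.startswith(p.workload_prefix)),
              ("resource", req.resource == p.resource),
              ("action", req.action in p.actions),
              ("purpose", req.purpose in p.purposes),
              ("env", req.env in p.envs)]
    return next((name for name, ok in checks if not ok), None)


def evaluate(req: AccessRequest, policies, now: datetime, grants: dict):
    """Decide at the moment of use. Returns (grant or None, audit record)."""
    reasons = []
    for p in policies:
        why = _mismatch(req, p)
        if why is None:
            grant = Grant(secrets.token_urlsafe(24), req.workload, req.resource,
                          req.action, p.name, now + p.ttl)
            grants[grant.token] = grant  # only now does an access path exist
            return grant, AuditRecord(now, req.workload, p.name, req.resource,
                                      req.action, req.purpose, "allow")
        reasons.append(f"{p.name}:{why}")
    return None, AuditRecord(now, req.workload, None, req.resource, req.action,
                             req.purpose, "deny:" + ",".join(reasons))


def validate_grant(grants: dict, token: str, resource: str, action: str,
                   now: datetime) -> bool:
    """Check a presented grant at the resource; expired grants are discarded."""
    g = grants.get(token)
    if g is None:
        return False
    if now >= g.expires_at:
        del grants[token]
        return False
    return g.resource == resource and g.action == action


if __name__ == "__main__":
    grants = {}
    agent = "spiffe://example.org/agent/summarizer/v2"
    for req in [AccessRequest(agent, "db://customers", "read", "weekly-report", "prod"),
                AccessRequest(agent, "db://customers", "write", "weekly-report", "prod"),
                AccessRequest(agent, "db://customers", "read", "debug", "prod")]:
        grant, rec = evaluate(req, POLICIES, T0, grants)
        print(f"{rec.time.isoformat()} actor={rec.actor} policy={rec.policy} "
              f"resource={rec.resource} action={rec.action} decision={rec.decision}")
        if grant:
            print("  valid at +4m:", validate_grant(grants, grant.token, req.resource, req.action, at(4)),
                  "valid at +6m:", validate_grant(grants, grant.token, req.resource, req.action, at(6)))
```

Two design points carry the editorial's argument. The deny record names the first condition each policy failed on (action, purpose, environment), which is what an investigator needs to tell a misconfigured agent from one operating outside its task boundary. And the grant itself is the only access path: it is created per request, checked against the same resource and action it was issued for, and discarded once its TTL passes, so a copied token stops working on its own rather than waiting for a review cycle to catch it.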
👉 Read our full editorial: Aembit award spotlights the IAM gap in agentic AI access