TL;DR: Cloud security programmes are increasingly judged on identity security across humans, machines, and AI agents, according to 1Password. The governance challenge is no longer just access management, but continuous authorisation, credential visibility, and auditability across expanding workloads.
NHIMG editorial — based on content published by 1Password: 1Password becomes AWS Security Competency Partner
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern non-human identities in AWS environments?
A: Treat every service account, token, and API key as a governed identity with an owner, purpose, review cycle, and revocation path.
Q: Why do AWS cloud environments increase NHI governance complexity?
A: AWS environments increase governance complexity because access is distributed across applications, pipelines, integrations, and now AI-assisted workflows.
Q: What breaks when organisations rely on point-in-time access reviews for cloud identities?
A: Point-in-time reviews miss the period between approval and use, which is where many cloud identity risks accumulate.
Practitioner guidance
- Build a single inventory for cloud and non-human identities. Track service accounts, API keys, tokens, certificates, and agent identities in one ownership model so review, rotation, and revocation are not separated across teams.
- Tie every AWS credential to a named lifecycle owner. Assign one accountable owner for provisioning, rotation, exception handling, and removal so no credential sits outside an explicit governance path.
- Verify that audit logs capture agent and workload actions. Check that access logs show which identity acted, what resource was reached, and whether the action came from a human, workload, or AI agent.
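As an added example (not code from 1Password or the source article), the check in the last item can be run over CloudTrail records: each record is classified by its `userIdentity.type` (real CloudTrail values: `IAMUser`, `FederatedUser`, `AssumedRole`, `Root`, `AWSService`) and flagged when the identity or resource ARN is missing. The `agent-` role-session-name prefix used to tell AI-agent sessions apart from other workloads is an assumed naming convention, and the sample records are constructed.

```python
# Assumption (not from the article): AI-agent role sessions are named with
# an "agent-" prefix so they can be told apart from other workload sessions.
AGENT_SESSION_PREFIX = "agent-"
def classify_actor(record):
    """Map a CloudTrail userIdentity block to human/workload/agent/root/service."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind in ("IAMUser", "FederatedUser"):
        return "human"
    if kind == "AWSService":
        return "service"
    if kind == "AssumedRole":
        # STS ARN ends in .../assumed-role/<role>/<session>; the session name is last.
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        return "agent" if session.startswith(AGENT_SESSION_PREFIX) else "workload"
    return "unknown"

def audit_record(record):
    """Return who acted, on what, and which governance fields are missing."""
    actor = classify_actor(record)
    ident_arn = record.get("userIdentity", {}).get("arn")
    resources = [r["ARN"] for r in record.get("resources", []) if r.get("ARN")]
    gaps = []
    if actor == "unknown":
        gaps.append("actor type not recorded")
    if not ident_arn:
        gaps.append("identity ARN missing")
    if not resources:
        gaps.append("resource ARN missing")
    return {"event": record.get("eventName"), "actor": actor,
            "identity": ident_arn, "resources": resources, "gaps": gaps}

def audit_log(records):
    # records: the parsed "Records" array of a CloudTrail log file
    return [audit_record(r) for r in records]
# Constructed sample records (not real data); layout follows the CloudTrail format.
SAMPLE_RECORDS = [
    {"eventName": "GetObject", "userIdentity": {"type": "IAMUser",
     "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
    {"eventName": "InvokeModel", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/SummarizerRole/agent-ticket-42"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/CIDeployRole/build-907"},
     "resources": [{"ARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}]},
    {"eventName": "ListBuckets", "userIdentity": {"type": "Unknown"}},
]
```

Records that come back with a non-empty `gaps` list are the ones a point-in-time review would miss: the action is logged, but the record cannot say which governed identity performed it or what it touched.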
What's in the full analysis
1Password's full article covers the operational detail this post intentionally leaves for the source:
- The AWS Competency context and designation criteria that explain why the announcement matters for cloud buyers.
- The 1Password platform positioning around discovery, secure access, and audit across human and AI agent identities.
- The customer example showing how device health, flexibility, and security requirements are balanced in practice.
- The partner and product resources that expand on unified access and SOC workflow automation.
👉 Read 1Password’s AWS Security Competency announcement for identity security context →
AWS Security Competency for 1Password: what changes for IAM teams?
Explore further
Cloud infrastructure protection is now an NHI governance problem, not a perimeter problem. The AWS Security Competency language matters because modern cloud environments are built on credentials, permissions, and workload trust paths rather than static network boundaries. Once access is distributed across human users, machine identities, and AI-assisted workflows, the control question becomes whether identity governance can still explain every privileged action. Practitioners should treat cloud security and NHI governance as one operating discipline.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a cloud credential is misused by an AI workflow?
A: Accountability should rest with the identity owner who approved the access, the team operating the workflow, and the governance process that allowed the credential to remain valid. AI does not remove accountability. It makes the ownership chain easier to inspect, which is why logs, approvals, and lifecycle records must align.
👉 Read our full editorial: 1Password’s AWS Security Competency raises NHI governance stakes