Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity risk growth at Axiad: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Identity risk now spans human users, machines, non-human identities, and emerging AI agents, and its unified visibility approach is aimed at helping teams quantify and reduce attack surface, according to Axiad. The real issue is not staffing news but the widening gap between identity sprawl and governance models built for slower, human-paced access reviews.

NHIMG editorial — based on content published by Axiad: Axiad appoints Jay Carpenter chief revenue officer to lead next phase of enterprise growth

By the numbers:

Questions worth separating out

Q: How should security teams govern machine and AI identities alongside human accounts?

A: Security teams should govern machine and AI identities with the same lifecycle discipline used for humans, but with controls adapted to runtime behaviour.

Q: Why do machine identities increase identity risk in enterprise environments?

A: Machine identities increase risk because they often outnumber human accounts, carry broad privileges, and are harder to inventory accurately.

Q: What do teams get wrong when trying to reduce identity attack surface?

A: Teams often focus on the existence of identities instead of the reach and privilege those identities create.

Practitioner guidance

  • Inventory all non-human identities as first-class assets Build a complete register of service accounts, API keys, certificates, tokens, and AI-linked identities with owners, purpose, and system dependencies.
  • Prioritise identities by blast radius Score identities by privilege scope, cross-system reach, and likelihood of misuse so remediation work focuses on the highest-exposure accounts first.
  • Extend lifecycle controls to machine and AI identities Apply issuance, review, rotation, and offboarding processes to service accounts and agentic workloads, not only humans.

What's in the full analysis

Axiad's full report covers the operational detail this post intentionally leaves for the source:

  • How Axiad Mesh maps identity visibility and quantified risk across users, devices, machines, and AI agents
  • Details on how the platform frames identity risk analysis for enterprise buying and security operations
  • Product-level context on Axiad Conductor and Axiad Confirm, including how the vendor positions credential management and identity verification
  • The company background, customer retention context, and executive commentary around the new CRO appointment

👉 Read Axiad’s announcement on identity risk visibility and enterprise growth →

Identity risk growth at Axiad: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Identity visibility has become the first control plane, not an adjunct control. Traditional IAM programmes were built to manage known users and predictable lifecycle events, but the article reflects a broader operating reality where machine and AI identities now materially expand the attack surface. When identity sprawl outruns inventory quality, the programme loses the ability to distinguish benign access from latent exposure. Practitioners should treat visibility as the foundation for every downstream control decision.

A few things that frame the scale:

  • 95% customer retention rate, according to Axiad's published material on its identity security platform and customer base.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should be accountable for orphaned service accounts and AI identities?

A: Accountability should sit with the system owner or business service owner, not only with the central IAM team. IAM can set the process, but operational ownership is required to validate purpose, approve continued use, and remove access when the workload or workflow ends. Without named ownership, revocation and review become optional.

👉 Read our full editorial: Axiad’s CRO hire signals a broader push into identity risk



   
ReplyQuote
Share: