TL;DR: Astrix’s recognition in KuppingerCole’s CIEM Leadership Compass underscores a broader problem: traditional CIEM and IGA controls still leave service accounts, OAuth integrations, secrets, and other non-human identities only partially governed, especially across SaaS and cloud environments. That gap is now a core identity security issue, not a side case, according to KuppingerCole and Astrix Security.
NHIMG editorial — based on content published by Astrix Security: recognition in KuppingerCole's Leadership Compass for Cloud Infrastructure Entitlement Management
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when non-human identities are not included in CIEM scope?
A: CIEM then reports only the subset of access it can see. Service accounts, OAuth grants, and automation secrets usually hold the broadest standing privileges, so leaving them out of scope turns CIEM from a governance control into an incomplete visibility layer.
Q: Why do non-human identities complicate access governance more than human accounts?
A: They are often created for technical convenience, not reviewed as business identities, and left active long after the original use case changes.
Q: How do security teams know if NHI governance is actually working?
A: Look for whether every machine identity has a named owner, a documented purpose, a clear expiry or rotation rule, and evidence of removal when no longer needed.
Practitioner guidance
- Inventory every non-human identity in the entitlement graph: pull service accounts, OAuth grants, API tokens, certificates, and automation secrets into the same inventory you use for human entitlements.
- Add delegated SaaS access to access review scope: include third-party OAuth applications, connected apps, and admin-consented integrations in periodic entitlement reviews.
- Enforce lifecycle controls on machine credentials: apply rotation, expiry, and offboarding workflows to secrets and service accounts with the same discipline used for human access.
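The three guidance items above, together with the earlier Q&A on what "working" NHI governance looks like (named owner, documented purpose, an expiry or rotation rule, evidence of removal when idle), describe one procedure: build the inventory, review it, enforce lifecycle rules. As an added example, not code from Astrix Security, KuppingerCole, or NHIMG, here is a small Python audit that applies those checks plus an excessive-scope check to a constructed inventory. The identity records, the thresholds (90-day rotation, 60-day idle), and the scope names are all hypothetical; in practice the records would be pulled from your IdP, cloud, and SaaS connectors.

```python
"""NHI governance audit over a constructed inventory (added example, hypothetical data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Governance thresholds. Hypothetical values for this example; a real
# program would set them per identity kind and risk tier.
MAX_ROTATION_AGE = timedelta(days=90)   # long-lived secrets older than this are overdue
MAX_IDLE_AGE = timedelta(days=60)       # no observed use for this long => removal candidate
# Scope-name fragments treated as "broad" for the excessive-privilege check (constructed heuristic).
BROAD_SCOPE_MARKERS = ("admin", ".all", "*")


@dataclass(frozen=True)
class NonHumanIdentity:
    ident: str
    kind: str                      # service_account | oauth_grant | api_token | certificate
    owner: Optional[str]           # accountable person or team; None if unassigned
    purpose: Optional[str]         # documented reason the identity exists
    created: date
    last_rotated: Optional[date]   # None if the credential has never been rotated
    expires: Optional[date]        # None if the credential never expires
    last_used: Optional[date]      # None if no use has ever been observed
    scopes: tuple[str, ...]


def is_broad_scope(scope: str) -> bool:
    """Heuristic: tenant-wide or admin-level scopes count as excessive privilege."""
    s = scope.lower()
    return any(marker in s for marker in BROAD_SCOPE_MARKERS)


def audit_identity(nhi: NonHumanIdentity, today: date) -> list[str]:
    """Return governance findings for one identity; an empty list means governed."""
    findings: list[str] = []
    if not nhi.owner:
        findings.append("no named owner")
    if not nhi.purpose:
        findings.append("no documented purpose")

    # Lifecycle: every credential needs an expiry or a rotation rule, and the
    # rule it has must actually be honoured.
    if nhi.expires is None and nhi.last_rotated is None:
        findings.append("no expiry or rotation rule")
    elif nhi.expires is not None and nhi.expires < today:
        findings.append(f"expired on {nhi.expires.isoformat()} but still present")
    elif nhi.expires is None and today - nhi.last_rotated > MAX_ROTATION_AGE:
        findings.append(f"rotation overdue ({(today - nhi.last_rotated).days} days)")

    # Evidence of use: an identity nobody has used is a removal candidate.
    last_activity = nhi.last_used or nhi.created
    if today - last_activity > MAX_IDLE_AGE:
        findings.append(f"no observed use for {(today - last_activity).days} days: removal candidate")

    broad = [s for s in nhi.scopes if is_broad_scope(s)]
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    return findings


def audit_inventory(inventory: list[NonHumanIdentity], today: date) -> dict[str, list[str]]:
    return {nhi.ident: audit_identity(nhi, today) for nhi in inventory}


def ungoverned(report: dict[str, list[str]]) -> list[str]:
    """Identities with at least one finding, in inventory order."""
    return [ident for ident, findings in report.items() if findings]


# Constructed sample inventory: four identity kinds, one governed and three not.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-ci-deploy", "service_account", "platform-team", "CI deploys to prod cluster",
                     date(2024, 1, 10), date(2025, 4, 15), None, date(2025, 5, 31), ("deploy.write",)),
    NonHumanIdentity("oauth-grant-7f3a", "oauth_grant", None, None,
                     date(2023, 9, 2), None, None, date(2024, 11, 20), ("directory.readwrite.all", "mail.read")),
    NonHumanIdentity("tok-legacy-export", "api_token", "data-eng", "nightly warehouse export",
                     date(2024, 10, 1), date(2024, 12, 1), None, date(2025, 5, 30), ("export.read",)),
    NonHumanIdentity("cert-partner-gw", "certificate", "integrations", "mTLS to partner gateway",
                     date(2023, 5, 1), None, date(2025, 5, 1), date(2025, 5, 28), ()),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for ident in ungoverned(report):
        print(ident)
        for finding in report[ident]:
            print("  -", finding)
```

The point of the structure is that each finding maps to one of the governance questions a reviewer would ask, so the output doubles as the evidence trail the access review needs: an identity with no findings is one you can show has an owner, a purpose, a lifecycle rule, and recent use. The orphaned OAuth grant in the sample fails every check at once, which is the typical shape of the delegated SaaS access the second guidance item asks you to bring into review scope.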
What's in the full analysis
Astrix Security's full report covers the operational detail this post intentionally leaves for the source:
- Detailed capability mapping for discovering internal service accounts and external OAuth connections across SaaS and cloud
- The platform-level visibility and remediation workflow details behind real-time monitoring of non-human identities
- How the policy engine enforces least privilege and acceptable use rules for machine identities in day-to-day operations
- Integration coverage across Microsoft Entra ID, Okta, Google Workspace, public cloud platforms, and SaaS apps
👉 Read Astrix Security's analysis of CIEM gaps in non-human identity governance →
NHI governance gaps in CIEM: what practitioners should re-evaluate
NHI governance blind spots are now CIEM blind spots. CIEM programs that focus only on cloud entitlements without modelling service accounts, OAuth grants, and automation secrets are working with an incomplete access graph. KuppingerCole’s recognition of Astrix reflects the market’s recognition that machine access must be treated as a governed identity class, not an edge case. Practitioners should read this as a signal that entitlement visibility without NHI lifecycle control is only partial governance.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why hidden machine access remains difficult to govern.
A question worth separating out:
Q: Who should own governance for service accounts and OAuth integrations?
A: Ownership should sit with the business or platform team that depends on the access, with identity and security providing control requirements and review. If ownership is only technical, offboarding and privilege reduction usually fail because nobody is accountable for the access lifecycle.
👉 Read our full editorial: Astrix and CIEM expose the NHI governance gap in cloud identity