TL;DR: Aembit argues that enterprises need dynamic, policy-driven control for workload identities, AI agents and other non-human identities rather than static, long-lived access, and that ephemeral access and zero standing privilege are becoming baseline governance assumptions rather than advanced features. Fast Company has named the company to its 2025 Best Workplaces for Innovators list.
NHIMG editorial — based on content published by Aembit: Fast Company recognises Aembit for workload identity and AI agent security
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern workload identities in cloud environments?
A: Security teams should treat workload identity as a lifecycle problem, not just an authentication problem.
Q: Why do long-lived secrets create more risk for non-human identities?
A: Long-lived secrets create risk because they outlast the task, environment, or integration they were meant for.
Q: What breaks when organisations apply human IAM models to machine identities?
A: Human IAM models assume a user, a session, and a review cycle.
Practitioner guidance
- Inventory long-lived machine credentials: map every service account, API key, token, and certificate that still has access beyond a single task or deployment cycle.
- Move ephemeral access to the front of the design: require short-lived, policy-driven credentials for workloads that already have predictable execution windows.
- Separate service accounts from AI agent identities: do not manage agentic systems as if they were ordinary automation.
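The three guidance items above amount to one audit: enumerate every machine credential, compare its lifetime against the execution window it serves, flag excessive scopes and missing owners, and surface AI agent identities that are still riding on static service-account or API-key credentials. The script below is an added example written for this editorial, not Aembit's or NHIMG's code; the inventory records, credential identifiers, team names and scope strings are constructed, and the policy thresholds (24-hour maximum lifetime, wildcard or "admin" scopes counted as excessive) are assumptions a team would replace with its own.

```python
"""Added example (not from Aembit or NHIMG): audit a constructed inventory of
machine credentials against a simple lifetime, privilege and ownership policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class MachineCredential:
    cred_id: str
    kind: str                               # "service_account" | "api_key" | "token" | "certificate"
    identity_class: str                     # "workload" | "ai_agent"
    issued: datetime
    expires: Optional[datetime]             # None means the credential never expires
    scopes: List[str]
    owner: Optional[str]                    # named owning team, or None if unknown
    execution_window: Optional[timedelta]   # how long the task actually runs, if predictable


def _is_excessive(scope: str) -> bool:
    """Assumed policy: wildcard scopes and a bare 'admin' scope are excessive."""
    return scope.endswith("*") or scope == "admin"


def audit_inventory(creds: List[MachineCredential],
                    max_lifetime: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Return {cred_id: [issue, ...]} for every credential that violates policy.

    A credential's effective lifetime ceiling is the tighter of the global
    maximum and its own execution window, so a task that runs for 30 minutes
    must not hold a credential valid for a year.
    """
    findings: Dict[str, List[str]] = {}
    for c in creds:
        issues: List[str] = []
        ceiling = max_lifetime
        if c.execution_window is not None and c.execution_window < ceiling:
            ceiling = c.execution_window
        lifetime = None if c.expires is None else c.expires - c.issued
        if lifetime is None or lifetime > ceiling:
            issues.append("long_lived")
        if any(_is_excessive(s) for s in c.scopes):
            issues.append("excessive_privilege")
        if not c.owner:
            issues.append("no_owner")
        # An AI agent using an ordinary static service account or API key is
        # being managed like plain automation, which the guidance warns against.
        if c.identity_class == "ai_agent" and c.kind in ("service_account", "api_key"):
            issues.append("agent_on_static_credential")
        if issues:
            findings[c.cred_id] = issues
    return findings


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory; every identifier and team name is hypothetical.
SAMPLE_INVENTORY = [
    MachineCredential("svc-billing-db", "service_account", "workload",
                      issued=NOW - timedelta(days=400), expires=None,
                      scopes=["db:billing:*"], owner="payments-team",
                      execution_window=timedelta(hours=1)),
    MachineCredential("key-ci-deploy", "api_key", "workload",
                      issued=NOW - timedelta(days=90), expires=NOW + timedelta(days=275),
                      scopes=["deploy:write"], owner=None,
                      execution_window=timedelta(minutes=30)),
    MachineCredential("tok-report-job", "token", "workload",
                      issued=NOW - timedelta(minutes=20), expires=NOW + timedelta(minutes=40),
                      scopes=["reports:read"], owner="data-team",
                      execution_window=timedelta(hours=1)),
    MachineCredential("agent-support-bot", "api_key", "ai_agent",
                      issued=NOW - timedelta(days=30), expires=None,
                      scopes=["tickets:*", "admin"], owner="cx-team",
                      execution_window=None),
]

if __name__ == "__main__":
    for cred_id, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{cred_id}: {', '.join(issues)}")
```

Only the short-lived report token passes: its one-hour validity matches its execution window and it has a named owner and a narrow scope. The other three records show the patterns the guidance is aimed at, including the agent identity that is simultaneously long-lived, over-privileged and indistinguishable from ordinary automation.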
What's in the full analysis
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- How the company positions dynamic control for workload identities across cloud and partner environments.
- The product framing behind policy-driven access for AI agents, applications, and service accounts.
- The vendor’s own explanation of how ephemeral access and zero standing privilege are meant to reduce operational overhead.
- The company background and recognition context behind the Fast Company listing.
👉 Read Aembit’s analysis of workload identity governance and AI agent access →
Workload identity governance: what does Aembit's recognition signal?
Explore further
Dynamic machine access is becoming a governance baseline, not an optimisation. The article's core message is that static, long-lived access no longer fits how cloud workloads and AI agents operate. That is not simply a tooling issue; it is a lifecycle issue for non-human identities. Practitioners should treat ephemeral access as the default control expectation for modern machine identities.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should own revocation when a workload or integration is retired?
A: Ownership should sit with the team that depends on the workload, not only with the platform group that created the credential. Revocation needs a named owner, a dependency inventory, and proof that the credential is invalid in every place it was used.
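The answer above sets three conditions for a finished revocation: a named owner, a dependency inventory, and proof that the credential is rejected in every place it was used. The script below is an added example for this editorial, not Aembit's or NHIMG's code, showing how that proof can be checked against authentication logs: each consumer recorded in the dependency inventory must produce a post-revocation "denied" event, and no consumer may produce a post-revocation "allowed" event. The log format, the credential identifiers, the service names and the inventory entries are all constructed for the example.

```python
"""Added example (not from Aembit or NHIMG): verify that a revoked credential is
rejected at every consumer listed in a dependency inventory, using auth logs."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed log line shape (constructed for this example):
#   <ISO-8601 timestamp> auth cred=<credential id> src=<consumer> result=allowed|denied
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth cred=(?P<cred>\S+) src=(?P<src>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed dependency inventory: credential -> named owner and consuming locations.
DEPENDENCY_INVENTORY = {
    "svc-billing-db": {"owner": "payments-team",
                       "consumers": {"payments-api", "invoice-worker", "nightly-report"}},
    "key-ci-deploy": {"owner": None, "consumers": {"ci-runner"}},
    "tok-report-job": {"owner": "data-team", "consumers": {"report-job"}},
}

# Constructed auth log; the credentials were revoked at 10:00Z.
SAMPLE_LOG = """\
2025-06-01T09:55:00Z auth cred=svc-billing-db src=payments-api result=allowed
2025-06-01T10:05:00Z auth cred=svc-billing-db src=payments-api result=denied
2025-06-01T10:07:00Z auth cred=svc-billing-db src=invoice-worker result=denied
2025-06-01T10:09:00Z auth cred=svc-billing-db src=nightly-report result=allowed
2025-06-01T10:12:00Z auth cred=key-ci-deploy src=ci-runner result=denied
2025-06-01T10:15:00Z auth cred=tok-report-job src=report-job result=denied
this line is not an auth event and is skipped
"""

REVOKED_AT = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)

Event = Tuple[datetime, str, str, str]  # (timestamp, cred_id, consumer, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, skipping lines that do not match."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["cred"], m["src"], m["result"]))
    return events


def revocation_status(cred_id: str, revoked_at: datetime, events: List[Event],
                      inventory: Dict[str, dict] = DEPENDENCY_INVENTORY) -> dict:
    """Report whether revocation of cred_id is complete and, if not, why.

    Completeness requires: the credential is in the dependency inventory with a
    named owner, no consumer was still accepted after revoked_at, and every
    listed consumer produced at least one post-revocation denial.
    """
    entry = inventory.get(cred_id)
    if entry is None:
        return {"complete": False, "reasons": ["not_in_dependency_inventory"]}
    reasons: List[str] = []
    if not entry["owner"]:
        reasons.append("no_named_owner")
    post = [(src, result) for ts, cred, src, result in events
            if cred == cred_id and ts >= revoked_at]
    still_accepted = sorted({src for src, r in post if r == "allowed"})
    proven_denied = {src for src, r in post if r == "denied"}
    unproven = sorted(entry["consumers"] - proven_denied - set(still_accepted))
    if still_accepted:
        reasons.append("still_accepted_at:" + ",".join(still_accepted))
    if unproven:
        reasons.append("no_post_revocation_evidence_from:" + ",".join(unproven))
    return {"complete": not reasons, "reasons": reasons}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for cred in DEPENDENCY_INVENTORY:
        print(cred, revocation_status(cred, REVOKED_AT, parsed))
```

Run against the constructed log, only the report token is proven revoked. The billing service account is still being accepted by one of its three consumers, which is the case the editorial's answer is about: the platform group revoked something, but the dependent team's consumer never stopped being authorised. The CI key is rejected everywhere but has no named owner, so nobody is accountable for confirming the result.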
👉 Read our full editorial: Aembit’s workload identity focus signals the rise of NHI governance