
AI agent and NHI governance gaps are widening: what now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Non-human identities now outnumber human identities by more than 100 to one in many enterprise environments, while most organisations still lack systematic governance for service accounts, API keys, OAuth tokens, and AI agents, according to Clarity Security. Access that compounds over time is turning NHI oversight into a structural identity problem, not a niche operations issue.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: What breaks when organisations treat non-human identities like ordinary app accounts?

A: Ownership, review, and offboarding break first.

Q: Why do service accounts and API keys create outsized governance risk?

A: They create outsized risk because they are easy to reuse, hard to trace, and often hold more privilege than the workload actually needs.

Practitioner guidance

  • Inventory non-human identities by owner and purpose. Build a register that separates service accounts, API keys, OAuth grants, certificates, and AI agent identities by business owner, technical owner, and expiry date.
  • Map agent permissions to task-specific scopes. For any AI agent in production, define the exact tools, data sources, and execution boundaries it may use, then block anything outside that task scope.
  • Shorten the credential lifecycle for machine access. Rotate or revoke long-lived machine credentials on a schedule tied to business need, not convenience.

What to expect at the briefing

Clarity Security's live webinar covers the operational detail this post intentionally leaves for the source:

  • Live discussion between Alexis Moyse and Lalit Choda on the current state of NHI governance and where practitioners still struggle.
  • Practical commentary on how AI agents change identity governance assumptions across access, ownership, and lifecycle.
  • Discussion of regulatory scrutiny around non-human identities and what readiness looks like in real programmes.
  • Forward-looking view on where NHI and AI identity governance is heading over the next two to three years.

👉 Register for Clarity Security's live webinar on NHI and AI identity governance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Non-human identity governance is now a core identity architecture problem, not a niche security add-on. Service accounts, API keys, tokens, and agent identities now sit inside the same access graph as human users, but they are created and consumed at machine speed. That means traditional IGA and PAM assumptions about ownership, review cadence, and offboarding no longer hold cleanly. Practitioners should treat NHI governance as a baseline control plane, not a special case.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: What should organisations do before expanding AI agent deployments?

A: They should define agent-specific identity controls before scaling. That means narrowing tool access, documenting delegated permissions, assigning ownership, and deciding how agent activity will be reviewed or terminated. If those controls are built after rollout, the organisation will inherit a much larger identity surface than it can govern confidently.

👉 Read our full editorial: AI agent and NHI governance is outpacing IAM controls



   
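The practitioner guidance in the first post (a register keyed by owner and expiry, task-scoped agent permissions, short machine-credential lifecycles) and the controls the second post says should be in place before agent deployments scale (narrow tool access, assigned ownership, a defined review path) can be turned into a mechanical audit that runs over the register on a schedule. The Python below is an added example, not code from NHIMG, Clarity Security or either poster; the register fields, the task-to-scope allowlist, the 90-day rotation threshold and every sample identity are constructed assumptions.

```python
"""Governance audit over a register of non-human identities (NHIs).

Added example, not code from NHIMG, Clarity Security or the thread's
authors. The register fields, the agent task-to-scope allowlist, the
rotation threshold and the sample entries below are all constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy for machine credentials


@dataclass
class Identity:
    name: str
    kind: str                 # service_account | api_key | oauth_grant | certificate | ai_agent
    purpose: str
    business_owner: str | None
    technical_owner: str | None
    issued: date
    expires: date | None      # None means the credential never expires
    scopes: set[str] = field(default_factory=set)
    task: str | None = None   # ai_agent only: the task the agent is deployed for


# Constructed allowlist: the only tools/data an agent on a given task may touch.
AGENT_TASK_SCOPES: dict[str, set[str]] = {
    "ticket-triage": {"tickets:read", "tickets:comment"},
    "invoice-ocr": {"storage:read:invoices", "erp:invoice:create"},
}


def audit(register: list[Identity], today: date,
          max_age_days: int = MAX_CREDENTIAL_AGE_DAYS) -> list[tuple[str, str]]:
    """Return (identity name, finding) pairs, in register order."""
    findings: list[tuple[str, str]] = []
    for ident in register:
        # Ownership: both a business and a technical owner must be recorded.
        if not ident.business_owner or not ident.technical_owner:
            findings.append((ident.name, "missing-owner"))
        # Expiry: every NHI needs an end date, and it must not already be past.
        if ident.expires is None:
            findings.append((ident.name, "no-expiry"))
        elif ident.expires < today:
            findings.append((ident.name, "expired"))
        # Lifecycle: machine credentials older than policy are due for rotation.
        if ident.kind != "ai_agent" and (today - ident.issued).days > max_age_days:
            findings.append((ident.name, "rotation-overdue"))
        # Agents: granted scopes must stay inside the task's allowlist.
        if ident.kind == "ai_agent":
            allowed = AGENT_TASK_SCOPES.get(ident.task or "")
            if allowed is None:
                findings.append((ident.name, "unknown-task"))
            else:
                extra = sorted(ident.scopes - allowed)
                if extra:
                    findings.append((ident.name, "scope-exceeds-task:" + ",".join(extra)))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings by category (the part before any ':' detail)."""
    return dict(Counter(f.split(":", 1)[0] for _, f in findings))


# Constructed sample register; TODAY is fixed so the output is reproducible.
TODAY = date(2025, 1, 15)
SAMPLE_REGISTER = [
    Identity("svc-payroll-db", "service_account", "payroll batch DB access",
             "finance-ops", "platform-team", TODAY - timedelta(days=200), TODAY + timedelta(days=30)),
    Identity("ci-deploy-key", "api_key", "deploy from CI to staging",
             None, "platform-team", TODAY - timedelta(days=10), None),
    Identity("agent-triage", "ai_agent", "first-line ticket triage",
             "support-lead", "ml-platform", TODAY - timedelta(days=20), TODAY + timedelta(days=60),
             scopes={"tickets:read", "tickets:comment", "mail:send"}, task="ticket-triage"),
    Identity("agent-ocr", "ai_agent", "invoice OCR into ERP",
             "ap-manager", "ml-platform", TODAY - timedelta(days=5), TODAY + timedelta(days=60),
             scopes={"storage:read:invoices"}, task="invoice-ocr"),
    Identity("cert-mtls-gw", "certificate", "mTLS client cert for API gateway",
             "api-owner", "network-team", TODAY - timedelta(days=30), TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REGISTER, TODAY):
        print(f"{name:16} {finding}")
    print(summarize(audit(SAMPLE_REGISTER, TODAY)))
```

Each finding maps to one of the thread's controls: `missing-owner` and `no-expiry` are register gaps, `rotation-overdue` and `expired` are lifecycle gaps, and `scope-exceeds-task` is an agent holding a tool outside its task allowlist. Running the audit from CI or a scheduler, and treating any non-empty result as a ticket for the named owner, is the review cadence the second post argues should exist before agent rollout rather than after.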