My Security Event Munich 2026: what does it mean for NHI governance?


(@gitguardian)
Reputable Member
Joined: 1 year ago
Posts: 119
Topic starter  

TL;DR: GitGuardian is using My Security Event Munich 2026 on 2026-11-17 as a venue for closed-door CISO discussions about the identity risks behind non-human access, with the post emphasising that the real issue is governance depth, not conference visibility. The analyst position is that NHI controls belong in executive security conversations because autonomous access patterns now outpace traditional IAM review cycles.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities in enterprise environments?

A: Security teams should inventory every non-human identity, assign a human owner, define the business purpose, and set an expiry or review cadence.

Q: When does AI agent access become a governance risk instead of an automation benefit?

A: AI agent access becomes a governance risk when the agent can act beyond a single task, reuse credentials, or reach systems that were never explicitly approved for that workflow.

Q: What is the difference between secret rotation and NHI governance?

A: Secret rotation changes credentials on a schedule, while NHI governance addresses who owns the identity, what it may access, how long it may exist, and how much damage it can do if abused.

Practitioner guidance

  • Inventory all non-human identities by business owner: build a complete list of service accounts, API keys, certificates, and agent identities with named owners, expiry dates, and system dependencies.
  • Separate creation approval from runtime authorization: require short-lived access and continuous authorization checks for automated workloads, especially where AI agents can invoke tools or chain tasks.
  • Measure identity blast radius before an incident does: review what each NHI can reach, which downstream systems trust it, and how quickly credentials can be revoked without breaking production.

The right response is to treat NHI as a lifecycle problem, not a tooling problem, and to align policy with identity ownership, revocation, and review.

👉 Register for GitGuardian's My Security Event Munich 2026 page →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

NHI governance belongs in the same room as executive security decisions. Closed-door CISO forums are a reminder that NHI risk is not just an engineering hygiene issue. It affects incident response, auditability, and operational resilience, so governance leaders need to treat it as a board-visible control problem. The practitioner conclusion is straightforward: if NHI is absent from executive risk discussions, the organisation is already behind.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can organisations reduce the blast radius of compromised service accounts and agents?

A: Organisations reduce blast radius by limiting entitlements, shortening credential lifetime, separating duties, monitoring usage, and revoking access quickly when behaviour changes. The practical goal is to make any single compromised identity useful for as little time and for as few systems as possible.

👉 Read our full editorial: NHI governance takes center stage at My Security Event Munich 2026
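As an added example, not code from the original posts or from GitGuardian or NHI Mgmt Group, this runs the inventory and blast-radius review from the practitioner guidance above and the blast-radius answer in this reply over a constructed inventory; the identity names, systems, trust edges, review date and 90-day review cadence are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
@dataclass
class NHI:                     # one record of the NHI inventory
    name: str
    owner: str | None          # named human owner
    purpose: str | None        # business purpose
    expires: date | None       # hard expiry of the credential
    last_review: date | None   # last ownership/entitlement review
    reaches: set[str] = field(default_factory=set)  # directly accessible systems

# Constructed trust graph: TRUSTS[system] = downstream systems that trust it,
# so an abused identity's reach propagates through them.
TRUSTS = {"ci-runner": {"artifact-store", "prod-deploy"}, "prod-deploy": {"prod-db"}}
# Constructed inventory; every name and date here is illustrative only.
INVENTORY = [
    NHI("deploy-bot", "platform-team", "CI deploys",
        date(2026, 12, 31), date(2026, 10, 1), {"ci-runner"}),
    NHI("research-agent", None, "summarise tickets", None, None, {"ticketing", "vector-db"}),
    NHI("legacy-key", "alice", None, date(2025, 6, 30), date(2025, 1, 15), {"prod-db"}),
]
TODAY = date(2026, 11, 17)  # assumed date of the review

def reachable(start: set[str], trusts: dict[str, set[str]]) -> set[str]:
    # Transitive blast radius: all systems reachable from the direct entitlements.
    seen, stack = set(), list(start)
    while stack:
        system = stack.pop()
        if system not in seen:
            seen.add(system)
            stack.extend(trusts.get(system, ()))
    return seen

def governance_gaps(nhi: NHI, today: date, review_days: int = 90) -> list[str]:
    # Lifecycle checks from the guidance: owner, purpose, expiry, review cadence.
    checks = [
        ("no human owner", not nhi.owner),
        ("no business purpose", not nhi.purpose),
        ("no expiry", nhi.expires is None),
        ("expired", nhi.expires is not None and nhi.expires < today),
        ("review overdue", nhi.last_review is None
         or today - nhi.last_review > timedelta(days=review_days)),
    ]
    return [label for label, failed in checks if failed]

def review(inventory: list[NHI], trusts: dict[str, set[str]], today: date) -> list[dict]:
    # Rank by blast radius first, then by number of governance gaps.
    rows = [{"name": n.name, "blast_radius": len(reachable(n.reaches, trusts)),
             "gaps": governance_gaps(n, today)} for n in inventory]
    return sorted(rows, key=lambda r: (-r["blast_radius"], -len(r["gaps"])))
```

Note that the well-governed deploy-bot still tops the ranking: blast radius comes from the trust graph, not from hygiene, which is why the guidance measures it separately from ownership and expiry.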