TL;DR: Non-human identities such as service accounts, APIs, bots, and machine identities are now the fastest-growing and least governed attack surface in most organisations, according to Delinea, with visibility gaps and overprivilege pushing the issue into board-level risk. The governance model breaks when access outgrows review, accountability, and audit controls.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams reduce risk from unmanaged non-human identities?
A: Start by inventorying every service account, API key, certificate, bot, and machine identity, then assign an accountable owner and review date.
Q: Why do non-human identities increase audit and compliance exposure?
A: They often operate outside the lifecycle processes used for people, so ownership, approvals, and recertification are inconsistent.
Practitioner guidance
- Inventory every non-human identity: Create a current register of service accounts, APIs, bots, certificates, and machine identities, then assign an owner, business purpose, and expiry or review date to each one.
- Remove standing excess privilege: Review privileged entitlements on machine identities and eliminate permissions that are not needed for the live workflow, especially cross-environment access that widens blast radius.
- Separate human approval from machine execution: Record the approval source, the executing identity, and the target system for every privileged workflow so auditors can trace how access moved through the hybrid chain.
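The three guidance points above lend themselves to a repeatable check. The following is an added example, not code from this post or from Delinea: it lints a constructed NHI register for missing owners, lapsed review dates and privileged cross-environment access, and checks that each privileged workflow record carries a traceable approval source and a registered executing identity. The field names and sample identities are assumptions for illustration, not a standard schema.

```python
from datetime import date
# Constructed sample register (field names are this example's assumptions, not a standard schema).
REGISTER = [
    {"id": "svc-billing-db", "owner": "payments-team", "review_by": "2026-03-01",
     "environments": ["prod"], "privileged": True},
    {"id": "api-key-ci-deploy", "owner": None, "review_by": "2024-01-15",
     "environments": ["dev", "staging", "prod"], "privileged": True},
    {"id": "bot-slack-notify", "owner": "platform-team", "review_by": "2025-12-31",
     "environments": ["dev"], "privileged": False},
]
# Constructed audit records for privileged workflows: approval source, executor, target.
WORKFLOW_LOG = [
    {"workflow": "rotate-db-password", "approval_source": "change-12345",
     "executing_identity": "svc-billing-db", "target": "prod-db-01"},
    {"workflow": "deploy-prod", "approval_source": None,
     "executing_identity": "api-key-ci-deploy", "target": "prod-k8s"},
    {"workflow": "orphan-job", "approval_source": "change-12346",
     "executing_identity": "svc-unknown", "target": "prod-db-01"},
]

def lint_register(register, today_iso):
    """Map identity id -> findings; an empty dict means the register is clean."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for entry in register:
        problems = []
        if not entry.get("owner"):
            problems.append("no accountable owner")
        if date.fromisoformat(entry["review_by"]) < today:
            problems.append("review date passed")
        # Privileged access spanning environments widens blast radius.
        if entry["privileged"] and len(set(entry["environments"])) > 1:
            problems.append("privileged cross-environment access")
        if problems:
            findings[entry["id"]] = problems
    return findings

def lint_workflows(log, register):
    """Flag records whose approval -> executing identity -> target chain cannot be traced."""
    known = {e["id"] for e in register}
    findings = {}
    for rec in log:
        problems = []
        if not rec.get("approval_source"):
            problems.append("no human approval source recorded")
        if rec["executing_identity"] not in known:
            problems.append("executing identity not in register")
        if problems:
            findings[rec["workflow"]] = problems
    return findings
```

Run both linters on a schedule against the real register and audit export; a non-empty result is the recertification queue for the accountable owners.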
What to expect at the briefing
Delinea's full webinar covers the operational detail this post intentionally leaves for the source:
- Practical examples of how enterprises inventory service accounts, APIs, bots, and machine identities across hybrid estates
- A phased control approach for reducing unmanaged credentials and overprivileged access without stopping current programmes
- Guidance on aligning PAM and IAM evidence with DORA, NIS2, ISO 27001, and SOC 2 expectations
- Insight from real enterprise environments managing identity complexity at scale
👉 Register for Delinea's webinar on NHI and AI-driven access risk: "NHI and AI-driven access risk: what IAM teams need to change?" →
Explore further
Non-human identity sprawl is now a governance problem, not a tooling problem. The central issue is not simply that organisations have more secrets. It is that service accounts, API credentials, bots, and machine identities are being created faster than control ownership and review processes can keep up. That means IAM and PAM teams are inheriting an attack surface whose size is dictated by delivery speed, not by governance design. Practitioners should treat inventory quality as a security control, not an administrative task.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 46% confirmed a non-human identity breach and 26% suspected one, which shows how often governance gaps remain partially invisible until after the event.
A question worth separating out:
Q: How should organisations balance AI adoption with identity governance?
A: Treat AI and automation as access design problems from the start, not after deployment. If a workflow needs machine access, define the accountable owner, the privilege boundary, and the logging path before it goes live. That approach reduces compliance exposure without forcing a large-scale programme reset.
👉 Read our full editorial: NHI and AI-driven access are becoming a board-level risk