TL;DR: Identity programmes now have to govern machine and agent behaviour alongside human access, with no room for legacy lifecycle assumptions, according to Saviynt. Saviynt positions its identity platform around governance for human and non-human access, including NHI, JIT access, and AI agent controls, and claims over 100 million identities protected.
NHIMG editorial — based on content published by Saviynt: newsroom coverage of identity governance, NHI, and AI agent access
By the numbers:
- Over 100 million identities protected, and counting.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern human, NHI, and AI agent access differently?
A: Security teams should use separate control logic for each actor type.
Q: Why do just-in-time controls not solve NHI governance on their own?
A: JIT reduces standing privilege, but it does not fix where secrets live, who can still use them, or whether third parties still retain access.
Q: What breaks when AI agents can choose tools at runtime?
A: Traditional entitlement models assume permissions are known before execution starts.
Practitioner guidance
- Separate governance by actor type: Define distinct control paths for human users, NHIs, and AI agents instead of forcing one access review workflow across all three.
- Inventory delegated access paths: Map where service accounts, API keys, tokens, and agent tool connections exist across applications and business processes.
- Test revocation against the full lifecycle: Validate that access can be withdrawn at the point of offboarding, credential rotation, contract change, or agent decommissioning.
What's in the full article
Saviynt's full newsroom coverage includes the operational detail this post intentionally leaves for the source:
- How the platform segments governance across human access, non-human access, and AI agent use cases.
- What Saviynt means by JIT access, identity security posture management, and MCP server support in operational terms.
- How the product set is positioned across machine identities, application access governance, and privileged access management.
- Which customer and partner references are used to support the newsroom claim set.
AI agent identity governance: what Saviynt's platform update signals?
Identity security is becoming a multi-actor governance problem, not a single-control problem. Platforms that claim coverage across human and non-human access are responding to the real operational issue: one identity model no longer fits workforce users, service accounts, and AI agents. The governance burden is now to align discovery, entitlement, and revocation across actors with different decision patterns. Practitioners should stop assuming that one access review process can govern all three equally.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own offboarding when machine or agent access is involved?
A: Ownership should sit with the team that can actually revoke the credential or delegation, not just the team that requested it. For NHIs and agents, that may include platform owners, application teams, and identity governance. If no one owns revocation, the access outlives the business purpose.