TL;DR: AI agents and machine identities are pushing non-human identity risk beyond human-era IAM assumptions, according to Akeyless, with the company citing hundreds of billions of workload identity transactions annually and broad enterprise adoption. The governance break is that standing privileges and long-lived credentials no longer match runtime access decisions in agent-driven environments.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents that can act across multiple systems?
A: Security teams should govern AI agents as runtime identities, not as static accounts.
Q: Why do long-lived credentials create more risk for machine identities than for humans?
A: Long-lived credentials create more risk for machine identities because machines can act continuously, move faster, and reach more systems than a human can manually supervise.
Q: What breaks when identity governance is split between IAM, PAM, and secrets tools?
A: What breaks is the ability to see and revoke effective access as one chain.
Practitioner guidance
- Inventory agent and machine identities by runtime authority: Classify every AI agent, workload identity, and service account by the systems it can reach, the tools it can invoke, and whether access is persistent or task-bound.
- Replace standing access with task-scoped access decisions: Use just-in-time provisioning for identities that do not need durable access, and require explicit expiration for any cross-cloud or cross-system privilege.
- Unify federation and revocation across control planes: Align IAM, PAM, and secrets workflows so that revocation in one layer actually removes effective access in the others, including federated agent sessions.
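The three guidance points above, worked through as an added example (this is illustrative code written for this post, not Akeyless's platform or NHIMG's own tooling): a hypothetical `RuntimeAuthority` broker that issues task-scoped grants with an explicit TTL across the IAM, PAM and secrets layers, evaluates effective access as one chain, cascades revocation to every layer, and inventories identities by reachable targets and standing versus task-bound access. Layer names, identities and targets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed set of control planes that each hold one link of the access chain.
LAYERS = ("iam", "pam", "secrets")


@dataclass
class Grant:
    layer: str
    identity: str
    target: str
    expires_at: Optional[float]  # None means standing (persistent) access
    revoked: bool = False

    def active(self, now: float) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)


class RuntimeAuthority:
    """Hypothetical broker: task-scoped grants, chain evaluation, cascading revocation."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def issue(self, identity: str, target: str, ttl: Optional[float], now: float) -> List[Grant]:
        # Task-bound access must carry a positive TTL; ttl=None records a standing grant.
        if ttl is not None and ttl <= 0:
            raise ValueError("task-scoped grant needs a positive TTL")
        expires = None if ttl is None else now + ttl
        issued = [Grant(layer, identity, target, expires) for layer in LAYERS]
        self.grants.extend(issued)
        return issued

    def effective_access(self, identity: str, target: str, now: float) -> bool:
        # Access is effective only while every layer in the chain is active right now.
        return all(any(g.active(now) for g in self.grants
                       if g.layer == layer and g.identity == identity and g.target == target)
                   for layer in LAYERS)

    def revoke(self, identity: str, target: Optional[str] = None) -> int:
        # Revocation cascades to all layers so no single layer keeps access alive.
        hit = [g for g in self.grants if g.identity == identity and not g.revoked
               and (target is None or g.target == target)]
        for g in hit:
            g.revoked = True
        return len(hit)

    def inventory(self, now: float) -> Dict[str, dict]:
        # Classify each identity by what it can reach and whether any access is standing.
        out: Dict[str, dict] = {}
        for g in self.grants:
            if g.active(now):
                entry = out.setdefault(g.identity, {"targets": set(), "standing": False})
                entry["targets"].add(g.target)
                entry["standing"] = entry["standing"] or g.expires_at is None
        return out
```

Any identity the inventory flags as `standing` is a candidate for conversion to a TTL-bound grant; a grant whose layers expire or are revoked together never leaves a stale link behind.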
What's in the full announcement
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- The appointment context and ecosystem strategy narrative behind the CSO hire.
- Akeyless's description of its platform architecture, including distributed fragments cryptography and agentic runtime authority.
- The specific integration list across cloud providers, security tools, and enterprise platforms.
- The vendor's own framing of how its identity controls are applied across humans, machines, and AI agents.
👉 Read Akeyless's statement on AI-era identity strategy and ecosystem expansion →
AI agent identity risk and runtime access control: what changes now?
AI agent identity risk is really a runtime governance problem. The issue is not just that more identities exist. It is that traditional controls were built for access that persists long enough to be reviewed, certified, and revoked on a human cycle. When agents act at machine speed, governance has to follow the session, not the calendar. Practitioners should treat runtime access as the primary governance surface.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- Our research also shows that 97% of NHIs carry excessive privileges, which is why runtime scoping matters more than after-the-fact review.
A question worth separating out:
Q: When should organisations move from periodic review to runtime access control?
A: Organisations should move when identities can complete meaningful actions before the next review cycle would ever see them. If access can be created, used, and discarded within a short session, periodic certification is too slow to govern it. Runtime controls are necessary whenever the identity’s behaviour changes faster than the review process.
👉 Read our full editorial: Akeyless strategy hire underscores the shift to real-time identity control