TL;DR: Identity governance is shifting toward continuous background control rather than periodic human workflow, with Lumos saying its Identity Agent Force continuously governs access across human, machine, and AI identities, including access reviews, access requests, role mining, entitlement analysis, NHI ownership, and agent ownership.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern access across human, NHI, and AI identities?
A: Security teams should govern all three through a shared lifecycle and policy layer, but with different operating rules for each actor type.
Q: Why do service accounts and AI agents create different identity governance problems?
A: Service accounts primarily create ownership, sprawl, and credential persistence problems, while AI agents also create runtime decision-making and exception-handling problems.
Q: What breaks when access reviews stay manual in fast-changing identity environments?
A: Manual reviews break when entitlement changes outpace the review cadence.
Practitioner guidance
- Map ownership for every non-human identity: inventory service accounts, API keys, tokens, and AI agents, then require a current human owner, escalation path, and lifecycle state for each.
- Convert periodic review into exception-based governance: reserve human approval for access cases the system cannot confidently certify.
- Refresh least-privilege roles from live usage data: mine actual permission usage across applications, compare it with assigned entitlements, and rebuild roles where access has drifted beyond task needs.
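As an added illustration of the three steps above (example code written for this post, not Lumos' or any vendor's implementation), the following Python runs over a constructed inventory: it flags non-human identities that lack an owner or escalation path, auto-certifies or auto-revokes only where the usage data settles the case and routes everything else to a human, and rebuilds a role from observed use. The record layout (owner, escalation, lifecycle_state, assigned, observed) and the `admin:`/`iam:` prefixes used to mark privileged scopes are assumptions; a real run would load the same fields from an identity store and application audit logs.

```python
"""Exception-based access governance over a small identity inventory.

Added example, not Lumos' code. The inventory, the record layout and the
privileged-scope prefixes are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumption: scopes with these prefixes are too sensitive to revoke without a human.
PRIVILEGED_PREFIXES = ("admin:", "iam:")
VALID_STATES = ("active", "retiring", "retired")


@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service_account" or "ai_agent"
    role: str                       # role the identity was provisioned from
    owner: Optional[str]            # accountable human, None if orphaned
    escalation: Optional[str]       # who is contacted when the owner is unreachable
    lifecycle_state: str            # one of VALID_STATES
    assigned: FrozenSet[str]        # entitlements granted
    observed: FrozenSet[str]        # entitlements actually used in the lookback window


# Constructed sample inventory: one human, two service accounts, one AI agent.
INVENTORY = [
    Identity("alice", "human", "billing-analyst", "alice", "fin-lead", "active",
             frozenset({"billing:read", "billing:export"}),
             frozenset({"billing:read", "billing:export"})),
    Identity("svc-billing-etl", "service_account", "billing-etl", "bob", "data-oncall", "active",
             frozenset({"billing:read", "s3:write", "admin:users"}),
             frozenset({"billing:read", "s3:write"})),
    Identity("svc-legacy-sync", "service_account", "billing-etl", None, None, "active",
             frozenset({"billing:read", "s3:write"}),
             frozenset()),
    Identity("agent-invoice-bot", "ai_agent", "billing-etl", "carol", "ai-platform", "retired",
             frozenset({"billing:read", "iam:assume-role"}),
             frozenset({"billing:read"})),
]


def ownership_gaps(identities):
    """Step 1: every non-human identity needs an owner, an escalation path and a known lifecycle state."""
    gaps = []
    for ident in identities:
        if ident.kind == "human":
            continue
        missing = [f for f in ("owner", "escalation") if getattr(ident, f) is None]
        if ident.lifecycle_state not in VALID_STATES:
            missing.append("lifecycle_state")
        if missing:
            gaps.append((ident.name, missing))
    return gaps


def entitlement_drift(ident):
    """Assigned entitlements with no observed use: the candidates for removal."""
    return ident.assigned - ident.observed


def certify(ident):
    """Step 2: decide automatically only where the data settles the case; otherwise escalate to a human."""
    if ident.lifecycle_state == "retired" and ident.assigned:
        return ("auto-revoke", "retired identity still holds entitlements")
    if ident.kind != "human" and (ident.owner is None or ident.escalation is None):
        return ("human-review", "no accountable owner or escalation path")
    drift = entitlement_drift(ident)
    if not drift:
        return ("auto-certify", "usage matches assignment")
    if any(e.startswith(PRIVILEGED_PREFIXES) for e in drift):
        return ("human-review", "unused privileged entitlements: %s" % sorted(drift))
    return ("auto-revoke", "unused entitlements: %s" % sorted(drift))


def mine_role(identities, role):
    """Step 3: rebuild a role from live usage, keeping an entitlement only if an active member used it."""
    members = [i for i in identities if i.role == role and i.lifecycle_state != "retired"]
    assigned = frozenset().union(*(m.assigned for m in members))
    used = frozenset().union(*(m.observed for m in members))
    return {"keep": sorted(assigned & used), "drop": sorted(assigned - used)}


def governance_report(identities):
    """One decision per identity; only the human-review rows need a person's time."""
    return {i.name: certify(i) for i in identities}


if __name__ == "__main__":
    print("ownership gaps:", ownership_gaps(INVENTORY))
    for name, (decision, reason) in governance_report(INVENTORY).items():
        print(f"{name:20} {decision:13} {reason}")
    print("billing-etl role rebuilt from usage:", mine_role(INVENTORY, "billing-etl"))
```

In the sample data only two of four identities reach a human: the orphaned service account and the one holding an unused `admin:` scope. The retired agent is revoked outright and the human whose usage matches her grants is certified without a ticket, which is the exception-based pattern the guidance describes.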
What's in the full announcement
Lumos' full article covers the operational detail this post intentionally leaves for the source:
- The specific operating model for the Access Review Agent, including how it certifies access and escalates exceptions.
- The way the Agent Ownership Finder maps humans to NHIs and AI agents before they are allowed to keep operating.
- The entitlement translation workflow that turns permissions into plain-language review context for approvers.
- The article's description of how continuous agentic governance connects to the vendor's IGA backbone and policy translation layer.
👉 Read Lumos' analysis of identity governance for human, NHI, and AI identities →
AI identity governance at machine speed: what changes for teams?
Human-centric identity governance is no longer the default operating model. The article’s core signal is that quarterly reviews, ticket queues, and manual certifications were designed for human-paced change, not for environments where humans, NHIs, and AI agents all mutate access at different speeds. That does not make the old model wrong, but it does make it incomplete for mixed estates. The practitioner conclusion is that access governance must be evaluated by actor type, not by one universal workflow.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack a complete machine identity inventory.
A question worth separating out:
Q: Who should be accountable for non-human identities in an enterprise?
A: Accountability should sit with a named human owner for each non-human identity, supported by governance teams that enforce lifecycle rules and review exceptions. The owner is responsible for the identity’s purpose and removal, while the governance function ensures it remains visible, scoped, and auditable. Without that split, NHIs become orphaned risk.
👉 Read our full editorial: Lumos Identity Agent Force reframes access governance for AI