TL;DR: Enterprises face proliferating AI agents, over-privileged service accounts, and continuous access risk as governance shifts from periodic review to continuous identity action, forcing IAM teams to rethink human, NHI, and autonomous controls together, according to Linx Security.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- Non-human identities now outnumber human ones by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agents alongside human and non-human identities?
A: Treat AI agents as part of the identity control plane, not as a separate innovation project.
Q: Why do periodic access reviews fail for modern identity environments?
A: Periodic reviews fail because access changes faster than the review cycle.
Q: What breaks when non-human identities are not treated as first-class identities?
A: Ownership, lifecycle management, and revocation break first.
Practitioner guidance
- Map governance latency across identity types Measure how long it takes to detect, review, and revoke access for human accounts, service accounts, and AI-driven workflows.
- Inventory identities by lifecycle state Classify each identity as active, dormant, orphaned, or machine-owned, and require a named owner for every non-human identity.
- Separate certification from remediation Do not assume an access review closes the loop.
What's in the full announcement
Linx Security's full company update covers the operational detail this post intentionally leaves for the source:
- The funding context behind the Series B and the market signals Linx says it is reading from enterprise demand
- A closer look at Linx Autopilot as a product concept, including how the company describes continuous governance workflows
- The company's own explanation of how AI-native architecture differs from legacy IGA operating models
- The customer-facing roadmap and webinar material tied to the new identity governance positioning
👉 Read Linx Security's company update on the Series B and AI-native IGA →
AI-native IGA and autonomous identity governance: what changes now?
Explore further
AI-native IGA is really a response to governance latency, not a new theory of identity. The underlying problem is that periodic review models cannot keep pace with identities that are created, consumed, and retired continuously. When the environment includes humans, NHIs, and AI agents, the old assumption that access can be governed in batches stops holding. Practitioners should read this as a category shift from review-centric governance to continuous identity control.
A few things that frame the scale:
- Non-human identities now outnumber human ones by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why governance tools that assume a complete inventory routinely underperform.
A question worth separating out:
Q: When should teams move from periodic governance to continuous identity control?
A: Teams should move when identity activity is too frequent or too distributed for manual certification to keep up. A continuous model is justified when cloud sprawl, machine accounts, or AI workflows create access changes faster than reviewers can inspect them. In that case, governance based on batch approvals is already behind the risk.
👉 Read our full editorial: AI-native IGA changes the governance model for human, machine, and AI identities