TL;DR: AI agents, service accounts, API keys, bots, and cloud workloads now outnumber human identities by up to 50x, while 91% of CISOs report limited to no visibility into AI agents, according to Saviynt. Baseline posture management is no longer a budget choice when exposure can accumulate faster than teams can see it.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Service accounts, API keys, bots, cloud workloads, and AI agents now outnumber human identities by up to 50x.
- 91% of CISOs report limited to no visibility into AI agents.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern AI agents alongside other non-human identities?
A: Treat AI agents as a class of non-human identity with lifecycle ownership, access review, and revocation requirements.
Q: Why do AI agents complicate zero trust architecture?
A: AI agents complicate zero trust because they can operate continuously, call multiple tools, and hold credentials that outlive the task they were meant to perform.
Q: What is the difference between service account governance and AI agent governance?
A: Service account governance usually focuses on static machine access, while AI agent governance must account for autonomous action, tool use, and changing context.
Practitioner guidance
- Make AI agents first-class identities in inventory systems: tag agents, service accounts, API keys, and workload identities in the same inventory so discovery, ownership, and review are not split across tools.
- Map access paths to sensitive resources: document which identities can reach crown-jewel systems, through which roles, tokens, and inherited permissions.
- Enforce continuous posture monitoring for drift: track changes in privilege, exposure, and ownership as a standing control.
Teams should use exposure mapping to prioritise the accounts that can actually reach sensitive systems, then narrow standing access before expanding automation.
Read Saviynt's post on no-cost posture management for AI agents and NHIs.
A few things worth adding from our research at NHI Mgmt Group.
Baseline coverage for AI agent identities is becoming the new governance floor. Treating posture management as a premium add-on means the identities with the fastest growth often receive the weakest oversight. That creates a structural blind spot in IAM programmes, especially when autonomous software can take actions without human prompts. Practitioners should assume agent coverage is incomplete until discovery proves otherwise.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: When should organisations prioritise posture management for NHIs and AI agents?
A: Prioritise it before large-scale deployment, not after incidents or budget reviews. If visibility is limited, excess privilege and stale credentials will accumulate faster than teams can remediate them. Baseline discovery and exposure mapping should come before expansion, because they reduce the size of the blind spot that attackers exploit.
Read our full editorial: AI agent and NHI posture management should be baseline coverage.