TL;DR: NHIs now outnumber humans by 10 to 50 times and often carry broader access to sensitive data, which leaves most enterprises with visibility, rotation, and lifecycle gaps, according to Oasis Security. The real issue is not just scale, but the mismatch between NHI behaviour and IAM, PAM, and secret management tools built for human-paced controls.
NHIMG editorial — what this means for IAM teams
By the numbers:
- NHIs now outnumber humans by 10-50x, and together they form a large attack surface that needs the same ownership, scoping, and retirement controls that human accounts already get.
Questions worth separating out
Q: What breaks when NHI lifecycle governance is not in place?
A: When NHI lifecycle governance is weak, organisations lose visibility into ownership, purpose, privilege scope, and retirement.
Q: Why do non-human identities increase blast radius in cloud environments?
A: Non-human identities often carry broader and more persistent permissions than human users because they are built to keep systems running, and they are rarely subject to the session expiry, MFA, or re-authentication that bound a human account. A single leaked key can therefore reach more data, for longer, than a compromised user login.
Q: How do security teams know if NHI rotation is actually working?
A: Rotation is working when teams can prove that credentials are replaced on schedule, dependencies are updated without manual exceptions, and old credentials are no longer usable.
Practitioner guidance
- Map every NHI to a named owner and consuming system: create an authoritative inventory that records who owns each service account, token, key, or role, what system uses it, and which data or infrastructure it can reach.
- Right-size privileges before expanding automation: review the permissions attached to long-lived identities and reduce any access that is broader than the current workload requires.
- Build lifecycle checkpoints into developer and ops workflows: embed creation, rotation, and decommissioning steps into the systems that provision NHIs so the process does not depend on manual tickets.
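The three guidance items above, and the earlier question about proving that rotation is actually working, all reduce to checks that can be run over an inventory. The following is an added example written for this editorial, not code from Oasis Security or NHIMG: it audits a constructed NHI inventory for missing ownership, overbroad grants, overdue rotation, and the common failure where a "rotation" adds a new key but never revokes the old one. The record fields, the 90-day policy window, the broad-permission markers, and every identity and key name are assumptions for illustration.

```python
# Added example (not from Oasis Security or NHIMG): audit a constructed
# NHI inventory for missing ownership, overbroad privilege, and rotation
# that has not actually taken effect. All names and thresholds are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ROTATION_MAX_AGE = timedelta(days=90)          # assumed rotation policy
BROAD_MARKERS = ("*", "Admin", "FullAccess")   # assumed markers of overbroad grants


@dataclass
class Credential:
    cred_id: str
    created: datetime
    active: bool  # True if the provider still accepts this credential


@dataclass
class NHI:
    name: str
    owner: Optional[str]        # named human or team accountable for this identity
    consumer: str               # system that uses it
    permissions: List[str]      # IAM-style action strings it can exercise
    credentials: List[Credential]


def audit(inventory: List[NHI], now: datetime) -> Dict[str, List[str]]:
    """Return a list of findings per NHI; an empty list means the identity passes."""
    findings: Dict[str, List[str]] = {}
    for nhi in inventory:
        issues: List[str] = []

        # 1. Ownership: nobody can answer "why does this exist?" without an owner.
        if not nhi.owner:
            issues.append("no_owner")

        # 2. Privilege scope: flag grants that look broader than a workload needs.
        broad = [p for p in nhi.permissions if any(m in p for m in BROAD_MARKERS)]
        if broad:
            issues.append("overbroad_permissions:" + ",".join(broad))

        # 3. Rotation: the newest credential must be younger than the policy window...
        if nhi.credentials:
            newest = max(nhi.credentials, key=lambda c: c.created)
            if now - newest.created > ROTATION_MAX_AGE:
                issues.append("rotation_overdue")
            # ...and every older credential must actually be unusable; otherwise
            # "rotation" only added a key instead of replacing one.
            still_live = [c.cred_id for c in nhi.credentials
                          if c.active and c is not newest]
            if still_live:
                issues.append("old_credential_still_usable:" + ",".join(still_live))
        else:
            issues.append("no_credentials_recorded")

        findings[nhi.name] = issues
    return findings


# Constructed sample inventory and a fixed "now" so the run is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    NHI("ci-deployer", "platform-team", "github-actions",
        ["s3:GetObject", "s3:PutObject"],
        [Credential("key-3", NOW - timedelta(days=30), True)]),
    NHI("legacy-etl", None, "cron-box-07",
        ["s3:*", "rds:DescribeDBInstances"],
        [Credential("key-1", NOW - timedelta(days=200), True)]),
    NHI("billing-sync", "finance-eng", "billing-worker",
        ["sqs:SendMessage"],
        [Credential("key-1", NOW - timedelta(days=100), True),   # never revoked
         Credential("key-2", NOW - timedelta(days=5), True)]),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The third check is the one that answers "is rotation actually working": it is not enough that a fresh credential exists, the previous one must be confirmed unusable, which in practice means querying the provider for the key's status rather than trusting the vault's record. In a real programme the `active` flag would be populated from the cloud or SaaS provider's API and the inventory from the discovery tooling, not hand-built as here.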
What's in the full announcement
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The platform's agentless connection model across AWS, Azure, GCP, SaaS, and on-premise systems.
- The Posture and Remediation Intelligence workflow for discovery, severity scoring, and generated remediation plans.
- Examples of how Oasis says it classifies vulnerabilities and operationalises rotation, rightsizing, and stale NHI removal.
👉 Read Oasis Security's announcement on non-human identity management →
NHI lifecycle governance gap: what are IAM teams missing?
NHI lifecycle governance has become the control plane, not the cleanup task. The article is right to frame discovery, remediation, and lifecycle automation as one problem, because NHI risk does not end at vaulting credentials. What matters is whether an organisation can prove ownership, privilege scope, and retirement for every machine identity. Security teams should treat lifecycle governance as a first-class operating model, not a backlog item.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only about 15% of organisations (1.5 in 10) are highly confident in their ability to secure NHIs, which is why governance programmes need more than secrets storage.
A question worth separating out:
Q: Who should be accountable for third-party NHI access?
A: Accountability should sit with the business and technical owners who can prove why the external identity exists, what it can access, and when it should be removed. Third-party NHI access is not a set-and-forget integration. It needs named ownership, review dates, and offboarding logic so the access does not outlive the relationship or the operational need.
👉 Read our full editorial: Non-human identity management now needs lifecycle governance