NHI lifecycle management: what Oasis Security’s exit signals


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Non-human identities now outnumber humans by 50 times, and rotation, revocation, and lifecycle control require full contextual visibility, according to Oasis Security. The core issue is not just secret sprawl, but the governance gap created when identity lifecycles outgrow human-centric access models.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern service account lifecycles at scale?

A: Start with inventory, ownership, and dependency mapping for every service account, API key, token, and certificate.

Q: Why do NHIs create more governance risk than human accounts?

A: NHIs are created in large numbers, often carry broad permissions, and frequently persist without the same lifecycle discipline applied to people.

Q: What breaks when organisations rotate secrets without visibility?

A: Rotation without visibility can break production workloads because teams do not know which systems depend on a credential or how widely it is reused.

Practitioner guidance

  • Inventory all machine identities and their dependencies. Build a complete map of service accounts, API keys, tokens, and certificates, including where each credential is used, which applications trust it, and who owns its lifecycle.
  • Tie every non-human identity to an owner and retirement rule. Require a named business or technical owner for each machine identity, plus an explicit condition for revocation or decommissioning.
  • Separate rotation policy from operational readiness. Do not shorten secret lifetimes until you can prove the affected workloads can tolerate change.

What's in the full announcement

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The company narrative behind the stealth exit and how the team frames the NHI category opportunity
  • Direct commentary from early customers on the operational pain points that triggered interest
  • The lifecycle-management angle the article says was missing from earlier NHI discussions
  • The wider vision for how the vendor intends to position NHI governance over time

👉 Read Oasis Security’s post on emerging from stealth and NHI lifecycle governance →

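The practitioner guidance in the post above (inventory with dependencies, a named owner and retirement rule per identity, and rotation gated on operational readiness) as an added example that is not part of the original post or Oasis Security's product. The identities, workloads, owners and the 90-day unused threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

@dataclass
class MachineIdentity:
    name: str
    kind: str                          # service_account | api_key | token | certificate
    owner: Optional[str]               # named owner; None means unowned
    retire_when: Optional[str]         # explicit decommission condition; None means undefined
    used_by: List[str] = field(default_factory=list)  # workloads that present this credential
    last_used: Optional[date] = None   # last authentication observed; None means never seen

UNUSED_DAYS = 90                       # assumed revocation threshold, not a figure from the post
TODAY = date(2024, 6, 1)               # constructed review date
# Constructed sample: hypothetical workloads proven to reload a rotated credential without outage
ROTATION_READY: Set[str] = {"billing-api", "report-worker"}

# Constructed sample inventory (hypothetical identities and owners)
INVENTORY = [
    MachineIdentity("svc-billing", "service_account", "team-payments",
                    "retire when billing-api is decommissioned",
                    ["billing-api", "report-worker"], date(2024, 5, 30)),
    MachineIdentity("key-legacy-export", "api_key", None, None,
                    ["legacy-export-cron"], date(2024, 1, 2)),
    MachineIdentity("tok-orphan", "token", "team-data", None, [], None),
]

def lifecycle_findings(ident: MachineIdentity, ready: Set[str], today: date) -> List[str]:
    """Governance findings for one identity; an empty list means it is healthy."""
    findings = []
    if ident.owner is None:
        findings.append("no-owner")
    if ident.retire_when is None:
        findings.append("no-retirement-rule")
    if not ident.used_by:
        findings.append("no-known-dependents")   # inventory gap or dead credential
    if ident.last_used is None or (today - ident.last_used).days > UNUSED_DAYS:
        findings.append("revocation-candidate")  # unused beyond the threshold
    if any(w not in ready for w in ident.used_by):
        findings.append("rotation-not-ready")    # a dependent is not proven change-tolerant
    return findings

def can_shorten_lifetime(ident: MachineIdentity, ready: Set[str]) -> bool:
    """Gate for tightening rotation: every dependent is known and rotation-safe."""
    return bool(ident.used_by) and all(w in ready for w in ident.used_by)

if __name__ == "__main__":
    for ident in INVENTORY:
        print(f"{ident.name}: {lifecycle_findings(ident, ROTATION_READY, TODAY) or ['ok']}")
```

Run against the sample, only `svc-billing` passes the rotation gate; the unowned API key and the never-used token surface as findings before any lifetime is shortened.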
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Non-human identity growth has turned lifecycle governance into the control plane for modern IAM. Once machine identities outnumber humans at large multiples, the traditional access-review model stops being the primary line of defence. The discipline shifts to whether organisations can continuously inventory, rotate, and revoke access across service accounts, secrets, and tokens. The practitioner conclusion is simple: NHI lifecycle governance is now a core identity security function, not an adjacent hygiene task.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the same research.

A question worth separating out:

Q: Who is accountable for revoking unused machine identities?

A: Accountability should sit with the application owner, platform owner, or service owner who can confirm the identity is still needed. If no one can answer that question, the identity is already unmanaged. Mature programmes treat revocation as part of lifecycle ownership, not as an afterthought for security operations.

👉 Read our full editorial: Oasis Security’s stealth exit frames the NHI lifecycle gap