TL;DR: Non-human identities outnumber human identities by 20x on average, with visibility, rotation, ownership, and attestation now treated as core controls rather than optional hygiene, according to Oasis Security’s first-year summary. Traditional human-centric IAM models are too rigid for fragmented cloud identity perimeters and automated workload access.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- NHIs are everywhere: they outnumber human identities by roughly 20 to 1 on average, are highly privileged, and are often unmanaged.
Questions worth separating out
Q: How should security teams govern service accounts and API keys across cloud platforms?
A: Treat them as lifecycle-managed identities, not static credentials.
Q: Why do NHIs complicate zero trust architecture?
A: Zero trust assumes every access request can be evaluated continuously, but NHIs are often spread across pipelines, vaults, applications, and cloud services with incomplete context about who uses them and why.
Q: What breaks when NHI visibility is limited to inventory alone?
A: Teams can count identities without understanding their permissions, consumers, or business purpose.
Practitioner guidance
- Inventory identities across cloud and SaaS boundaries: build a canonical map that links each service account, token, API key, and database user to its parent system, owner, and downstream consumers.
- Correlate usage with ownership and entitlements: join audit logs, vault events, IdP metadata, and application telemetry so every NHI can be attested against real use.
- Automate stale NHI decommissioning: detect inactive or unconsumed identities, verify they are no longer required, and remove them through a controlled decommissioning workflow.
What's in the full announcement
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- Hundreds of product changes shipped in the first year, including the specific platform areas expanded for enterprise readiness.
- The full visibility model across Azure, AWS, GCP, Active Directory, and Okta, plus the additional secret sources integrated into the platform.
- The automated playbooks for stale account decommissioning, secret rotation, and overprivileged NHI remediation.
- The compliance reporting approach for PCI 4.0, NIST, and SOC 2, including how the platform packages evidence for audits.
👉 Read Oasis Security’s first-year review of NHI Security Cloud capabilities →
Oasis NHI Security Cloud’s first year: what changed for IAM teams?
Explore further
Identity perimeter fragmentation is now a governance problem, not an inventory problem. Once each cloud and SaaS service behaves like a separate identity provider, centralized review loses line of sight over machine identities. That means the programme cannot rely on a single authoritative directory to tell it what exists or who owns it. Practitioners should treat cross-platform identity correlation as the new baseline for NHI governance.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why lifecycle control so often lags behind discovery.
A question worth separating out:
Q: How can teams reduce risk from stale non-human identities?
A: Use automated detection, verification, and safe decommissioning workflows for accounts and secrets that are no longer in use. Pair that with ownership reassignment and revocation evidence so the leaver process is visible, auditable, and repeatable across infrastructure and platform teams.
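The three practitioner steps above (inventory, correlate usage with ownership, decommission stale NHIs) and the stale-NHI answer just given, as an added example that is not Oasis Security's code and not part of the original post: a Python script that joins a constructed inventory with constructed audit and vault log lines, classifies each identity as keep, reassign owner, hold or decommission, surfaces principals that appear in telemetry but not in the inventory, and emits a revocation evidence record for the decommission case. The 90-day window, the simplified log format, the identity names and every function name are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: no observed use inside this window makes an NHI a stale candidate.
STALE_AFTER = timedelta(days=90)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


@dataclass
class NHI:
    identity_id: str
    kind: str                      # service_account, api_key, db_user, token
    platform: str
    owner: str | None              # None = no accountable owner on record
    entitlements: list[str]
    consumers: list[str] = field(default_factory=list)  # known downstream consumers


@dataclass
class Finding:
    identity_id: str
    last_used: datetime | None
    action: str                    # keep | reassign_owner | hold | decommission
    reason: str


# Constructed sample inventory (hypothetical identities, not real ones).
INVENTORY = [
    NHI("sa-ci-deploy", "service_account", "gcp", "platform-team", ["roles/storage.admin"], ["ci-pipeline"]),
    NHI("key-legacy-reporting", "api_key", "aws", "data-team", ["s3:GetObject"]),
    NHI("db-etl-reader", "db_user", "azure", None, ["SELECT"], ["etl-job"]),
    NHI("tok-okta-sync", "token", "okta", "iam-team", ["okta.users.read"], ["hr-sync"]),
]

# Constructed audit/vault lines in an assumed "timestamp key=value ..." format.
EVENT_LINES = [
    "2024-05-30T12:00:00Z source=gcp_audit principal=sa-ci-deploy action=storage.objects.create",
    "2024-01-15T08:12:44Z source=aws_cloudtrail principal=key-legacy-reporting action=s3:GetObject",
    "2024-02-01T03:00:00Z source=vault principal=db-etl-reader action=secret.read",
    "2024-05-29T09:30:00Z source=gcp_audit principal=sa-ci-deploy action=storage.objects.get",
    "2024-04-10T00:00:00Z source=aws_cloudtrail principal=unknown-key-0099 action=sts:GetCallerIdentity",
]


def parse_events(lines: list[str]) -> list[tuple[str, datetime]]:
    """Return (principal, timestamp) pairs from the constructed log format."""
    events = []
    for line in lines:
        ts, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # tz-aware UTC
        events.append((fields["principal"], when))
    return events


def last_use(events: list[tuple[str, datetime]]) -> dict[str, datetime]:
    """Most recent observed use per principal, merged across all sources."""
    seen: dict[str, datetime] = {}
    for principal, when in events:
        if principal not in seen or when > seen[principal]:
            seen[principal] = when
    return seen


def unknown_identities(inventory: list[NHI], events) -> set[str]:
    """Principals seen in telemetry but absent from the inventory: a visibility gap."""
    return {p for p, _ in events} - {n.identity_id for n in inventory}


def assess(inventory: list[NHI], events, now=NOW, stale_after=STALE_AFTER) -> list[Finding]:
    """Classify each inventoried NHI; a stale identity is never revoked blindly."""
    recent = last_use(events)
    findings = []
    for nhi in inventory:
        used = recent.get(nhi.identity_id)  # None = never observed in any source
        if used is not None and now - used <= stale_after:
            findings.append(Finding(nhi.identity_id, used, "keep", "used within window"))
        elif nhi.owner is None:
            findings.append(Finding(nhi.identity_id, used, "reassign_owner", "stale; no owner can confirm it is unneeded"))
        elif nhi.consumers:
            findings.append(Finding(nhi.identity_id, used, "hold", f"stale; declared consumers {nhi.consumers} need owner verification"))
        else:
            findings.append(Finding(nhi.identity_id, used, "decommission", "stale, owned, no declared consumers"))
    return findings


def revocation_evidence(finding: Finding, nhi: NHI, approver: str, revoked_at: datetime) -> dict:
    """Audit record a controlled decommissioning workflow should emit on revocation."""
    if finding.action != "decommission":
        raise ValueError(f"{finding.identity_id}: action is {finding.action}, not decommission")
    return {
        "identity_id": nhi.identity_id,
        "platform": nhi.platform,
        "owner": nhi.owner,
        "last_used": finding.last_used.isoformat() if finding.last_used else None,
        "entitlements_revoked": list(nhi.entitlements),
        "approved_by": approver,
        "revoked_at": revoked_at.isoformat(),
    }


if __name__ == "__main__":
    events = parse_events(EVENT_LINES)
    for f in assess(INVENTORY, events):
        print(f"{f.identity_id:22} {f.action:15} {f.reason}")
    print("seen in logs but not inventoried:", unknown_identities(INVENTORY, events))
```

The design point is that staleness alone never triggers revocation: an unowned identity goes to ownership reassignment first, an identity with declared consumers is held for the owner to verify, and only an owned, unconsumed, stale identity proceeds to decommissioning, with an evidence record that captures last use, the entitlements removed and the approver. The principal that shows up in CloudTrail but not in the inventory is the case inventory-only visibility misses.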
👉 Read our full editorial: Oasis Security's first year shows why NHI governance needs new controls