TL;DR: Identity programmes are converging on one governance plane for workforce, machine, and agentic access, with an AI-powered identity platform now spanning human access, non-human access, JIT, MCP, and ISPM for AI agents, according to Saviynt. The practical signal is that separation is becoming harder to defend.
NHIMG editorial — based on content published by Saviynt: its newsroom overview of AI-powered identity platform coverage
By the numbers:
- Over 100 million identities protected, and counting!
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern human, machine, and AI agent access together?
A: Security teams should govern them through one lifecycle model while preserving separate ownership, scope, and review rules for each identity type.
Q: Why do non-human identities complicate traditional IAM programmes?
A: Non-human identities complicate IAM because they often outnumber human identities, hold broad permissions, and operate outside normal joiner-mover-leaver processes.
Q: When does just-in-time access fail as an NHI control?
A: Just-in-time access fails when the standing privilege underneath it remains broad, poorly owned, or rarely reviewed.
Practitioner guidance
- Inventory all non-human access paths: Catalogue service accounts, API keys, workload identities, and AI agent credentials in one register so you can see where access overlaps with human permissions.
- Separate JIT grants from standing entitlements: Review whether time-bound access is still backed by persistent privilege underneath.
- Map MCP-connected tools to privileged surfaces: Treat every tool exposed to an AI agent through MCP as a controlled access point with ownership, policy, and logging.
What's in the full article
Saviynt's full newsroom page covers the product and platform detail this post intentionally leaves at the governance level:
- How Saviynt groups human identity, non-human identity, JIT, and AI agent capabilities within its platform messaging
- The specific solution areas named on the page, including Identity Security Posture Management and Privileged Access Management
- The product and business context behind the platform's positioning across applications, data, and business processes
Saviynt’s NHI platform focus: what it means for IAM teams?
The real signal here is identity convergence, not product breadth. When a platform describes governance for human access, non-human access, JIT, MCP, and AI agents in one place, it reflects where enterprise identity programmes are heading. The field is moving from separate point problems toward a unified control plane that still has to respect different identity behaviours. Practitioners should read that as a governance architecture issue, not a feature checklist.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What should teams do when AI agents can invoke tools through MCP?
A: Teams should treat MCP-connected tools as privileged access points and define which actions the agent may initiate, which data sources it may reach, and when approval is required. The goal is to prevent an agent from turning broad tool discovery into broad authority. Logging and ownership should be explicit for every exposed tool.
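One way to express that answer as a deny-by-default gate in front of agent tool calls. This is an added example, not code from Saviynt or NHIMG; the register contents, tool names, and the `authorize` function are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolPolicy:
    owner: str                 # team accountable for the exposed tool
    actions: frozenset         # actions the agent may initiate
    data_sources: frozenset    # data sources the agent may reach
    needs_approval: frozenset = frozenset()  # actions gated on a human approver

# Hypothetical register of MCP-exposed tools (constructed sample data).
REGISTER = {
    "ticketing": ToolPolicy("it-ops", frozenset({"read", "comment"}),
                            frozenset({"helpdesk-db"})),
    "iam-admin": ToolPolicy("identity-team", frozenset({"read", "grant_role"}),
                            frozenset({"directory"}), frozenset({"grant_role"})),
}

AUDIT_LOG = []  # every decision is recorded, including denials

def authorize(agent, tool, action, data_source, approved_by=None):
    """Decide one tool call. Anything not explicitly registered is denied."""
    policy = REGISTER.get(tool)
    if policy is None:
        # The agent discovered a tool nobody owns: discovery is not authority.
        decision, reason = "deny", "tool not in register"
    elif action not in policy.actions:
        decision, reason = "deny", "action not permitted"
    elif data_source not in policy.data_sources:
        decision, reason = "deny", "data source out of scope"
    elif action in policy.needs_approval and not approved_by:
        decision, reason = "pending", "human approval required"
    else:
        decision, reason = "allow", "within policy"
    AUDIT_LOG.append({
        "agent": agent, "tool": tool, "action": action,
        "data_source": data_source, "decision": decision, "reason": reason,
        "owner": policy.owner if policy else None, "approved_by": approved_by,
    })
    return decision

if __name__ == "__main__":
    authorize("agent-7", "ticketing", "read", "helpdesk-db")
    authorize("agent-7", "shell-exec", "run", "host")         # unregistered tool
    authorize("agent-7", "iam-admin", "grant_role", "directory")
    for entry in AUDIT_LOG:
        print(entry)
```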