2025 CISO planning: are your NHI and ZTA controls ready?

TL;DR: 2025 CISO planning will be shaped by non-human identities, zero trust, compliance, and supply chain risk, as NHIs proliferate and traditional perimeter models fall short, according to Entro Security. The real issue is that access governance, review, and rotation assumptions were built for slower human-paced systems, not sprawling machine identities.

NHIMG editorial — based on content published by Entro Security: How CISOs should prepare for 2025

By the numbers:

• NHIs outnumber human identities by 25x to 50x in modern enterprises.
• Only 5.7% of organisations have full visibility into their service accounts.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

Questions worth separating out

Q: How should security teams govern non-human identities in zero trust environments?

A: Start by treating every service account, API key, token, and certificate as a first-class identity with ownership, purpose, and expiry.

Q: Why do service accounts and API keys create so much supply chain risk?

A: They create supply chain risk because they often grant valid downstream access without requiring a human login.

Q: How do you know if NHI rotation and offboarding are actually working?

A: Look for evidence that secrets are retired quickly, owners can be identified immediately, and old credentials cannot still authenticate after the intended task ends.

Practitioner guidance

• Inventory machine identities across code, pipelines, and collaboration tools Build a complete map of service accounts, API keys, tokens, and certificates, including where they are stored and which systems depend on them.
• Tie every NHI credential to an owner and expiry rule Require a business or technical owner for every secret, plus a documented reason for existence and a revocation trigger.
• Reduce blast radius on third-party access tokens Constrain externally shared credentials to a single task, shortest feasible lifetime, and the narrowest reachable systems.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

• The article's full treatment of zero trust controls for NHIs across code, repositories, and collaboration tools
• The vendor's practical compliance checklist for SaaS, fintech, and healthcare identity environments
• The supply chain risk discussion around third-party NHI exposure and delegated access patterns
• The closing perspective on how CISOs should prioritise 2025 security work across identity, compliance, and automation

👉 Read Entro Security's 2025 CISO guidance on NHI, ZTA, and supply chain risk →

2025 CISO planning: are your NHI and ZTA controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →