TL;DR: Enterprises now manage 82 machine identities for every human user, and security teams are still focusing on mature domains while the highest-risk areas, especially AI and development, create the most ungoverned NHI sprawl, according to Clutch Security. Security investment is misaligned with where machine identity risk actually lives, so visibility, lifecycle control, and cross-domain governance have become the real control plane.
NHIMG editorial — based on content published by Clutch Security: Why 82% of Your Attack Surface Is Invisible to Your Security Team
By the numbers:
- Your organisation now manages 82 machine identities for every human user.
Questions worth separating out
Q: How should security teams govern machine identities across business domains?
A: Start with ownership, business purpose, and expiry for each machine identity, then map those identities to the domain that created them.
Q: Why do AI and development environments increase NHI risk so quickly?
A: AI and development environments generate credentials at high speed and often place them in code, pipelines, or training workflows before security can review them.
Q: What breaks when organisations secure infrastructure but ignore NHI intent?
A: What breaks is the link between access and accountability: infrastructure controls can say what a credential can reach, but not who is responsible for it, why it exists, or when it should be revoked.
Practitioner guidance
- Map machine identities to business domains: build a domain-level inventory that records creator, business purpose, privilege scope, system dependency, and expiry for every NHI.
- Prioritise AI and development secret discovery: start with the environments the article identifies as critical risk: AI workflows, source repositories, CI/CD pipelines, and developer workstations.
- Reduce standing access across trust chains: review OAuth grants, service account permissions, and vendor integrations for access that persists beyond the original business need.
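The domain-level inventory and standing-access review described in the guidance above (and the ownership/purpose/expiry triage in the first Q&A), as an added example that is not Clutch Security's or NHIMG's code. The record schema, the policy thresholds, and the sample identities are all constructed for illustration; the only inputs a real run would need are the same fields exported from your cloud, CI, OAuth and AI platforms.

```python
"""Lifecycle audit over a machine-identity (NHI) inventory.

Added example, not code from the source article. The inventory schema
(owner, purpose, domain, privilege_scope, expires_at, last_used_at), the
thresholds and the sample records are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not figures from the source article).
MAX_LIFETIME = timedelta(days=90)       # a credential must expire within 90 days of creation
STALE_AFTER = timedelta(days=30)        # unused for 30 days => access has outlived its need
BROAD_SCOPES = {"owner", "admin", "*"}  # scopes treated as broad standing privilege


@dataclass
class NHI:
    id: str
    domain: str                  # e.g. "ai", "development", "supply_chain", "production"
    kind: str                    # e.g. "service_account_key", "oauth_grant", "pipeline_token"
    owner: str | None
    purpose: str | None
    privilege_scope: list[str]
    created_at: datetime
    expires_at: datetime | None  # None = standing credential with no planned death
    last_used_at: datetime | None


def audit(nhi: NHI, now: datetime) -> list[str]:
    """Return governance findings for one identity (empty list = compliant)."""
    findings: list[str] = []
    if not nhi.owner:
        findings.append("no_owner")
    if not nhi.purpose:
        findings.append("no_business_purpose")
    if nhi.expires_at is None:
        findings.append("no_expiry")
    elif nhi.expires_at <= now:
        findings.append("expired_still_present")   # should have been offboarded
    elif nhi.expires_at - nhi.created_at > MAX_LIFETIME:
        findings.append("lifetime_exceeds_policy")
    if nhi.last_used_at is None:
        if now - nhi.created_at > STALE_AFTER:
            findings.append("never_used")
    elif now - nhi.last_used_at > STALE_AFTER:
        findings.append("stale_access")
    if BROAD_SCOPES & set(nhi.privilege_scope):
        findings.append("broad_privilege")
    return findings


def audit_inventory(inventory: list[NHI], now: datetime) -> dict[str, dict[str, list[str]]]:
    """Group findings by business domain so each domain owner gets their own list."""
    by_domain: dict[str, dict[str, list[str]]] = {}
    for nhi in inventory:
        findings = audit(nhi, now)
        if findings:
            by_domain.setdefault(nhi.domain, {})[nhi.id] = findings
    return by_domain


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample inventory (hypothetical identities, not real ones).
SAMPLE = [
    NHI("sa-train-01", "ai", "service_account_key", None, None,
        ["storage.admin"], days_ago(200), None, days_ago(120)),
    NHI("gh-actions-deploy", "development", "pipeline_token", "platform-team",
        "deploy to staging", ["contents:write"], days_ago(10), NOW + timedelta(days=20), days_ago(1)),
    NHI("oauth-vendor-crm", "supply_chain", "oauth_grant", "sales-ops",
        "CRM sync", ["*"], days_ago(400), NOW + timedelta(days=365), days_ago(2)),
    NHI("prod-db-reader", "production", "service_account_key", "dba",
        "nightly reports", ["db:read"], days_ago(60), days_ago(5), days_ago(6)),
]

if __name__ == "__main__":
    for domain, items in audit_inventory(SAMPLE, NOW).items():
        for nhi_id, findings in items.items():
            print(f"{domain:13} {nhi_id:20} {', '.join(findings)}")
```

The AI-domain training key comes out with no owner, no purpose, no expiry and 120 days of disuse, which is exactly the ungoverned sprawl the article describes; the vendor OAuth grant is owned and in use but carries a wildcard scope on a two-year lifetime, i.e. standing access that outlives any single business need. Grouping by domain rather than by platform is the point: the findings go to whoever created the identity, not to the team that happens to run the infrastructure it lives on.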
What's in the full article
Clutch Security's full research covers the operational detail this post intentionally leaves for the source:
- The domain-by-domain risk matrix that breaks down AI, development, supply chain, production, user, and corporate IT exposure.
- The resource allocation math behind the claim that 60% of NHI security spend goes to only 15% of domain-level risk.
- The step-by-step executive action plan for 0-90 days, 3-12 months, and long-term transformation.
- The research paper's full path from visibility gaps to cross-domain monitoring and automated orchestration.
👉 Read Clutch Security's analysis of enterprise NHI attack surface visibility gaps →
Enterprise attack surface visibility gaps: what IAM teams are missing
Explore further
Machine identity visibility is now a governance failure, not just a tooling gap. The article is right to frame the problem as invisible attack surface, because the real issue is that many organisations do not know which NHIs exist, who created them, or when they should expire. In OWASP NHI Top 10 and NIST CSF terms that is a control problem, but it is also a lifecycle problem across provisioning, rotation, and offboarding. Practitioners should treat unknown machine identity populations as unmanaged risk, not background noise.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: Which frameworks should teams use to align NHI governance with risk?
A: Use OWASP NHI guidance for machine identity controls, NIST CSF for programme structure, and zero trust principles to reduce implicit trust between domains. These frameworks work best when teams apply them to lifecycle, ownership, and cross-domain access paths rather than to infrastructure labels alone.
👉 Read our full editorial: Why 82% of enterprise attack surface stays invisible to IAM