How should teams govern identity sprawl as business growth accelerates?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Growing organisations accumulate identity risk faster than manual governance can absorb it, especially through acquisitions, rapid hiring, and AI tool adoption that create service accounts, API keys, and OAuth connections outside IT control, according to Clarity Security. The operational question is no longer whether to automate lifecycle governance, but whether the program can see and revoke every identity fast enough to keep least privilege real.

NHIMG editorial — based on content published by Clarity Security: Growing with the Business vs. Reacting to Change: What a Scalable Identity Security Program Actually Looks Like

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities created during business growth?

A: Security teams should govern non-human identities with the same lifecycle discipline they apply to human access, but with tighter discovery and revocation controls.

Q: When does ticket-based access management become too slow for NHI governance?

A: Ticket-based access management becomes too slow once growth events create identities faster than humans can review them.

Q: What is the difference between human identity lifecycle management and NHI lifecycle management?

A: Human identity lifecycle management is usually tied to HR events, while NHI lifecycle management must also cover machine-created credentials, integrations, and service accounts that have no manager or employee record.

Practitioner guidance

  • Automate lifecycle triggers for all identity changes. Tie provisioning, role changes, and offboarding to authoritative sources so access changes happen when the business event happens, not when a ticket is filed.
  • Inventory every non-human identity after growth events. Run post-acquisition and post-integration discovery for service accounts, API keys, OAuth grants, certificates, and workflow accounts before the environment is merged into steady-state operations.
  • Enforce ownership for every NHI. Assign a named business or technical owner to each credential, integration, and service account so expired use cases can be removed without guesswork.

The programme implication is clear: discovery, ownership, and revocation need to become continuous controls, not audit-season tasks.

👉 Read Clarity Security's analysis of scalable identity security for business growth →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Business growth is now an identity security event. Mergers, hiring surges, and AI adoption all create new access objects faster than traditional governance cycles can reconcile them. That means identity security can no longer be treated as a back-office control that catches up later. Practitioners should treat every growth event as a governance trigger, not a follow-on remediation project.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why cleanup lags even when teams know the problem exists.

A question worth separating out:

Q: Why do AI tools create new identity risk for IAM teams?

A: AI tools create identity risk because they often connect to business systems through API keys, OAuth grants, or service accounts that persist beyond the pilot phase. Those credentials can bypass normal provisioning workflows and remain active after the team forgets the integration. IAM teams need discovery and policy gates before the connection becomes shadow AI.

👉 Read our full editorial: AI agent identity growth outpaces scalable identity security programs



   