TL;DR: According to Entro Security, non-human identities (NHIs) outnumber human identities by 92:1 in a typical enterprise, and the article argues that compliance programmes built for people leave service accounts, API keys, tokens, and AI agents under-governed. The compliance problem is structural: discovery, ownership, rotation, and monitoring must be treated as lifecycle controls, not after-the-fact audit tasks.
NHIMG editorial — based on research published by Entro Security.
By the numbers:
- In a typical enterprise today, NHIs outnumber human identities by 92:1.
Questions worth separating out
Q: How should organisations govern non-human identities for compliance?
A: Treat non-human identities as governed assets with owners, scope, rotation, and revocation.
Q: Why do non-human identities create more compliance risk than human accounts?
A: They are harder to inventory, easier to orphan, and often operate without interactive login events that normal controls expect.
Q: What is the difference between managing human identities and NHIs?
A: Human identity management focuses on users, authentication, and session controls.
Practitioner guidance
- Create a complete NHI inventory across all systems: map service accounts, API keys, OAuth tokens, certificates, and AI agent identities across cloud, DevOps, and SaaS integrations.
- Enforce lifecycle controls for every machine identity: set explicit provisioning, expiration, rotation, and offboarding rules for each NHI class.
- Bind ownership to every secret and service account: require a named business and technical owner for each identity, then review that ownership on a fixed cadence.
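The three guidance points above (inventory, per-class lifecycle rules, bound ownership) can be turned into an automated check that runs over the inventory rather than a periodic audit. The script below is an added example, not code from Entro Security or NHI Mgmt Group: it evaluates a constructed NHI inventory against assumed per-class rotation windows, an assumed 90-day dormancy threshold, and the requirement that every identity has a named owner and an expiry date, and reports the findings a governance review would act on. The identity names, systems, policy values and dates are all illustrative assumptions.

```python
"""Lifecycle compliance checks over a constructed non-human identity (NHI) inventory.

Added example (not Entro Security's or NHI Mgmt Group's code). The inventory
records, the per-class rotation windows and the 90-day dormancy threshold are
assumptions chosen for illustration, not values from the research.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed rotation policy per NHI class, in days. A real programme sets these
# per class in policy; the numbers here are illustrative only.
ROTATION_POLICY_DAYS = {
    "service_account": 180,
    "api_key": 90,
    "oauth_token": 30,
    "certificate": 365,
    "ai_agent": 60,
}
DORMANT_AFTER_DAYS = 90  # assumed: no use in 90 days => candidate for revocation


@dataclass
class NHI:
    name: str
    kind: str                       # one of the ROTATION_POLICY_DAYS keys
    system: str                     # where it lives (cloud, CI, SaaS integration)
    owner: Optional[str]            # named technical owner, None if unknown
    last_rotated: Optional[date]    # None if never rotated
    last_used: Optional[date]       # None if there is no usage telemetry at all
    expires: Optional[date] = None  # None means the credential never expires


def check_identity(nhi: NHI, today: date) -> List[str]:
    """Return the lifecycle-control findings for one identity ([] if compliant)."""
    findings = []
    if not nhi.owner:
        findings.append("no_owner")            # ownership not bound
    window = ROTATION_POLICY_DAYS.get(nhi.kind)
    if window is None:
        findings.append("unclassified")        # no class, so no lifecycle rule applies
    elif nhi.last_rotated is None or (today - nhi.last_rotated).days > window:
        findings.append("rotation_overdue")    # never rotated, or outside the window
    if nhi.expires is None:
        findings.append("no_expiry")           # credential never expires on its own
    elif nhi.expires < today:
        findings.append("expired")             # should already have been offboarded
    # Orphan detection: no telemetry at all, or no use within the dormancy threshold.
    if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")
    return findings


def audit_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map each identity name to its findings; compliant identities map to []."""
    return {nhi.name: check_identity(nhi, today) for nhi in inventory}


def summarise(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many identities carry each finding, for the governance review."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


# Constructed sample inventory (not real identities or systems).
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "cloud-account", "platform-team",
        last_rotated=TODAY - timedelta(days=40), last_used=TODAY - timedelta(days=1),
        expires=TODAY + timedelta(days=140)),
    NHI("legacy-billing-key", "api_key", "payments-integration", None,
        last_rotated=TODAY - timedelta(days=400), last_used=TODAY - timedelta(days=200)),
    NHI("vendor-oauth-app", "oauth_token", "saas-suite", "it-ops",
        last_rotated=TODAY - timedelta(days=10), last_used=None,
        expires=TODAY + timedelta(days=20)),
    NHI("support-agent-bot", "ai_agent", "helpdesk-saas", "cx-team",
        last_rotated=None, last_used=TODAY - timedelta(days=2),
        expires=TODAY - timedelta(days=3)),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for name, findings in report.items():
        print(f"{name:22} {'OK' if not findings else ', '.join(findings)}")
    print("summary:", summarise(report))
```

Running it flags the unowned, unrotated, never-expiring and unused billing key on four counts, the OAuth app as dormant because it has no usage telemetry at all (absence of evidence is treated as a finding, not as compliance), and the AI agent identity as both never rotated and past its expiry while still being used. The point of the design is that each finding corresponds to one of the lifecycle controls above, so the output is a work queue for owners rather than an audit narrative.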
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, most programmes are still trying to audit what they have not fully discovered.
👉 Read Entro Security's analysis of the compliance gap created by non-human identities →
A few things worth adding from our research at NHI Mgmt Group.
Non-human identity compliance is now a lifecycle discipline, not a checklist exercise. The core failure is not that organisations lack policies. It is that they still manage machine identities as scattered technical artefacts instead of governed identities with owners, review dates, and revocation paths. Once NHIs outnumber humans by 92:1, manual compliance cannot keep pace. Practitioners should treat lifecycle control as the primary compliance layer.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: When should teams prioritise NHI governance over other IAM work?
A: Teams should prioritise it when automation, cloud integrations, or AI agents are expanding faster than identity review processes. If service accounts and secrets are not fully inventoried, the organisation is already exposed. Governance should move up the queue whenever audit readiness, least privilege, or incident response depends on machine identities.
👉 Read our full editorial: Non-human identities create a compliance gap that human-centric rules miss