Identity lineage is now a governance requirement, not a nice-to-have control layer. IAM has long assumed that identity management begins and ends with a person account, but NHIs break that model by creating active access subjects that inherit human authority without appearing in standard lifecycle workflows. That means access review, offboarding, and audit all need a lineage view, not just an inventory view. Practitioners should treat lineage as the control that makes every other identity control enforceable.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: When should organisations retire or rotate a non-human identity?
A: Organisations should retire or rotate an NHI when its owner changes, its purpose is no longer clear, its scope expands, or its credential has been exposed. They should also rotate on a fixed cadence for high-risk systems. If the credential cannot be tied to a current business need, removal is the safer default.
👉 Read our full editorial: Identity lineage is the missing control for non-human identities