TL;DR: Identity has become the operating layer for business processes, automation pipelines, cloud workloads and AI agents, and many organisations still cannot inventory what exists or what it can do, according to Gathid. Static identity governance is failing because privilege now changes continuously, trust is relational and AI can exploit misconfigurations in milliseconds rather than hours.
NHIMG editorial — based on content published by Gathid: Identity is now the enterprise
By the numbers:
- In many organizations, nonhuman identities outnumber human ones 100:1 or more.
Questions worth separating out
Q: How should security teams govern identity when it spans people, bots and AI agents?
A: They should govern identity as a unified trust system, not as separate policy islands.
Q: Why do service accounts and API keys create so much hidden risk?
A: Because their permissions are often inherited, embedded or forgotten, which makes them easy to overlook and hard to retire.
Q: What breaks when identity reviews are only done quarterly?
A: Quarterly reviews miss the reality that access now changes continuously through automation, delegated trust and fast-moving machine workflows.
Practitioner guidance
- Build a living identity inventory: Replace CSV exports and point-in-time registers with an inventory that tracks human, non-human and agent identities, ownership, entitlements and current trust relationships.
- Map privilege chains before approval: Trace how one credential can inherit access through roles, pipelines, delegated permissions and connected systems.
- Assign ownership to every non-human identity: Require a named human owner for each service account, token, bot and agent identity, including a reviewable purpose and an expiry condition.
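The three points above, as an added worked example that is not Gathid's or NHIMG's code: a small trust graph of constructed identities, relations and resource names (all assumed for illustration) is walked to show the chain through which one credential inherits access, the resources it can ultimately reach, and which non-human identities lack a named owner or an expiry condition.

```python
from collections import deque

# Constructed sample inventory (not real data): identity id -> attributes.
IDENTITIES = {
    "human:alice":        {"kind": "human",   "owner": None,          "expires": None},
    "svc:ci-deployer":    {"kind": "service", "owner": "human:alice", "expires": "2025-12-31"},
    "key:legacy-api-key": {"kind": "service", "owner": None,          "expires": None},
    "agent:ai-triage":    {"kind": "agent",   "owner": "human:alice", "expires": None},
}

# Constructed trust edges: (source, relation, target). A target may be another
# identity, a role, or a resource ("res:...") that the chain finally reaches.
TRUST_EDGES = [
    ("human:alice",        "can-use", "svc:ci-deployer"),
    ("svc:ci-deployer",    "assumes", "role:deploy"),
    ("role:deploy",        "grants",  "res:prod-db:write"),
    ("agent:ai-triage",    "holds",   "key:legacy-api-key"),
    ("key:legacy-api-key", "assumes", "role:deploy"),
    ("role:deploy",        "grants",  "res:secrets-vault:read"),
]


def privilege_chains(start, edges=TRUST_EDGES):
    """Breadth-first walk of the trust graph from one identity.

    Returns {reachable node: chain}, where chain is the list of
    (source, relation, target) hops by which `start` inherits access to
    that node. The shortest chain is kept, which is what a reviewer
    wants to see before approving the credential.
    """
    chains = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, rel, dst in edges:
            if src == node and dst not in chains:
                chains[dst] = chains[node] + [(src, rel, dst)]
                queue.append(dst)
    return chains


def blast_radius(start, edges=TRUST_EDGES):
    """Resources (nodes prefixed 'res:') an identity can ultimately reach."""
    return sorted(n for n in privilege_chains(start, edges) if n.startswith("res:"))


def ungoverned(identities=IDENTITIES):
    """Non-human identities with no named owner or no expiry condition."""
    return sorted(i for i, a in identities.items()
                  if a["kind"] != "human" and (a["owner"] is None or a["expires"] is None))
```

Running `privilege_chains("agent:ai-triage")` shows that the AI agent reaches production through an unowned, never-expiring API key rather than through any access granted to the agent itself, which is exactly the inherited path a point-in-time register would miss.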
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- The full argument for treating identity as infrastructure rather than a security side function.
- The trust graph and digital twin concepts in more detail, including how they support blast-radius modelling.
- The article's discussion of mature identity infrastructure patterns such as zero-standing privilege and privilege decay.
- The original narrative around AI's effect on identity speed, scope and governance pressure.
Read Gathid's analysis of why identity is becoming critical infrastructure: "Identity as critical infrastructure: what IAM teams need to rethink?"
Explore further
Identity is now infrastructure because access paths have become business pathways. When service accounts, automation, API keys and AI agents execute core work, identity is no longer a support function sitting beside the stack. It is the stack's control surface. That means identity governance has to be treated with the same operational seriousness as network design, payments or power distribution. Practitioners should stop describing identity as a feature and start managing it as critical infrastructure.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
A question worth separating out:
Q: How do organisations know whether their identity programme is actually working?
A: They should look for a complete inventory, named ownership, reduced standing privilege and a measurable drop in unreviewed privilege paths. If the team cannot answer what identities exist, what they can do and which systems they can reach, the programme is still operating below the level needed to govern modern infrastructure.
Read our full editorial: Identity is now critical infrastructure, not an access control layer