Identity as critical infrastructure: what IAM teams need to rethink


(@nhi-mgmt-group)

TL;DR: Identity has become the operating layer for business processes, automation pipelines, cloud workloads and AI agents, and many organisations still cannot inventory what exists or what it can do, according to Gathid. Static identity governance is failing because privilege now changes continuously, trust is relational and AI can exploit misconfigurations in milliseconds rather than hours.

NHIMG editorial — based on content published by Gathid: Identity is now the enterprise

By the numbers:

Questions worth separating out

Q: How should security teams govern identity when it spans people, bots and AI agents?

A: They should govern identity as a unified trust system, not as separate policy islands.

Q: Why do service accounts and API keys create so much hidden risk?

A: Because their permissions are often inherited, embedded or forgotten, which makes them easy to overlook and hard to retire.

Q: What breaks when identity reviews are only done quarterly?

A: Quarterly reviews miss the reality that access now changes continuously through automation, delegated trust and fast-moving machine workflows.

Practitioner guidance

  • Build a living identity inventory: Replace CSV exports and point-in-time registers with an inventory that tracks human, non-human and agent identities, ownership, entitlements and current trust relationships.
  • Map privilege chains before approval: Trace how one credential can inherit access through roles, pipelines, delegated permissions and connected systems.
  • Assign ownership to every non-human identity: Require a named human owner for each service account, token, bot and agent identity, including a reviewable purpose and an expiry condition.

What's in the full article

Gathid's full article covers the operational detail this post intentionally leaves for the source:

  • The full argument for treating identity as infrastructure rather than a security side function.
  • The trust graph and digital twin concepts in more detail, including how they support blast-radius modelling.
  • The article's discussion of mature identity infrastructure patterns such as zero-standing privilege and privilege decay.
  • The original narrative around AI's effect on identity speed, scope and governance pressure.

👉 Read Gathid's analysis of why identity is becoming critical infrastructure →
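
The three practitioner-guidance items above (an inventory with trust relationships, privilege-chain tracing, and owner and expiry checks for non-human identities) can be sketched as follows. This is an added example, not code from Gathid or NHIMG; every identity name, entitlement, trust edge and the review date is constructed for illustration.

```python
from collections import deque
from datetime import date

# Constructed sample inventory; every identity name and entitlement is hypothetical.
INVENTORY = {
    "alice": {"kind": "human", "owner": "alice", "expires": None,
              "entitlements": {"repo:write"}},
    "ci-pipeline": {"kind": "service_account", "owner": "alice",
                    "expires": date(2026, 1, 31), "entitlements": {"artifact:publish"}},
    "deploy-role": {"kind": "role", "owner": "bob",
                    "expires": date(2026, 6, 30), "entitlements": {"cluster:deploy"}},
    "legacy-api-key": {"kind": "api_key", "owner": None, "expires": None,
                       "entitlements": {"db:read", "db:write"}},
    "support-agent": {"kind": "ai_agent", "owner": "carol", "expires": None,
                      "entitlements": {"tickets:read"}},
}
# Constructed trust edges: the key can obtain or act as each listed identity.
TRUST = {"alice": ["ci-pipeline"], "ci-pipeline": ["deploy-role"],
         "deploy-role": ["legacy-api-key"], "support-agent": ["legacy-api-key"]}
REVIEW_DATE = date(2026, 3, 1)  # constructed "today" so results are reproducible

def privilege_chain(start, trust=TRUST):
    """Breadth-first walk: map each reachable identity to the shortest path to it."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in trust.get(node, []):
            if nxt not in paths:  # visited check also stops trust cycles
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def effective_entitlements(start, inventory=INVENTORY, trust=TRUST):
    """Union of entitlements over everything the starting identity can reach."""
    return set().union(*(inventory[i]["entitlements"] for i in privilege_chain(start, trust)))

def ownership_gaps(inventory=INVENTORY, today=REVIEW_DATE):
    """Non-human identities with no named owner, no expiry, or a lapsed expiry."""
    gaps = {}
    for name, rec in inventory.items():
        if rec["kind"] == "human":
            continue
        problems = [] if rec["owner"] else ["no owner"]
        if rec["expires"] is None:
            problems.append("no expiry")
        elif rec["expires"] < today:
            problems.append("expired")
        if problems:
            gaps[name] = problems
    return gaps

if __name__ == "__main__":
    print(privilege_chain("alice")["legacy-api-key"])
    print(sorted(effective_entitlements("alice")))
    print(ownership_gaps())
```

In the sample data, a developer identity with only `repo:write` reaches database write access through three inherited hops, which a per-identity entitlement review would not show.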
