Identity hygiene and AI identities: is your programme keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6054
Topic starter  

TL;DR: Identity hygiene is no longer a back-office concern because poor visibility, stale entitlements, and overprivileged access now sit at the centre of enterprise risk, according to SPHERE Technology Solutions. As AI and machine identities expand the attack surface, identity governance has to move from periodic cleanup to continuous control.

NHIMG editorial — based on content published by SPHERE Technology Solutions: Podcast highlights from Smells Like Identity Hygiene

By the numbers:

Questions worth separating out

Q: How should security teams govern identity sprawl across human and non-human accounts?

A: Start with a single inventory that includes users, service accounts, API keys, certificates, and automated access paths.

Q: Why do stale entitlements create so much identity risk?

A: Stale entitlements extend access beyond the period when it is actually needed, which gives attackers more time and more privilege to work with.

Q: How can organisations tell whether identity hygiene is actually improving?

A: Look for fewer orphaned accounts, faster revocation of unused access, higher ownership coverage, and shorter time between entitlement change and remediation.

Practitioner guidance

  • Build a complete identity inventory: map human accounts, service accounts, API keys, tokens, certificates, and AI-driven access paths into one governed inventory with named owners and business purpose.
  • Revoke stale entitlements continuously: move away from annual cleanup and remove unused access as part of normal operations, especially where privilege has been inherited from old projects or departed staff.
  • Separate machine access from human access reviews: use review logic that reflects how non-human identities actually operate, including service account ownership, workload purpose, and secret rotation state.

What's in the full article

SPHERE Technology Solutions' full blog post covers the podcast discussion and supporting commentary this post intentionally leaves for the source:

  • The full episode context behind Brandon Traffanstedt and Kristin Buckley's remarks on identity hygiene
  • The source article's original framing around the "Last Car You'll Ever Drive" metaphor and what it is meant to signal
  • The vendor's own commentary on culture, ownership, and why identity security should be treated as a long-term programme
  • The podcast highlight structure and source-specific references that were condensed out of this independent analysis

👉 Read SPHERE Technology Solutions' podcast highlights on identity hygiene and AI identity risk →



This topic was modified 1 hour ago by Mr NHI

   
Quote
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5547
 

Identity hygiene is now security infrastructure, not housekeeping. The article gets the direction right: identity is the front line because access determines whether attackers need to break in or simply log in. Once identities outnumber the control team's ability to track them, the programme stops being preventive and becomes reactive. That is why identity inventory, ownership, and entitlement scope belong in the security architecture conversation. Practitioners should treat identity hygiene as an operational control layer, not a cleanup exercise.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own lifecycle control for service accounts and AI-enabled identities?

A: Ownership should sit with the team that understands the identity's business function and can approve its continued use. Security can set policy and monitor drift, but it cannot own every entitlement decision centrally. Without a named operational owner, machine identities and automated access paths tend to survive long after they are needed.

👉 Read our full editorial: Identity hygiene failures are now a core security risk
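One way to turn the practitioner guidance in the opening post and the ownership question in this reply into a runnable review, as an added example that belongs to neither post nor to SPHERE's material; the inventory, the departed-staff set and all thresholds are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample: assumed HR feed of leavers used to detect orphaned ownership.
DEPARTED_STAFF = {"jdoe"}

@dataclass
class Identity:
    name: str
    kind: str                               # "human", "service", or "api_key"
    owner: Optional[str]                    # named operational owner, None if unknown
    last_used: date
    secret_rotated: Optional[date] = None   # non-human identities only
    notified_on: Optional[date] = None      # date revocation was requested, if any

def review(inventory, today, stale_days=90, rotation_days=90, sla_days=5):
    """Flag orphaned, stale, unrotated and overdue-revocation identities in one pass."""
    findings = {"orphaned": [], "stale": [], "unrotated": [], "overdue": []}
    for i in inventory:
        if i.owner is None or i.owner in DEPARTED_STAFF:
            findings["orphaned"].append(i.name)
        if (today - i.last_used).days > stale_days:
            findings["stale"].append(i.name)
        # Machine identities get their own review logic: secret rotation state matters.
        if i.kind != "human" and (i.secret_rotated is None
                                  or (today - i.secret_rotated).days > rotation_days):
            findings["unrotated"].append(i.name)
        # Revocation requested but still not actioned past the remediation SLA.
        if i.notified_on and (today - i.notified_on).days > sla_days:
            findings["overdue"].append(i.name)
    return findings

def ownership_coverage(inventory):
    """Share of identities with a current named owner, one of the hygiene metrics."""
    owned = sum(1 for i in inventory if i.owner and i.owner not in DEPARTED_STAFF)
    return owned / len(inventory)

# Constructed inventory: one human, two service accounts, one API key.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Identity("alice", "human", "alice", date(2025, 5, 30)),
    Identity("ci-deploy", "service", "platform-team", date(2025, 5, 31), date(2025, 4, 1)),
    Identity("legacy-etl", "service", "jdoe", date(2025, 1, 10), date(2024, 9, 1), date(2025, 5, 20)),
    Identity("report-bot-key", "api_key", None, date(2025, 5, 28)),
]

if __name__ == "__main__":
    print(review(INVENTORY, TODAY))
    print(f"ownership coverage: {ownership_coverage(INVENTORY):.0%}")
```

Running the review on a schedule and tracking the four lists plus the coverage ratio over time gives the "is hygiene actually improving" signal the opening post asks for.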


