TL;DR: Identity security is framed as the control plane for cloud-first, AI-driven enterprises, according to CyberArk. The book offers guidance on securing human, machine, and privileged identities, automated controls, Zero Standing Privileges, and future-facing risks such as GenAI and quantum-safe encryption, with the underlying message that identity programmes now need to prove business value while reducing access risk across the full identity lifecycle.
NHIMG editorial — based on content published by CyberArk: The Identity Security Imperative, a leader's guide to securing every identity
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams secure humans and non-human identities in one programme?
A: Security teams should govern humans and NHIs under one identity strategy while keeping control objectives consistent across both.
Q: Why do standing privileges create so much risk in cloud environments?
A: Standing privileges create risk because they leave powerful access available long after the task that justified it has ended, so anyone who compromises that account or credential inherits the access without ever passing through an approval step.
Q: What do organisations get wrong about service accounts and API keys?
A: Organisations often treat service accounts and API keys as operational plumbing rather than governed identities.
Practitioner guidance
- Inventory every identity class in one governance model: bring human users, privileged admins, service accounts, API keys, tokens, and certificates into a single inventory so access reviews and lifecycle controls are not fragmented by identity type.
- Replace standing admin paths with task-scoped privilege: use just-in-time access and approval workflows to remove persistent elevated permissions, especially where cloud operations and production support teams still depend on permanent access.
- Tie privilege controls to audit-ready enforcement: ensure privilege grants, session activity, and revocation events are logged in a way that supports audits, incident response, and regulatory reporting without manual reconstruction.
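The three items above are easier to reason about as one model than as three separate tools. The following Python is an added illustration written for this editorial, not code from CyberArk or from the book it summarises. It puts every identity class into one inventory and runs the same review over all of them (standing admin rights, orphaned owners, overdue secret rotation), then shows a just-in-time grant that expires on its own and leaves a GRANT/REVOKE trail behind. All names, the `SECRET_BEARING` set, the finding codes and the 90-day rotation threshold are hypothetical choices for the example; the sample inventory is constructed, not real account data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Identity classes the guidance wants in one inventory. Kinds that carry a
# secret get a rotation check; every kind gets ownership and privilege checks.
SECRET_BEARING = {"service_account", "api_key", "token", "certificate"}  # hypothetical grouping


@dataclass
class Identity:
    name: str
    kind: str                         # human | privileged_admin | service_account | api_key | token | certificate
    owner: str                        # accountable person or team
    owner_active: bool                # False once the owner has been offboarded
    standing_privs: Set[str]          # privileges held permanently, outside any approval
    last_rotated: Optional[datetime]  # None = never rotated (only meaningful for SECRET_BEARING kinds)


@dataclass
class Grant:
    identity: str
    privilege: str
    approver: str
    granted_at: datetime
    expires_at: datetime


@dataclass
class Ledger:
    """Time-boxed grants plus an append-only event trail (GRANT / REVOKE)."""
    grants: List[Grant] = field(default_factory=list)
    events: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def request_elevation(self, ident: Identity, privilege: str, approver: str,
                          now: datetime, ttl: timedelta = timedelta(hours=1)) -> Grant:
        g = Grant(ident.name, privilege, approver, now, now + ttl)
        self.grants.append(g)
        self.events.append((now, "GRANT", ident.name, privilege))
        return g

    def expire(self, now: datetime) -> None:
        # Revoke lapsed grants and record each revocation, so audit and IR
        # can see when access ended without reconstructing it from tickets.
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self.events.append((now, "REVOKE", g.identity, g.privilege))
            else:
                live.append(g)
        self.grants = live

    def effective_privileges(self, ident: Identity, now: datetime) -> Set[str]:
        self.expire(now)
        jit = {g.privilege for g in self.grants if g.identity == ident.name}
        return set(ident.standing_privs) | jit


def review_inventory(identities: List[Identity], now: datetime,
                     max_rotation_days: int = 90) -> List[Tuple[str, str]]:
    """One review pass over every identity class, returning (name, finding) pairs."""
    findings = []
    for i in identities:
        if "admin" in i.standing_privs:
            findings.append((i.name, "STANDING_ADMIN"))
        if not i.owner_active:
            findings.append((i.name, "ORPHANED_OWNER"))      # offboarding never revoked it
        if i.kind in SECRET_BEARING:
            age = (now - i.last_rotated).days if i.last_rotated else None
            if age is None or age > max_rotation_days:
                findings.append((i.name, "ROTATION_OVERDUE"))
    return findings


# Constructed sample inventory (hypothetical names, not real accounts).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Identity("alice", "human", "alice", True, {"read"}, None),
    Identity("bob-admin", "privileged_admin", "bob", True, {"admin"}, None),
    Identity("svc-billing", "service_account", "payments-team", True, {"db:write"}, NOW - timedelta(days=200)),
    Identity("apikey-ci-7f", "api_key", "carol", False, {"deploy"}, NOW - timedelta(days=30)),
    Identity("tls-edge", "certificate", "platform-team", True, set(), None),
]


def jit_demo() -> Tuple[Set[str], Set[str], List[str]]:
    """Alice gets 'admin' for one hour; it disappears, with a REVOKE event, after expiry."""
    ledger = Ledger()
    ledger.request_elevation(SAMPLE[0], "admin", approver="bob", now=NOW)
    during = ledger.effective_privileges(SAMPLE[0], NOW + timedelta(minutes=30))
    after = ledger.effective_privileges(SAMPLE[0], NOW + timedelta(hours=2))
    return during, after, [e[1] for e in ledger.events]
```

Running `review_inventory(SAMPLE, NOW)` flags the permanent admin, the API key whose owner has left, and the two secrets that are past (or never had) a rotation. `jit_demo()` shows the other half of the guidance: the elevated privilege exists only between GRANT and REVOKE, and both events are already in the ledger when an auditor or responder asks for them.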
What's in the full article
CyberArk's full book covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on building an identity security programme that can scale across enterprise environments.
- A five-level maturity model for tracking progress and identifying where identity controls are still immature.
- Core principles for putting identity security into practice without disrupting access to business resources.
- Additional detail on automated privileged controls, Zero Standing Privilege, and AI-driven detection concepts.
👉 Read CyberArk's guide to building a modern identity security programme →
Identity security across the full identity stack: what changes now?
Identity security is now the control plane for every identity class, not a side discipline. CyberArk’s framing reflects a wider truth: human IAM, NHI governance, and privileged access management are converging into one operating model because attackers exploit whichever identity is easiest to over-extend. That means programme boundaries built around user access alone are outdated. The practical conclusion is that identity strategy has to be owned as enterprise security architecture, not as a collection of disconnected tools.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the affected organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own identity security accountability across the enterprise?
A: Identity security accountability should sit with security leadership, IAM, PAM, and platform owners together, because the control plane spans human access, machine identities, and privileged workflows. If ownership is split, the programme usually becomes inconsistent at the boundaries where breaches and audit findings emerge. Shared accountability is the only practical way to manage the full identity estate.
👉 Read our full editorial: Identity security for every identity: what leaders need to know