Identity security ownership gap: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6054
Topic starter  

TL;DR: Security programs stall when identity is treated as an IT problem rather than a shared ownership model across human, machine, and AI identities, according to SPHERE. The practical issue is not terminology alone, but whether organisations can make responsibility, visibility, and accountability understandable outside the security team.

NHIMG editorial — based on content published by SPHERE: identity security and the case for shared ownership

By the numbers:

Questions worth separating out

Q: How should organisations assign ownership across human, machine, and AI identities?

A: Start by assigning a business owner and an operational owner to every identity type, then make both names part of access approval, review, and offboarding.

Q: Why do machine identities create more governance risk than many human accounts?

A: Machine identities often outnumber people, change faster, and are easier to overlook after deployment.

Q: What do teams get wrong about shared responsibility in identity security?

A: They often assume that if a security team exists, responsibility has been transferred to it.

Practitioner guidance

  • Assign named owners to every identity and secret: map each user account, service account, API key, certificate, and AI identity to a business owner and an operational owner.
  • Tie access reviews to ownership validation: do not recertify entitlements unless the reviewer can confirm the asset owner, the technical custodian, and the current purpose of access.
  • Build separate lifecycle rules for machine identities: apply distinct onboarding, renewal, rotation, and offboarding steps to service accounts, API keys, and certificates instead of reusing human IAM workflows.

What's in the full article

SPHERE Technology Solutions' full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames identity ownership for non-security stakeholders across marketing, sales, and HR.
  • Examples of how to translate technical identity terms into business responsibility language.
  • The specific ways the article links ownership to scale, visibility, and accountability across teams.

👉 Read SPHERE Technology Solutions' analysis of identity ownership and security scale →

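The three practitioner-guidance items above (named owners per identity, recertification gated on owner/custodian/purpose, and separate lifecycle rules for machine identities) can be checked mechanically against an inventory. The following is an added example written for this post, not code from SPHERE or NHIMG; the `Identity` schema, the rotation intervals in `ROTATION_POLICY_DAYS`, and the `SAMPLE_INVENTORY` records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Identity kinds that follow the machine lifecycle rather than the human one.
MACHINE_KINDS = {"service_account", "api_key", "certificate", "ai_agent"}

# Rotation interval per machine kind, in days. Constructed policy values for
# the example; an organisation would set its own per kind.
ROTATION_POLICY_DAYS = {
    "api_key": 90,
    "service_account": 180,
    "certificate": 365,
    "ai_agent": 90,
}


@dataclass
class Identity:
    """Hypothetical inventory record: one row per identity or secret."""
    name: str
    kind: str                         # "user" or one of MACHINE_KINDS
    business_owner: Optional[str]     # who answers for why it exists
    operational_owner: Optional[str]  # who runs, rotates and retires it
    purpose: Optional[str]            # current reason for its access
    last_rotated: Optional[date] = None


def ownership_gaps(inventory):
    """Identities that lack either a business or an operational owner."""
    return sorted(i.name for i in inventory
                  if not (i.business_owner and i.operational_owner))


def can_recertify(identity):
    """Recertification is allowed only when owner, custodian and purpose are all known."""
    return bool(identity.business_owner and identity.operational_owner and identity.purpose)


def rotation_overdue(inventory, today):
    """Machine identities past their kind-specific rotation deadline (or never rotated)."""
    overdue = []
    for i in inventory:
        if i.kind not in MACHINE_KINDS:
            continue  # human accounts follow a different lifecycle
        limit = timedelta(days=ROTATION_POLICY_DAYS[i.kind])
        if i.last_rotated is None or i.last_rotated + limit < today:
            overdue.append(i.name)
    return sorted(overdue)


def orphaned_by_departure(inventory, departed):
    """Identities whose named owner has left: an offboarding trigger, not a report line."""
    return sorted(i.name for i in inventory
                  if i.business_owner in departed or i.operational_owner in departed)


# Constructed sample inventory; names and owners are invented.
SAMPLE_INVENTORY = [
    Identity("alice", "user", "hr-lead", "it-ops", "employee"),
    Identity("svc-billing", "service_account", "finance-lead", "platform-team",
             "nightly invoice export", last_rotated=date(2024, 1, 10)),
    Identity("apikey-crm-sync", "api_key", None, "platform-team",
             "CRM sync", last_rotated=date(2024, 5, 1)),
    Identity("cert-gateway", "certificate", "platform-team", "platform-team", None,
             last_rotated=date(2023, 3, 1)),
    Identity("agent-support-bot", "ai_agent", "cs-lead", "ml-team",
             "ticket triage", last_rotated=None),
]
TODAY = date(2024, 6, 1)


def run_report(inventory=SAMPLE_INVENTORY, today=TODAY, departed=frozenset({"finance-lead"})):
    """Collect the four findings a reviewer would act on."""
    return {
        "ownership_gaps": ownership_gaps(inventory),
        "not_recertifiable": sorted(i.name for i in inventory if not can_recertify(i)),
        "rotation_overdue": rotation_overdue(inventory, today),
        "orphaned": orphaned_by_departure(inventory, departed),
    }


if __name__ == "__main__":
    for finding, names in run_report().items():
        print(f"{finding}: {names}")
```

The point of `can_recertify` is that a missing purpose blocks recertification just as a missing owner does: `cert-gateway` has two named owners but nobody can say what it is for, so the reviewer is not allowed to wave it through. Likewise `rotation_overdue` only applies the machine policy to machine kinds, which is what "separate lifecycle rules" means in practice.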
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5547
 

Identity ownership is the control plane that makes IAM usable at enterprise scale. The article is right to move the conversation away from a security-team monopoly and toward distributed accountability. When business units understand what they own, identity governance becomes observable, reviewable, and enforceable instead of abstract. Practitioners should treat ownership as a first-class governance control, not a cultural slogan.

A few things that frame the scale:

  • Machine identities outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why ownership and accountability so often break down in practice.

A question worth separating out:

Q: How can security teams tell whether identity ownership is actually working?

A: Look for evidence that ownership data changes outcomes. Access reviews should produce removals, offboarding should revoke unused access, and exceptions should have named accountability. If the programme generates reports but does not change entitlements, then ownership is being documented rather than governed.

👉 Read our full editorial: Identity security fails when ownership stops at IT

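The answer above gives a concrete test for whether ownership is governed or merely documented: reviews should produce removals that are actually enacted, offboarding should leave no lingering access, and every exception should carry a named accountable owner. The following is an added example written for this thread, not code from NHIMG or SPHERE; the `ReviewDecision` and `AccessException` schemas and all sample records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReviewDecision:
    """Hypothetical access-review record: one reviewer decision per entitlement."""
    identity: str
    entitlement: str
    decision: str   # "keep" or "remove"
    enacted: bool   # True if a "remove" decision was actually applied downstream


@dataclass
class AccessException:
    """Hypothetical exception record for access that was kept outside the norm."""
    identity: str
    entitlement: str
    accountable_owner: Optional[str]


def review_effectiveness(decisions):
    """Counts that show whether reviews change entitlements or only record them."""
    removals = [d for d in decisions if d.decision == "remove"]
    enacted = [d for d in removals if d.enacted]
    return {"decisions": len(decisions), "removals": len(removals), "enacted": len(enacted)}


def lingering_access(offboarded, active_entitlements):
    """Offboarded identities that still hold at least one active entitlement."""
    return sorted(i for i in offboarded if active_entitlements.get(i))


def unowned_exceptions(exceptions):
    """Exceptions with no named person accountable for them."""
    return sorted(f"{e.identity}:{e.entitlement}" for e in exceptions if not e.accountable_owner)


def ownership_verdict(decisions, offboarded, active_entitlements, exceptions):
    """Return ("governed", []) or ("documented", [reasons]) following the post's test."""
    problems = []
    eff = review_effectiveness(decisions)
    if eff["removals"] == 0:
        problems.append("reviews produce no removals")
    elif eff["enacted"] < eff["removals"]:
        problems.append("approved removals not enacted")
    if lingering_access(offboarded, active_entitlements):
        problems.append("offboarded identities retain access")
    if unowned_exceptions(exceptions):
        problems.append("exceptions without named owner")
    return ("governed" if not problems else "documented", problems)


# Constructed sample data; identities, entitlements and owners are invented.
SAMPLE_DECISIONS = [
    ReviewDecision("alice", "prod-db-admin", "remove", enacted=True),
    ReviewDecision("svc-reports", "s3-write", "remove", enacted=False),
    ReviewDecision("carol", "vpn", "keep", enacted=False),
    ReviewDecision("svc-ci", "deploy", "keep", enacted=False),
]
SAMPLE_OFFBOARDED = ["bob", "svc-legacy"]
SAMPLE_ACTIVE = {"bob": {"vpn"}, "svc-legacy": set(), "carol": {"vpn"}}
SAMPLE_EXCEPTIONS = [
    AccessException("svc-reports", "s3-write", "finance-lead"),
    AccessException("carol", "vpn", None),
]


def run_verdict():
    return ownership_verdict(SAMPLE_DECISIONS, SAMPLE_OFFBOARDED, SAMPLE_ACTIVE, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    status, reasons = run_verdict()
    print(status, reasons)
```

The distinction the check draws is between a review that decided "remove" and a removal that happened: `svc-reports` was flagged but the entitlement stayed, which is exactly the "reports but no change in entitlements" failure the answer describes.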