TL;DR: Non-human identities now outnumber human users by at least 20 to 1 and may reach 50 to 1, while IGA remains centred on human lifecycles, access certification, and role governance, according to Oasis Security. That gap makes NHIM a separate control plane for machine-to-machine access, not a replacement for IGA.
NHIMG editorial — based on content published by Oasis Security: Why do I need NHIM if I already have a great IGA tool?
By the numbers:
- Non-human identities now outnumber human users by at least 20 to 1.
Questions worth separating out
Q: How should organisations govern non-human identities alongside IGA?
A: Use IGA for people and add an NHI-specific control plane for service accounts, API keys, tokens, and certificates.
Q: Why do service accounts create governance gaps that IGA does not close?
A: Service accounts are often created outside HR-driven workflows, lack clear ownership, and can remain active long after their original use.
Q: How do teams know if NHI governance is actually working?
A: Look for complete inventory coverage, clear ownership, enforced rotation, and reliable decommissioning.
Practitioner guidance
- Separate human and machine governance paths: document which access workflows are managed through IGA and which must be governed through NHI-specific discovery, rotation, and retirement processes.
- Build a complete NHI inventory from source systems: connect identity providers, secret stores, logging platforms, and cloud services so that service accounts, API keys, tokens, and certificates are discovered where they actually live.
- Apply lifecycle controls to stale machine credentials: track creation, use, rotation, expiry, and decommission status for every non-human identity.
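As an added illustration of the lifecycle and inventory checks in the guidance above (not code from Oasis Security or NHIMG), this Python audits a constructed inventory of service accounts, API keys, tokens, and certificates against the signals the text lists: ownership, rotation, expiry, stale use, and identities seen authenticating but missing from the inventory. The thresholds, dates, and identity names are assumed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
TODAY = date(2025, 1, 15)              # fixed clock so the audit is reproducible (assumed)
MAX_ROTATION_AGE = timedelta(days=90)  # policy thresholds assumed for this example
MAX_IDLE = timedelta(days=60)
@dataclass
class NonHumanIdentity:
    name: str
    kind: str                  # service_account | api_key | token | certificate
    owner: str | None          # None = no accountable owner recorded anywhere
    created: date
    last_used: date | None     # None = never observed authenticating in logs
    last_rotated: date | None  # None = never rotated since creation
    expires: date | None       # None = no expiry set on the credential
    decommissioned: bool = False

def lifecycle_findings(nhi: NonHumanIdentity, today: date = TODAY) -> list[str]:
    """Governance gaps for one identity: ownership, rotation, expiry, staleness."""
    findings: list[str] = []
    if nhi.decommissioned:
        return findings        # retired cleanly: nothing left to govern
    if nhi.owner is None:
        findings.append("no_owner")
    if today - (nhi.last_rotated or nhi.created) > MAX_ROTATION_AGE:
        findings.append("rotation_overdue")
    if nhi.expires is None:
        findings.append("no_expiry")
    elif nhi.expires < today:
        findings.append("expired_but_active")
    if nhi.last_used is None or today - nhi.last_used > MAX_IDLE:
        findings.append("stale")  # unused: candidate for decommissioning
    return findings

def coverage_gaps(inventory: list[NonHumanIdentity], observed: set[str]) -> set[str]:
    """Identities seen authenticating (logs, cloud APIs) but missing from the inventory."""
    return observed - {nhi.name for nhi in inventory}

# Constructed sample data (not real credentials, owners, or systems).
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-billing", "service_account", "team-payments", date(2024, 12, 1),
                     date(2025, 1, 14), date(2024, 12, 1), date(2025, 6, 1)),
    NonHumanIdentity("apikey-legacy-etl", "api_key", None, date(2023, 2, 1),
                     date(2024, 9, 30), None, None),
    NonHumanIdentity("tls-old-gateway", "certificate", "team-infra", date(2023, 11, 1),
                     date(2025, 1, 10), date(2023, 11, 1), date(2024, 11, 1)),
    NonHumanIdentity("token-retired-ci", "token", "team-ci", date(2024, 1, 1),
                     None, None, None, decommissioned=True),
]
OBSERVED_IN_LOGS = {"svc-billing", "tls-old-gateway", "svc-unknown-batch"}  # constructed
```

Run `lifecycle_findings` over each record and `coverage_gaps(SAMPLE_INVENTORY, OBSERVED_IN_LOGS)` to see the ownerless, unrotated API key and the expired-but-active certificate flagged, the decommissioned token pass, and the identity that authenticates without being inventoried surface as a coverage gap.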
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- How Oasis positions NHIM against common IGA workflows such as provisioning, access reviews, and compliance reporting
- The practical lifecycle stages for service accounts, API keys, tokens, and certificates, including ownership and decommissioning
- The specific cloud-native visibility and discovery functions the vendor says are needed to manage machine identity sprawl
- How Oasis frames integration with existing IGA investments across hybrid environments
👉 Read Oasis Security's analysis of why IGA falls short for NHI governance →
IGA vs NHIM: where identity governance stops covering machine access
Explore further
IGA is necessary, but it is not a complete machine identity control plane. The article’s core argument is that IGA excels at human identity governance while NHIM addresses service accounts, API keys, tokens, and certificates. That is the right split of responsibility, because machine identities are created, used, and retired in ways that human-centred lifecycle tools were never designed to model. Practitioners should treat the two as complementary, not interchangeable.
A few things that frame the scale:
- Non-human identities now outnumber human users by at least 20 to 1, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why incomplete inventories remain a governance issue rather than a tooling issue.
A question worth separating out:
Q: What is the difference between IGA and NHIM for identity teams?
A: IGA governs human access through provisioning, approvals, certification, and compliance reporting. NHIM governs machine identities that authenticate systems, services, and automation. The distinction matters because machine access is created, rotated, and retired through different operational patterns than employee access.
👉 Read our full editorial: Why IGA falls short for NHI governance in cloud environments