
NHI authorization gaps: what IAM teams are missing now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Non-human identities now outnumber people 45:1 in the enterprise, and vendor research shows 60% of NHI credentials are stale or over-privileged, while the 31% credential-breach share reported by Verizon makes authorization gaps harder to ignore. Discovery and rotation help, but they do not govern what machine identities can do at runtime.

NHIMG editorial — based on content published by EnforceAuth: non-human identity authorization and decision-centric security

By the numbers:

Questions worth separating out

Q: What breaks when non-human identity programmes stop at discovery?

A: Discovery tells you what identities exist, but it does not govern what those identities can do.

Q: Why do non-human identities create more risk than human accounts in many environments?

A: NHIs often hold broader, longer-lived access than human users and can act at machine speed without intervention.

Q: How do security teams know if NHI governance is actually working?

A: Look for evidence that access is scoped to specific actions, data, and contexts, not just that identities are inventoried and rotated.

Practitioner guidance

  • Map NHI access by action, not just by identity. Inventory every service account, token, and agent against the specific actions and data paths it can touch.
  • Separate authentication review from authorization review. Keep credential rotation, ownership, and expiry checks in one workflow, and run a distinct review for the actions each identity can perform at runtime.
  • Introduce policy checks at decision time for high-risk workflows. For AI agents and other machine identities that can chain actions, enforce policy before each sensitive read, write, or tool call.
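The three guidance points above can be exercised in one small model. The following is an added example written for this post, not code from NHIMG or EnforceAuth: it keeps an inventory of non-human identities keyed by action and data path, runs a credential-hygiene review and a separate authorization review over it, and then enforces a decision-time check before every step of a simulated agent chain. The identities, grants, staleness threshold and the "ticket owner" context condition are all constructed for the demonstration.

```python
"""Added example (not from the NHIMG post or EnforceAuth): a toy
decision-time authorization model for non-human identities.
All identities, grants and policy conditions below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from fnmatch import fnmatch
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    action: str      # e.g. "read", "write", "invoke"
    resource: str    # data path or tool name; glob allowed, e.g. "s3://reports/*"


@dataclass
class NHI:
    name: str
    owner: Optional[str]
    credential_last_used: date
    grants: List[Grant] = field(default_factory=list)


# Constructed inventory: a service account, a CI token and an AI agent.
TODAY = date(2025, 1, 15)
INVENTORY = [
    NHI("svc-reporting", "data-team", TODAY - timedelta(days=3),
        [Grant("read", "s3://reports/*")]),
    NHI("ci-deploy-token", None, TODAY - timedelta(days=200),
        [Grant("write", "*")]),                      # wildcard resource: over-privileged
    NHI("agent-support-bot", "support", TODAY - timedelta(days=1),
        [Grant("read", "crm://tickets/*"),
         Grant("invoke", "tool:send_email")]),
]


def authentication_review(inventory, today=TODAY, stale_after_days=90):
    """Credential hygiene only: ownership and staleness.
    Says nothing about what the identity may do at runtime."""
    findings = []
    for nhi in inventory:
        if nhi.owner is None:
            findings.append((nhi.name, "no owner"))
        if (today - nhi.credential_last_used).days > stale_after_days:
            findings.append((nhi.name, "stale credential"))
    return findings


def authorization_review(inventory):
    """Separate review of what each identity can do: flag any grant that is
    not scoped to both a specific action and a specific resource."""
    findings = []
    for nhi in inventory:
        for g in nhi.grants:
            if g.resource == "*" or g.action == "*":
                findings.append((nhi.name, f"unscoped grant {g.action}:{g.resource}"))
    return findings


def authorize(nhi, action, resource, context):
    """Decision-time check run before each sensitive read, write or tool call.
    The context condition is constructed: a tool invocation is only allowed
    when the triggering ticket belongs to the identity's owning team."""
    if not any(g.action == action and fnmatch(resource, g.resource) for g in nhi.grants):
        return False, "no grant for action on resource"
    if action == "invoke" and context.get("ticket_owner") != nhi.owner:
        return False, "context check failed: ticket not owned by this identity's team"
    return True, "allowed"


def run_agent_chain(nhi, steps, context):
    """Simulated agent workflow: each step is (action, resource). Policy is
    enforced before every step and the chain stops at the first denial."""
    executed = []
    for action, resource in steps:
        ok, reason = authorize(nhi, action, resource, context)
        if not ok:
            return executed, f"denied {action} {resource}: {reason}"
        executed.append((action, resource))
    return executed, "completed"


if __name__ == "__main__":
    print("authentication findings:", authentication_review(INVENTORY))
    print("authorization findings:", authorization_review(INVENTORY))
    bot = INVENTORY[2]
    chain = [("read", "crm://tickets/42"), ("invoke", "tool:send_email")]
    print(run_agent_chain(bot, chain, {"ticket_owner": "support"}))
    print(run_agent_chain(bot, chain, {"ticket_owner": "billing"}))
```

The two review functions deliberately report different things: the CI token shows up in the authentication review for having no owner and a stale credential, and separately in the authorization review for its wildcard write grant. Rotating that token would clear the first finding and leave the second untouched, which is the gap the post describes. The agent chain shows why the check has to sit at decision time: the same identity with the same grants is allowed to send email for a ticket its team owns and is stopped mid-chain for one it does not.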

What's in the full article

EnforceAuth's full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down how policy-as-code is being applied to both human and non-human identities across applications, infrastructure, data, and AI workloads.
  • It explains the decision-centric model in more implementation detail, including why static RBAC falls short for machine-speed access.
  • It outlines the author's runtime enforcement approach, including the policy fabric concept and compatibility with existing policy ecosystems.
  • It includes the practical checklist the vendor uses to test whether an NHI strategy is actually governed or only inventoried.

👉 Read EnforceAuth's analysis of non-human identity authorization gaps →
