TL;DR: Enterprises struggle to govern service accounts, API keys, OAuth tokens, and AI agents because identity programs were built for people, leaving critical automation exposed through missing ownership, weak lifecycle controls, and blind spots in review, according to Omada Identity. The governance case is no longer about inventory alone; it is about proving accountability, lifecycle control, and auditability before autonomous agents scale further.
NHIMG editorial — based on content published by Omada Identity: Non-Human Identities Don't Govern Themselves: Building the Governance Foundation for NHI and AI Agents
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams implement NHI governance before AI agents scale further?
A: Start with continuous discovery, then add ownership, lifecycle triggers, certification, and escalation.
Q: Why do non-human identities complicate standard IAM reviews?
A: Because their purpose and access do not map cleanly to a human job role, so a review built around a person's manager and job function has nothing to attest against.
Q: What breaks when service accounts and API keys are not governed as identities?
A: The organisation loses accountability and lets access drift into routine operations.
Practitioner guidance
- Build a continuous NHI inventory: include service accounts, API keys, OAuth tokens, cloud roles, CI/CD credentials, bot identities, and AI agents.
- Assign accountable ownership to every identity: require a named individual who can justify why the identity exists, what it does, and whether it still needs access.
- Add lifecycle triggers for rotation and retirement: tie provisioning, scope changes, rotation, and deprovisioning to documented events such as project closure, application retirement, or access expansion.
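The three steps above (inventory, named ownership, event-driven lifecycle) can be expressed as a review that runs over the inventory itself. The script below is an added illustration, not Omada Identity's or NHIMG's code: the record layout, the rotation and certification thresholds, the scope list treated as excessive, and the sample identities are all constructed assumptions. It flags identities with no owner, over-broad scopes, overdue rotation, lapsed certification, or no documented retirement trigger, routes each finding to an escalation path, and retires identities when the lifecycle event they were tied to fires.

```python
"""Lifecycle governance checks over a non-human identity (NHI) inventory.

Added illustration. The record layout, field names, thresholds and the
sample inventory are constructed assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed policy thresholds: maximum credential age per identity kind
# and maximum interval between owner certifications (assumptions; tune locally).
ROTATION_MAX_DAYS = {
    "service_account": 180,
    "api_key": 90,
    "oauth_token": 30,
    "cicd_credential": 90,
    "ai_agent": 90,
}
CERTIFICATION_MAX_DAYS = 180
# Scopes treated as excessive for automation (assumption).
EXCESSIVE_SCOPES = {"admin", "owner", "*"}


@dataclass
class NHI:
    name: str
    kind: str
    owner: Optional[str]          # named accountable individual, or None
    scopes: Set[str]
    last_rotated: date
    last_certified: Optional[date]
    retire_on: Optional[str]      # documented event that ends this identity
    active: bool = True


def review(nhi: NHI, today: date) -> List[str]:
    """Return the governance findings for one identity (empty list = clean)."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")
    if nhi.scopes & EXCESSIVE_SCOPES:
        findings.append("excessive-privilege")
    if (today - nhi.last_rotated).days > ROTATION_MAX_DAYS.get(nhi.kind, 90):
        findings.append("rotation-overdue")
    if nhi.last_certified is None or (today - nhi.last_certified).days > CERTIFICATION_MAX_DAYS:
        findings.append("certification-overdue")
    if not nhi.retire_on:
        findings.append("no-retirement-trigger")
    return findings


def route(findings: List[str]) -> str:
    """Escalation path: with no owner nobody can answer for the identity, so security takes it."""
    if "no-owner" in findings:
        return "security-escalation"
    if "excessive-privilege" in findings or "rotation-overdue" in findings:
        return "owner-remediate"
    if findings:
        return "owner-certify"
    return "none"


def run_inventory_review(inventory: List[NHI], today: date) -> Dict[str, dict]:
    """Review every active identity; retired ones are out of scope."""
    report = {}
    for nhi in inventory:
        if not nhi.active:
            continue
        findings = review(nhi, today)
        report[nhi.name] = {"findings": findings, "route": route(findings)}
    return report


def apply_lifecycle_event(inventory: List[NHI], event: str) -> List[str]:
    """Retire every identity whose documented end-of-life trigger fired."""
    retired = []
    for nhi in inventory:
        if nhi.active and nhi.retire_on == event:
            nhi.active = False
            retired.append(nhi.name)
    return retired


# Constructed sample inventory (not real accounts).
TODAY = date(2025, 6, 1)
INVENTORY = [
    NHI("svc-billing-db", "service_account", "alice", {"db:read", "db:write"},
        date(2025, 1, 15), date(2025, 3, 1), "app:billing-decommissioned"),
    NHI("ci-deploy-key", "api_key", None, {"repo:write"},
        date(2024, 11, 1), None, None),
    NHI("agent-support-triage", "ai_agent", "bob", {"tickets:read", "tickets:write", "admin"},
        date(2025, 5, 20), date(2025, 5, 20), "project:atlas-closed"),
    NHI("oauth-calendar-sync", "oauth_token", "carol", {"calendar:read"},
        date(2025, 4, 1), date(2024, 10, 1), "project:atlas-closed"),
]

if __name__ == "__main__":
    for name, result in run_inventory_review(INVENTORY, TODAY).items():
        print(f"{name:24} {result['route']:20} {', '.join(result['findings']) or '-'}")
    print("retired:", apply_lifecycle_event(INVENTORY, "project:atlas-closed"))
```

The point of `apply_lifecycle_event` is that retirement is driven by a documented event the identity was bound to at creation, not by someone remembering to clean up; the ownerless CI key in the sample is the case the editorial warns about, since no one can answer for it and it falls straight to security escalation.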
The underlying question is whether IAM can express bounded authority for non-human actors at all.
👉 Read Omada Identity's analysis of non-human identity governance foundations →
Explore further
Non-human identity governance is now a lifecycle discipline, not a visibility project. Discovery matters, but discovery without ownership, certification, and retirement logic leaves the control plane incomplete. Enterprises that stop at inventory create a list of risky identities without changing the risk. Practitioners should treat lifecycle governance as the real boundary between unmanaged automation and auditable identity control.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when an AI agent acts outside its intended scope?
A: The organisation is accountable, but operational responsibility should sit with a named owner and a governance process that can explain the agent’s purpose, access, and recorded actions. Without that, autonomous behaviour becomes unassignable risk rather than managed automation.
👉 Read our full editorial: Non-human identity governance foundations for AI agents