TL;DR: Machine identities now outnumber humans by 50 to 1 in some cloud environments, and P0 Security argues that stale, unmanaged credentials are becoming the easier, quieter attack path because most IAM programmes still assume human-paced access reviews and ownership. The governance problem is not visibility alone, but lifecycle control over machine access before compromise turns into lateral movement.
NHIMG editorial — based on content published by P0 Security: Outnumbered and Underprotected: The Hidden Risk of Non-Human Identities
By the numbers:
- The cloud's most overlooked attack surface includes machine identities that outnumber humans by 50 to 1 in some environments.
- According to the Cloud Security Alliance, only 15% of organisations feel confident in their ability to prevent NHI-related breaches.
- According to the Cloud Security Alliance, 69% of organisations admit they are moderately or highly concerned about NHI-related breaches.
Questions worth separating out
Q: How should security teams govern machine identities that do not fit human access review processes?
A: Security teams should govern machine identities through ownership, lifecycle, privilege scope, and usage monitoring rather than human access review cadence alone.
Q: Why do over-permissioned service accounts increase lateral movement risk?
A: Over-permissioned service accounts increase lateral movement risk because they already possess trusted access to systems, secrets, and data.
Q: What breaks when machine identities are managed only through vaults and spreadsheets?
A: What breaks is accountability. A vault stores the secret and a spreadsheet records that it exists, but neither answers who owns the identity, what it can still reach, or when it should have been revoked, so stale access survives because nobody is responsible for ending it.
Practitioner guidance
- Inventory every machine identity and owner: create a live register of service accounts, API keys, tokens, certificates, bots, and workload identities.
- Enforce expiry on non-human credentials: set short-lived credentials where possible and define explicit revocation dates for long-lived access.
- Reduce privilege to the actual workload task: scope each machine identity to the minimum permissions needed for the exact workload or integration.
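The three guidance points above describe a review, so here is what that review looks like when run over a register. This is an added example written for this editorial, not code from P0 Security or NHIMG: the field names, the review thresholds (90 days unused, 365 days for an unexpiring long-lived secret) and the sample identities are all assumptions constructed for illustration.

```python
"""Stale machine-identity review over a constructed inventory.

Added example (not from the P0 Security post): applies the owner, expiry and
privilege-scope checks from the guidance above, plus a last-used signal, to a
small register of non-human identities. Field names and thresholds are assumed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Review thresholds: assumed policy values, not figures from the source article.
MAX_UNUSED_DAYS = 90            # unused longer than this is a stale-access signal
MAX_LONG_LIVED_AGE_DAYS = 365   # older long-lived secrets must carry an explicit expiry
TODAY = date(2025, 6, 1)        # fixed so the example is deterministic


@dataclass
class MachineIdentity:
    name: str
    kind: str                      # service account, API key, token, certificate, bot, workload identity
    owner: Optional[str]           # None means nobody is accountable for it
    created: date
    last_used: Optional[date]      # None means no recorded use
    expires: Optional[date]        # None means no revocation date was ever set
    permissions: List[str] = field(default_factory=list)


def review_identity(ident: MachineIdentity, today: date = TODAY) -> List[str]:
    """Return the governance findings for one identity (empty list if it is clean)."""
    findings: List[str] = []
    if not ident.owner:
        findings.append("no-owner")
    if ident.expires is None:
        # Long-lived access with no revocation date is the case the guidance targets.
        if (today - ident.created).days > MAX_LONG_LIVED_AGE_DAYS:
            findings.append("long-lived-no-expiry")
    elif ident.expires < today:
        # The credential should already be gone but is still in the register.
        findings.append("expired-still-present")
    if ident.last_used is None:
        findings.append("never-used")
    elif (today - ident.last_used).days > MAX_UNUSED_DAYS:
        findings.append("unused")
    # Wildcard grants ("*" or "service:*") are the opposite of workload-scoped privilege.
    if any(p == "*" or p.endswith(":*") for p in ident.permissions):
        findings.append("wildcard-permissions")
    return findings


def review_inventory(inventory: List[MachineIdentity]) -> Dict[str, List[str]]:
    """Map identity name to findings; identities with no findings are omitted."""
    return {i.name: f for i in inventory if (f := review_identity(i))}


# Constructed sample register; none of these are real identities or permissions.
SAMPLE_INVENTORY = [
    MachineIdentity("ci-deploy-key", "API key", "platform-team",
                    date(2023, 1, 10), date(2025, 5, 30), None,
                    ["s3:PutObject", "s3:GetObject"]),
    MachineIdentity("legacy-reporting-sa", "service account", None,
                    date(2021, 3, 4), date(2024, 11, 2), None, ["*"]),
    MachineIdentity("billing-bot-token", "token", "finance-eng",
                    date(2025, 1, 15), date(2025, 5, 31), date(2025, 4, 1),
                    ["billing:Read"]),
    MachineIdentity("workload-ingest", "workload identity", "data-eng",
                    date(2025, 5, 20), date(2025, 6, 1), date(2025, 6, 2),
                    ["kinesis:PutRecord"]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The point of keeping each check separate is that the findings map directly onto an action: no-owner goes to whoever runs the inventory, expiry and unused findings go to revocation, and wildcard-permissions goes to the team that owns the workload. The short-lived workload identity in the sample produces no findings at all, which is the state the guidance is steering towards.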
What's in the full article
P0 Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical examples of how teams inventory service accounts, bots, and workload identities across cloud estates
- Examples of the ownership and expiration signals practitioners can use to identify stale machine access
- The article's step-by-step framing for moving from human-centric IAM to machine identity governance
- The author's view on how ephemeral credentials and policy-bound identities change least privilege practice
👉 Read P0 Security's analysis of the hidden risk of non-human identities →