TL;DR: Machine identities now outnumber humans by 50 to 1 in some cloud environments, and P0 Security argues that stale, unmanaged credentials are becoming the easier, quieter attack path because most IAM programmes still assume human-paced access reviews and ownership. The governance problem is not visibility alone, but lifecycle control over machine access before compromise turns into lateral movement.
NHIMG editorial — based on content published by P0 Security: Outnumbered and Underprotected: The Hidden Risk of Non-Human Identities
By the numbers:
- The cloud's most overlooked attack surface includes machine identities that outnumber humans by 50 to 1 in some environments.
- According to the Cloud Security Alliance, only 15% of organisations feel confident in their ability to prevent NHI-related breaches.
- According to the Cloud Security Alliance, 69% of organisations admit they are moderately or highly concerned about NHI-related breaches.
Questions worth separating out
Q: How should security teams govern machine identities that do not fit human access review processes?
A: Security teams should govern machine identities through ownership, lifecycle, privilege scope, and usage monitoring rather than human access review cadence alone.
Q: Why do over-permissioned service accounts increase lateral movement risk?
A: Over-permissioned service accounts increase lateral movement risk because they already possess trusted access to systems, secrets, and data.
Q: What breaks when machine identities are managed only through vaults and spreadsheets?
A: What breaks is accountability.
Practitioner guidance
- Inventory every machine identity and owner Create a live register of service accounts, API keys, tokens, certificates, bots, and workload identities.
- Enforce expiry on non-human credentials Set short-lived credentials where possible and define explicit revocation dates for long-lived access.
- Reduce privilege to the actual workload task Scope each machine identity to the minimum permissions needed for the exact workload or integration.
What's in the full article
P0 Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical examples of how teams inventory service accounts, bots, and workload identities across cloud estates
- Examples of the ownership and expiration signals practitioners can use to identify stale machine access
- The article's step-by-step framing for moving from human-centric IAM to machine identity governance
- The author's view on how ephemeral credentials and policy-bound identities change least privilege practice
👉 Read P0 Security's analysis of the hidden risk of non-human identities →
NHI governance gaps: what security teams are missing now?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Machine identities have become a governance class, not just a technical by-product. The article correctly shows that service accounts, bots, and deployment identities now carry business-critical access in cloud estates. That means NHI governance has to sit inside IAM and IGA operating models, not in an isolated secrets workflow. The practitioner conclusion is simple: if an identity can touch production, it belongs in governance.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- More than 1 in 5 non-human identities are believed to be insufficiently secured, which is a governance failure, not a tooling edge case.
A question worth separating out:
Q: Who should own the risk of a compromised machine identity?
A: The owning application or platform team should carry operational accountability, while security owns the governance model and enforcement standards. If nobody can identify the business owner, the identity is already out of policy and should be treated as a remediation priority before it becomes an incident.
👉 Read our full editorial: Non-human identity governance is the missing control plane