NHI growth and PAM: what identity teams need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Security teams are finding that NHIs, multi-cloud and hybrid access patterns are stretching IAM, IGA and PAM beyond their human-centric assumptions, while the real risk is exposure to sensitive systems rather than raw account counts, according to P0 Security. Access-pathway reduction, not identity volume, is becoming the decisive governance metric.

NHIMG editorial — based on content published by P0 Security: The rise of non-human identities and the future of PAM

Questions worth separating out

Q: How should security teams govern NHIs that have privileged access in hybrid environments?

A: Security teams should govern privileged NHIs by tying each identity to a named owner, a specific business function and a documented set of reachable systems.

Q: Why do NHIs complicate PAM and IAM programmes?

A: NHIs complicate PAM and IAM because their access is often embedded in automation, APIs and service integrations rather than in interactive logins.

Q: What breaks when identity governance focuses only on account counts?

A: When governance focuses only on account counts, teams miss the identities that can actually reach sensitive data or production systems.

Practitioner guidance

  • Inventory reachable NHI privilege: Build an inventory of service accounts, API keys, tokens and certificates that can reach production or customer data, then classify them by actual access pathways rather than by owner team alone.
  • Bind each NHI to a named owner: Require an accountable human or system owner for every privileged NHI so offboarding, review and exception handling have a clear decision point.
  • Consolidate PAM and lifecycle controls: Treat rotation, offboarding and privilege review as a single control chain so machine credentials are removed or narrowed when the underlying workload, vendor or workflow changes.

What's in the full article

P0 Security's full post covers the operational detail this analysis intentionally leaves for the source:

  • The article’s interview framing with Lalit Choda and how that conversation shaped the PAM perspective.
  • The specific arguments used to compare IAM, IGA and PAM responsibilities for humans and NHIs.
  • The Black Hat discussion points about hybrid and multi-cloud access complexity.
  • The article’s closing view on whether teams should add point solutions or adapt the platforms they already run.

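As an added example (not from P0 Security's article or from this post), the sketch below applies the "Practitioner guidance" items to a constructed inventory: it ranks privileged NHIs by the sensitive systems they can reach, flags a missing owner, missing business function or overdue rotation, and contrasts per-team account counts with per-team pathway counts. All identity names, system names, field names and the 90-day rotation threshold are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data: names, systems and dates are illustrative assumptions.
SENSITIVE = {"prod-db", "customer-data-lake", "payments-api"}
MAX_ROTATION_AGE_DAYS = 90  # assumed policy threshold
INVENTORY = [
    {"id": "svc-build-01", "kind": "service_account", "team": "platform", "owner": "alice",
     "function": "CI builds", "reachable": ["artifact-store"], "rotated": date(2025, 5, 1)},
    {"id": "svc-build-02", "kind": "service_account", "team": "platform", "owner": "alice",
     "function": "CI builds", "reachable": ["artifact-store"], "rotated": date(2025, 5, 1)},
    {"id": "svc-lint-01", "kind": "api_key", "team": "platform", "owner": "bob",
     "function": "lint bot", "reachable": ["code-host"], "rotated": date(2025, 4, 20)},
    {"id": "etl-token", "kind": "token", "team": "data", "owner": None,
     "function": "nightly ETL", "reachable": ["prod-db", "customer-data-lake"],
     "rotated": date(2024, 11, 3)},
    {"id": "vendor-cert", "kind": "certificate", "team": "finance", "owner": "carol",
     "function": None, "reachable": ["payments-api"], "rotated": date(2025, 5, 10)},
]

def sensitive_pathways(nhi):
    """Sensitive systems this identity can actually reach."""
    return sorted(SENSITIVE.intersection(nhi["reachable"]))

def governance_gaps(nhi, today):
    """Missing owner, missing business function, or stale credential."""
    gaps = []
    if not nhi["owner"]:
        gaps.append("no named owner")
    if not nhi["function"]:
        gaps.append("no business function")
    if (today - nhi["rotated"]).days > MAX_ROTATION_AGE_DAYS:
        gaps.append("rotation overdue")
    return gaps

def review_queue(inventory, today):
    """Privileged NHIs only, ordered by number of sensitive pathways."""
    rows = [(n["id"], sensitive_pathways(n), governance_gaps(n, today))
            for n in inventory if sensitive_pathways(n)]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

def team_view(inventory):
    """Account count vs. sensitive-pathway count per team."""
    counts, pathways = Counter(), Counter()
    for n in inventory:
        counts[n["team"]] += 1
        pathways[n["team"]] += len(sensitive_pathways(n))
    return dict(counts), dict(pathways)
```

In this constructed data the team with the most accounts has no sensitive pathways at all, while the single unowned ETL token reaches two sensitive systems and sits at the top of the review queue.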