Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

NHI identity debt and vishing: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Non-human identities now outnumber human users by 144 to 1 and are growing 4 to 10 times faster, while fewer than 25% of organisations have formal policies for creating or decommissioning them, according to Commvault. The real governance problem is not just more machine accounts, but a machine-layer attack surface that traditional human-centric controls do not reliably see.

NHIMG editorial — based on content published by Commvault: Key Takeaways on NHI identity debt, vishing, and machine-layer risk

By the numbers:

Questions worth separating out

Q: How should security teams respond when a human account compromise may have reached machine identities?

A: Treat the event as a dual-layer identity incident.

Q: Why do NHIs make recovery harder than human account compromise?

A: Because NHIs often outlive the user action that exposed them and are not covered by the same user-focused remediation flow.

Q: What do organisations get wrong about non-human identity governance?

A: They treat NHIs as a tooling by-product instead of a governed identity class.

Practitioner guidance

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of how vishing, MFA resets, and help desk impersonation are chained into machine-layer access.
  • Examples of how OAuth abuse and service account creation keep attacker access alive after the human account is remediated.
  • The article's recovery-first framing for rollback, privilege rollback, and identity-state restoration.
  • The specific ways traditional tools miss NHIs because they are built around human behaviour patterns.

👉 Read Commvault's analysis of NHI identity debt, vishing, and machine-layer compromise →

NHI identity debt and vishing: what IAM teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

NHI identity debt is the real control gap, not just identity sprawl. Years of provisioning without lifecycle discipline create credentials that remain active after the work they supported has changed. Fewer than 25% of organisations have formal policies for NHI creation or decommissioning, which means the attack surface is expanding faster than ownership and review processes can keep up. The practitioner conclusion is simple: if the identity has no lifecycle, it has no governable boundary.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.

A question worth separating out:

Q: Who should be accountable for service accounts and tokens after a compromise?

A: The business or technical owner who can prove the identity’s purpose, scope, and retirement path should be accountable. Shared or anonymous ownership is a control failure because it prevents timely revocation, review, and rollback. Without accountable ownership, machine identities become permanent blind spots in incident response.

👉 Read our full editorial: NHI identity debt is widening the attack surface for enterprises



   
ReplyQuote
Share: