TL;DR: Non-human identities now outnumber human users by 144 to 1 and are growing 4 to 10 times faster, while fewer than 25% of organisations have formal policies for creating or decommissioning them, according to Commvault. The real governance problem is not just more machine accounts, but a machine-layer attack surface that traditional human-centric controls do not reliably see.
NHIMG editorial — based on content published by Commvault: Key Takeaways on NHI identity debt, vishing, and machine-layer risk
By the numbers:
- Non-human identities now outnumber human users by a ratio of 144 to 1, and they are growing 4 to 10 times faster than human accounts.
- 25% of organisations have formal policies governing NHI, verning NHI creation or decommissioning.
- 449% in 2025., g rose 449% in 2025.
Questions worth separating out
A: Treat the event as a dual-layer identity incident.
Q: Why do NHIs make recovery harder than human account compromise?
A: Because NHIs often outlive the user action that exposed them and are not covered by the same user-focused remediation flow.
Q: What do organisations get wrong about non-human identity governance?
A: They treat NHIs as a tooling by-product instead of a governed identity class.
Practitioner guidance
- Map the machine-layer recovery path Require incident runbooks to revoke OAuth grants, service accounts, API keys, and certificates when a human account is reset or recovered.
- Inventory and own every NHI Build a complete register of service accounts, tokens, and keys with named business owners, creation dates, and decommissioning triggers.
- Reduce standing privilege on machine identities Remove unnecessary administrative scope from long-lived credentials and replace it with task-specific access where the workload allows it.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of how vishing, MFA resets, and help desk impersonation are chained into machine-layer access.
- Examples of how OAuth abuse and service account creation keep attacker access alive after the human account is remediated.
- The article's recovery-first framing for rollback, privilege rollback, and identity-state restoration.
- The specific ways traditional tools miss NHIs because they are built around human behaviour patterns.
👉 Read Commvault's analysis of NHI identity debt, vishing, and machine-layer compromise →
NHI identity debt and vishing: what IAM teams need to fix?
Explore further
NHI identity debt is the real control gap, not just identity sprawl. Years of provisioning without lifecycle discipline create credentials that remain active after the work they supported has changed. Fewer than 25% of organisations have formal policies for NHI creation or decommissioning, which means the attack surface is expanding faster than ownership and review processes can keep up. The practitioner conclusion is simple: if the identity has no lifecycle, it has no governable boundary.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who should be accountable for service accounts and tokens after a compromise?
A: The business or technical owner who can prove the identity’s purpose, scope, and retirement path should be accountable. Shared or anonymous ownership is a control failure because it prevents timely revocation, review, and rollback. Without accountable ownership, machine identities become permanent blind spots in incident response.
👉 Read our full editorial: NHI identity debt is widening the attack surface for enterprises