TL;DR: NHI maturity is rarely uniform, and an assessment matrix splits governance into six dimensions spanning discovery, lifecycle, authentication, authorization, runtime, and delegation so teams can score each on evidence rather than optimism, according to Identra.ai. The core implication is that governance collapses when organisations treat visibility as maturity and ignore the accountability gap between discovered identities and governed identities.
NHIMG editorial — based on content published by Identra.ai: Companion assessment rate your program, honestly
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams score NHI maturity without hiding weak controls?
A: Score each control domain separately, using evidence for discovery, lifecycle, authentication, authorization, runtime, and delegation.
Q: Why do NHI programmes often look more mature than they are?
A: They often measure visibility instead of control.
Q: What breaks when delegated NHI access is treated like a normal account?
A: Account ownership, task context, and stop authority all become ambiguous.
Practitioner guidance
- Score each NHI dimension separately Use evidence-based levels for discovery, lifecycle, authentication, authorization, runtime, and delegation.
- Track the discovery-to-governance gap Measure discovered non-human identities against identities with named owners, revocation paths, and approved business purpose.
- Test runtime containment, not just monitoring Define which critical actions can be blocked or contained in real time, then validate that the control works under load.
What's in the full article
Identra.ai's full assessment covers the operational detail this post intentionally leaves for the source:
- The complete six-dimension maturity matrix with the five-level scoring guidance for each row
- The scorecard metrics mapped to coverage, privilege, runtime containment, accountability, and delegation
- The sample organization profile that shows how a real enterprise can be advanced in one dimension and weak in another
- The article's own framing for how to rate progress without relying on a single headline maturity label
👉 Read Identra.ai's assessment of the NHI maturity matrix and scorecard →
NHI maturity matrix: where are most programmes actually falling short?
Explore further
Uneven NHI maturity is the normal state, not an exception. The article is right to reject the idea that one maturity label can describe an entire non-human identity programme. Discovery, lifecycle, authentication, authorization, runtime, and delegation fail in different ways, so organisations that report a single score are usually hiding variation rather than managing it. The practitioner conclusion is to measure capability by control domain, not by overall comfort level.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why inventory alone is not governance.
A question worth separating out:
Q: How can organisations tell whether runtime identity controls are actually working?
A: Look for evidence that unsafe access attempts are being blocked, stepped up, or constrained at the point of use. If the programme only produces reports, alerts, or post-event findings, then it is measuring risk rather than controlling it. The key signal is whether the access path changes in response to policy.
👉 Read our full editorial: NHI maturity is uneven across discovery, runtime, and delegation