NHI risk in 2025: what changes when agents join the mix?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Non-human identity risk is now urgent for 93% of respondents in ConductorOne’s 2025 Future of Identity Security Report, while 42% say NHI security outranks human user security and 78% claim high or full visibility despite persistent privilege and rotation issues. The governance gap is no longer visibility alone, but control of access scope and lifecycle at machine scale.

NHIMG editorial — based on content published by ConductorOne: Managing Non-Human Identity Risk in 2025

By the numbers:

  • A staggering 93% of respondents in the report said the risks associated with NHIs are urgent, with 24% calling them extremely urgent and in need of immediate action.
  • 42% of respondents say NHI security is now a higher priority than securing human users.
  • 78% of respondents said they have high or full visibility into NHIs across their environment, and 30% say they already have total visibility.

Questions worth separating out

Q: How should security teams govern non-human identities at scale?

A: Security teams should govern non-human identities by assigning ownership, limiting scope, and enforcing lifecycle controls for every service account, token, and API key.

Q: Why do NHIs create more governance risk than many human accounts?

A: NHIs create more governance risk because they are easier to over-provision, harder to review, and less likely to trigger lifecycle events that remove access.

Q: How do security teams know if NHI visibility is actually working?

A: Visibility is working only when discovery leads to ownership, review, and action.

Practitioner guidance

  • Build an authoritative NHI inventory: map every service account, token, API key, certificate, and AI agent to an owner, purpose, and expiry so discovery turns into accountable governance.
  • Tighten default privilege at creation time: start each machine identity with the minimum access needed for the workload, then expand entitlements only after documented justification and review.
  • Operationalise credential rotation and revocation: treat rotation as a planned lifecycle control for embedded secrets, third-party integrations, and long-lived service accounts, not as an emergency-only task.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Survey framing and respondent mix behind the 2025 Future of Identity Security Report
  • Breakdowns of where teams struggle most with over-provisioning, rotation, and third-party NHI risk
  • The article's narrative examples for why agentic AI changes the machine identity picture
  • ConductorOne's explanation of the controls it recommends for machine identity governance

👉 Read ConductorOne's analysis of managing non-human identity risk in 2025 →

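The three guidance items in the post above (inventory with owner, purpose and expiry; minimum scope at creation; rotation as a scheduled lifecycle control) amount to one procedure, and the test of whether visibility "leads to ownership, review, and action" is whether an inventory can be audited and turned into an action queue. The Python below is an added example, not code from the post, from NHIMG or from ConductorOne. The inventory records are constructed, and the field names (owner, purpose, scopes, created, expires, last_rotated), the 90-day rotation threshold, the 14-day expiry warning and the list of scopes treated as over-broad are assumptions to be replaced with your own policy.

```python
"""Audit a non-human identity (NHI) inventory for ownership and lifecycle gaps.

Added example. Record layout, thresholds and sample data are assumptions,
not a description of any vendor's product or the survey's methodology.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                      # service_account, api_key, token, certificate, ai_agent
    owner: Optional[str]           # accountable person or team; None = unowned
    purpose: Optional[str]         # why this identity exists; None = undocumented
    scopes: Tuple[str, ...]        # entitlements granted to the identity
    created: date
    expires: Optional[date]        # None = credential never expires
    last_rotated: Optional[date]   # None = never rotated since creation


# Policy thresholds (assumed values; tune to your environment).
MAX_ROTATION_AGE = timedelta(days=90)   # credential older than this must be rotated
EXPIRY_WARNING = timedelta(days=14)     # flag credentials expiring within this window
BROAD_SCOPES = {"*", "admin", "owner"}  # assumed names for over-broad entitlements


def is_broad(scope: str) -> bool:
    """A scope is over-broad if it is a known admin scope or a wildcard."""
    return scope in BROAD_SCOPES or scope.endswith("*")


def audit_nhi(nhi: NHI, today: date) -> List[str]:
    """Return the list of policy findings for one identity (empty = compliant)."""
    findings: List[str] = []
    if not nhi.owner:
        findings.append("no_owner")
    if not nhi.purpose:
        findings.append("no_purpose")
    if nhi.expires is None:
        findings.append("no_expiry")
    elif nhi.expires <= today:
        findings.append("expired")
    elif nhi.expires - today <= EXPIRY_WARNING:
        findings.append("expiring_soon")
    # A never-rotated credential is as old as its creation date.
    last = nhi.last_rotated or nhi.created
    if today - last > MAX_ROTATION_AGE:
        findings.append("rotation_overdue")
    if any(is_broad(s) for s in nhi.scopes):
        findings.append("broad_scope")
    return findings


def audit_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map identity name -> findings, keeping only identities with at least one finding."""
    report: Dict[str, List[str]] = {}
    for nhi in inventory:
        findings = audit_nhi(nhi, today)
        if findings:
            report[nhi.name] = findings
    return report


def action_queue(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Group flagged identities by owner so each finding has someone to act on it.

    Unowned identities land under 'UNASSIGNED': the first action is to assign an owner.
    """
    by_name = {n.name: n for n in inventory}
    queue: Dict[str, List[str]] = {}
    for name in audit_inventory(inventory, today):
        owner = by_name[name].owner or "UNASSIGNED"
        queue.setdefault(owner, []).append(name)
    return queue


# Constructed sample inventory (not real identities).
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "platform-team", "deploy to prod",
        ("deploy:prod",), date(2025, 4, 1), date(2025, 10, 1), date(2025, 5, 15)),
    NHI("legacy-etl-key", "api_key", None, None,
        ("*",), date(2022, 1, 10), None, None),
    NHI("vendor-webhook-token", "token", "integrations", "inbound webhooks",
        ("webhooks:write",), date(2025, 1, 5), date(2025, 6, 10), date(2025, 1, 5)),
    NHI("support-agent", "ai_agent", "cx-team", "ticket triage",
        ("tickets:read", "tickets:*"), date(2025, 5, 1), date(2025, 12, 31), date(2025, 5, 1)),
    NHI("old-mtls-cert", "certificate", "sre", "service mesh",
        ("mesh:peer",), date(2024, 3, 1), date(2025, 3, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
    for owner, names in action_queue(SAMPLE_INVENTORY, TODAY).items():
        print(f"owner={owner}: {names}")
```

Running the block on the constructed inventory leaves the well-managed deploy account out of the report, flags the unowned wildcard API key on every check, and puts it under UNASSIGNED, which is the concrete form of the post's point that visibility only counts when it produces an owner and an action.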
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

NHI governance has moved from peripheral hygiene to core identity risk. ConductorOne’s data shows that 93% of respondents now treat NHI risk as urgent, which reflects a structural shift in how identity programmes are being prioritised. That is not just a sentiment change. It means service accounts, APIs, tokens, and AI agents are now part of the same governance surface as human accounts, and practitioners must plan accordingly.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Should organisations prioritise NHI governance before expanding agentic AI use?

A: Yes, because agentic AI increases the number of identities that can act, request access, and execute tasks. If machine identity controls are already weak, adding autonomous behaviour multiplies exposure faster than the programme can respond. Organisations should close NHI lifecycle gaps first so agentic expansion does not inherit unmanaged privilege.

👉 Read our full editorial: Managing non-human identity risk as agentic AI expands
