
NHI security risk, compliance, and ROI: what teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Non-human identities now outnumber human users by as much as 50 to 1 in many organisations, and a 2024 Cloud Security Alliance survey found 1 in 5 organisations have already suffered an NHI-related incident while only 15% feel confident securing them. The real governance problem is not visibility alone, but that most identity programmes still assume machine access is stable, reviewable, and contained when attackers can abuse valid credentials.

NHIMG editorial — based on content published by Cerbos: NHI risks, compliance, and the cost of inaction

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities that outnumber human users?

A: They should treat non-human identities as a governed population with ownership, lifecycle, scope, and monitoring requirements.

Q: Why do service accounts with standing privilege create such high breach risk?

A: Because a stolen or leaked machine credential often has direct access to production systems, support tools, or data stores without extra user prompts.

Q: What do organisations get wrong about rotating machine credentials?

A: They often rotate secrets without fixing the underlying access scope or ownership problem.

Practitioner guidance

  • Inventory every machine identity with an owner and expiry rule. Record service accounts, API tokens, bots, and workload credentials in a single inventory with named ownership, business purpose, and a defined retirement condition.
  • Remove standing privilege from machine accounts. Reduce every non-human identity to the smallest data and system set it actually needs.
  • Automate secret rotation and orphan detection. Use policy and telemetry to rotate long-lived keys, detect stale tokens, and flag credentials that are no longer attached to active services.
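As an added example (not code from the Cerbos guide or this post), the three rules above expressed as a policy audit over a constructed inventory: the field names, the 90-day rotation and 30-day staleness thresholds, and the "broad scope" list are assumptions standing in for whatever an organisation's own policy defines.

```python
# Added example, not code from the Cerbos guide or the post; thresholds/fields are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SECRET_AGE = timedelta(days=90)  # rotate long-lived keys past this (assumed policy)
STALE_AFTER = timedelta(days=30)     # unused this long counts as stale (assumed policy)
BROAD_SCOPES = {"admin", "*"}        # standing privilege a machine should not hold

@dataclass
class MachineIdentity:
    name: str
    owner: str | None             # named owner; None means nobody is accountable
    expires_on: date | None       # defined retirement condition
    secret_rotated_on: date
    last_used_on: date | None
    attached_service: str | None  # workload that consumes the credential
    scopes: list[str] = field(default_factory=list)

def audit(inventory, active_services, today):
    """Return {name: [finding, ...]} for each identity that violates a rule."""
    findings = {}
    for i in inventory:
        issues = []
        if not i.owner:
            issues.append("no named owner")
        if i.expires_on is None:
            issues.append("no retirement rule")
        elif i.expires_on < today:
            issues.append("expired but still present")
        if today - i.secret_rotated_on > MAX_SECRET_AGE:
            issues.append("secret past rotation age")
        if i.last_used_on is None or today - i.last_used_on > STALE_AFTER:
            issues.append("stale credential")
        if i.attached_service not in active_services:
            issues.append("orphan: no active service attached")
        if BROAD_SCOPES & set(i.scopes):
            issues.append("standing broad privilege")
        if issues:
            findings[i.name] = issues
    return findings

# Constructed sample: one governed identity and one that breaks several rules.
TODAY = date(2025, 1, 15)
INVENTORY = [
    MachineIdentity("billing-sa", "payments-team", date(2025, 6, 30),
                    date(2024, 12, 1), date(2025, 1, 14), "billing-api", ["billing:read"]),
    MachineIdentity("legacy-deploy-token", None, None,
                    date(2023, 3, 1), date(2024, 9, 1), "old-ci", ["admin"]),
]
ACTIVE_SERVICES = {"billing-api"}
```

Running `audit(INVENTORY, ACTIVE_SERVICES, TODAY)` reports nothing for `billing-sa` and six findings for `legacy-deploy-token`, which is the point of the third rule: rotating that token alone would clear one finding and leave the ownership, scope and orphan problems in place.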

What's in the full article

Cerbos' full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step reasoning on how policy-based authorization complements machine identity controls in application environments
  • Expanded ROI framing for security leadership, including breach-cost comparisons and operational efficiency effects
  • Implementation discussion for combining credential management with externalized authorization in developer workflows
  • Practical examples of how to reduce friction while tightening governance over service accounts and API tokens

👉 Read Cerbos' guide to NHI risk, compliance, and ROI →
