TL;DR: Non-human identities now outnumber human users by as much as 50 to 1 in many organisations, and a 2024 Cloud Security Alliance survey found 1 in 5 organisations have already suffered an NHI-related incident while only 15% feel confident securing them. The real governance problem is not visibility alone, but that most identity programmes still assume machine access is stable, reviewable, and contained when attackers can abuse valid credentials.
NHIMG editorial — based on content published by Cerbos: NHI risks, compliance, and the cost of inaction
By the numbers:
- Non-human identities now outnumber human users by as much as 50 to 1 in many organizations.
- A 2024 survey by the Cloud Security Alliance found that 1 in 5 organizations reported a security incident related to non-human identities.
- Only 15% of companies felt confident in their ability to secure those machine identities.
Questions worth separating out
Q: How should security teams govern non-human identities that outnumber human users?
A: They should treat non-human identities as a governed population with ownership, lifecycle, scope, and monitoring requirements.
Q: Why do service accounts with standing privilege create such high breach risk?
A: Because a stolen or leaked machine credential often has direct access to production systems, support tools, or data stores without extra user prompts.
Q: What do organisations get wrong about rotating machine credentials?
A: They often rotate secrets without fixing the underlying access scope or ownership problem.
Practitioner guidance
- Inventory every machine identity with an owner and expiry rule: record service accounts, API tokens, bots, and workload credentials in a single inventory with named ownership, business purpose, and a defined retirement condition.
- Remove standing privilege from machine accounts: reduce every non-human identity to the smallest data and system set it actually needs.
- Automate secret rotation and orphan detection: use policy and telemetry to rotate long-lived keys, detect stale tokens, and flag credentials that are no longer attached to active services.
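As an added example (not code from Cerbos or this editorial), the three steps above turned into a periodic audit over an inventory: each identity is checked for a missing owner, a passed expiry, an overdue rotation, staleness, orphaning from any active service, and wildcard scope. The inventory records, the active-service list, and the 90-day and 30-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not from the page): one record per non-human identity,
# carrying the fields the guidance asks for: owner, purpose, scope, expiry, and the
# service the credential is attached to.
INVENTORY = [
    {"id": "svc-billing-db", "owner": "payments-team", "purpose": "billing API -> billing DB",
     "scope": ["billing-db:rw"], "created": date(2026, 2, 1), "expires": date(2026, 12, 31),
     "last_used": date(2026, 3, 28), "attached_service": "billing-api"},
    {"id": "ci-deploy-token", "owner": "", "purpose": "CI deploys",
     "scope": ["deploy:*"], "created": date(2025, 10, 1), "expires": None,
     "last_used": date(2026, 3, 30), "attached_service": "ci-runner"},
    {"id": "legacy-report-bot", "owner": "data-team", "purpose": "nightly reports",
     "scope": ["reports:r"], "created": date(2026, 3, 1), "expires": date(2026, 3, 15),
     "last_used": date(2026, 1, 15), "attached_service": "report-worker-v1"},
]
# Services currently deployed, as an orchestrator inventory would report them (constructed).
ACTIVE_SERVICES = {"billing-api", "ci-runner"}


def audit_identity(nhi, today, active_services, max_key_age_days=90, stale_days=30):
    """Return the governance findings for one identity record (empty list = clean)."""
    findings = []
    if not nhi.get("owner"):
        findings.append("no-owner")          # nobody accountable for its retirement
    if nhi.get("expires") and nhi["expires"] < today:
        findings.append("expired")           # past its defined retirement condition
    if (today - nhi["created"]).days > max_key_age_days:
        findings.append("rotation-overdue")  # long-lived key never rotated
    if (today - nhi["last_used"]).days > stale_days:
        findings.append("stale")             # nothing has used this credential recently
    if nhi["attached_service"] not in active_services:
        findings.append("orphaned")          # the workload it belonged to no longer exists
    if any(s == "*" or s.endswith(":*") for s in nhi["scope"]):
        findings.append("wildcard-scope")    # standing privilege rather than least privilege
    return findings


def audit_inventory(inventory, today, active_services):
    """Map each identity id to its findings; clean identities map to an empty list."""
    return {n["id"]: audit_identity(n, today, active_services) for n in inventory}


def run_sample_audit(today_iso="2026-04-01"):
    """Audit the constructed inventory as of the given ISO date."""
    return audit_inventory(INVENTORY, date.fromisoformat(today_iso), ACTIVE_SERVICES)


if __name__ == "__main__":
    for nhi_id, findings in run_sample_audit().items():
        print(f"{nhi_id}: {', '.join(findings) or 'clean'}")
```

In a real deployment the inventory and active-service set would be pulled from the secrets manager and orchestrator, and each non-empty finding list routed to the named owner.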
What's in the full article
Cerbos' full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step reasoning on how policy-based authorization complements machine identity controls in application environments
- Expanded ROI framing for security leadership, including breach-cost comparisons and operational efficiency effects
- Implementation discussion for combining credential management with externalized authorization in developer workflows
- Practical examples of how to reduce friction while tightening governance over service accounts and API tokens
👉 Read Cerbos' guide to NHI risk, compliance, and ROI →
NHI security risk, compliance, and ROI: what teams need now?
Explore further
NHI security is now an enterprise risk-management problem, not a narrow secrets-management task. The article is right to connect machine credentials to downtime, compliance, and financial loss, because that is where the real exposure sits. Once service accounts and tokens reach production scale, they affect business continuity, customer trust, and audit outcomes. Practitioners should treat NHI governance as part of the core identity programme, not a side project.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
A question worth separating out:
Q: Which controls matter most when auditors ask about machine identity security?
A: Auditors usually need evidence of ownership, least privilege, rotation, and logging. If those four controls are in place and consistently applied, the organisation can explain who owns each credential, why it exists, how often it changes, and how misuse would be detected. That evidence is the real governance test.
👉 Read our full editorial: NHI security risks are now a board-level business liability