Notifications

Clear all

NHI sprawl and autonomous agents: what IAM teams need to know

Last Post

RSS

NHI Mgmt Group

(@nhi-mgmt-group)

Member Moderator

Joined: 1 year ago

Posts: 5324

Topic starter 11/06/2026 10:47 pm

TL;DR: For every person in an organisation there are about 92 non-human identities, and 69% of organisations are concerned about attacks from them while only 15% feel confident preventing them, according to JumpCloud. The governance problem is no longer just volume but persistent, poorly owned machine access that IAM programmes were never built to control.

NHIMG editorial — based on content published by JumpCloud: non-human identity risk, AI agents, and the governance gap

By the numbers:

For every person in an organisation, there are about 92 non-human identities.
69% of organisations are concerned about attacks from non-human identities.
Only 15% feel confident in their ability to prevent them.

Questions worth separating out

Q: How should security teams govern non-human identities across cloud and DevOps environments?

A: Start with inventory, ownership, lifecycle control, and monitoring.

Q: Why do non-human identities increase lateral movement risk?

A: Because they often carry standing access into APIs, databases, pipelines, and cloud services.

Q: What breaks when machine identities have no formal owner?

A: Rotation slows, decommissioning is missed, and privileges accumulate over time.

Practitioner guidance

Inventory every machine identity Map service accounts, API keys, certificates, tokens, workload identities, and automation scripts to a named owner and a business service.
Separate machine lifecycle from human lifecycle Create joiner-mover-leaver processes for non-human identities so provisioning, rotation, review, and offboarding are explicit steps rather than side effects of application changes.
Reduce standing privilege on automated access paths Replace broad or permanent machine permissions with scoped entitlements tied to the minimum systems required, and revalidate access whenever the workload or integration changes.

What's in the full article

JumpCloud's full analysis covers the operational detail this post intentionally leaves for the source:

Specific examples of how service accounts, API keys, certificates, and workload identities are used across common enterprise environments
JumpCloud’s fuller breakdown of the visibility and monitoring problems that make machine identities hard to govern at scale
More detail on the article’s AI agent distinction, including why autonomous behaviour changes the access model
Practical discussion of the control and lifecycle challenges that arise when machine credentials are created automatically

👉 Read JumpCloud’s analysis of non-human identity risk and AI agent exposure →

NHI sprawl and autonomous agents: what IAM teams need to know?

Explore further

View Full Forum → | NHI Foundation Course →

Quote

Topic Tags

Forum Statistics

9 Forums

6,557 Topics

9,958 Posts

34 Online

135 Members

Latest Post: Verifiable AI inference privacy: what changes for IAM teams? Our newest member: Alex Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

FAQ

NHI 101 Articles

Legal & Policies