TL;DR: Unmanaged identities, orphaned accounts, and sprawling privileges are outpacing traditional controls, while non-human identities now outnumber human identities 82 to 1, according to SPHERE Technology Solutions. The governance problem is no longer authentication alone, but upstream identity hygiene across hybrid environments.
NHIMG editorial — based on content published by SPHERE Technology Solutions: an exclusive VMblog Q&A on identity hygiene, NHI growth, and upstream governance
By the numbers:
- Non-human identities now outnumber human identities 82 to 1.
Questions worth separating out
Q: How should teams govern non-human identities in hybrid environments?
A: Teams should treat non-human identities as first-class assets with ownership, purpose, review, and offboarding rules.
Q: Why do unmanaged identities increase IAM risk even when SSO and MFA are deployed?
A: Because SSO and MFA only cover interactive human authentication, not the full set of service accounts, secrets, and delegated machine credentials that operate outside login flows.
Q: What do security teams get wrong about identity hygiene?
A: They often treat identity hygiene as clean-up after the real work is done, when it is actually the condition that makes the rest of the programme reliable.
Practitioner guidance
- Inventory all non-human identities and assign owners: build a complete list of service accounts, API keys, tokens, certificates, and other machine identities across hybrid environments, and record an accountable owner for each one.
- Remove stale accounts before expanding PAM scope: use identity hygiene work to identify inactive, duplicated, or unassigned accounts first, so that privileged access tooling is not onboarding identities nobody can vouch for.
- Extend governance to AI-driven access paths: map where automation or agentic AI can create, request, or consume credentials, then require those paths to follow the same ownership and review rules as other non-human identities.
What's in the full article
SPHERE Technology Solutions' full Q&A covers the operational detail this post intentionally leaves for the source:
- Rita Gurevich’s own explanation of how "Identity Hygiene" evolved from consulting work into a security operating model.
- The practical rationale behind "upstream hygiene" for Active Directory modernisation and PAM investment decisions.
- The article’s discussion of how continuous monitoring changes compliance from point-in-time effort to evidence-driven governance.
- Context on why NHI growth, M&A consolidation, and agentic AI automation are converging into the same identity problem.
👉 Read SPHERE Technology Solutions' Q&A on identity hygiene and NHI sprawl →
NHI sprawl and identity hygiene: what IAM teams are missing?
Explore further
Identity hygiene is now a control layer, not a housekeeping exercise. The article’s central point is that unmanaged identities and orphaned accounts create governance failure before any breach occurs. SSO and MFA do not address the identity objects that live outside interactive login, so enterprises need a discipline that treats identity state as a continuously managed security asset. The practitioner conclusion is simple: if identity cannot be accounted for, it cannot be governed.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why orphaned identities and privilege drift remain so difficult to contain.
A question worth separating out:
Q: How should organisations respond when automation expands the number of identities they must govern?
A: They should widen governance to include machine identities and any AI-driven access paths before the volume becomes unmanageable. That means enforcing ownership, limiting standing access, and requiring continuous evidence for creation, use, and retirement so automation does not outpace oversight.
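The practitioner guidance above (inventory, ownership, stale-account cleanup before PAM onboarding) and this answer (ownership, limited standing access, evidence for creation, use and retirement) both come down to the same audit over a merged inventory. The following is an added example written for this editorial, not SPHERE's code or any product feature: it normalises constructed records from AD, AWS and a vault into one structure, then flags orphaned, stale, never-used, unrotated and unreviewed-privileged identities, plus the same logical identity appearing in more than one source. The record fields, the 90/365/180-day thresholds, the fixed clock and the sample inventory are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the walkthrough is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Assumed policy thresholds (not taken from the article).
STALE_AFTER = timedelta(days=90)    # no sign-in or key use in 90 days
ROTATE_AFTER = timedelta(days=365)  # password/key/cert older than a year
REVIEW_AFTER = timedelta(days=180)  # privileged NHIs need an access review every 180 days


@dataclass
class NHI:
    """One normalised inventory record, whichever system it came from."""
    name: str                      # logical identity name or key label
    kind: str                      # service_account | api_key | certificate | token
    source: str                    # system of record: ad | aws | vault | ...
    owner: Optional[str]           # accountable team or person; None means nobody
    created: datetime
    credential_issued: datetime    # when the current password/key/cert was issued
    last_used: Optional[datetime]  # None means no recorded use at all
    privileged: bool = False
    last_reviewed: Optional[datetime] = None


def audit(nhi: NHI, now: datetime = NOW) -> list[str]:
    """Hygiene findings for one identity; an empty list means it is clean."""
    findings: list[str] = []
    if not nhi.owner:
        findings.append("orphaned: no accountable owner")
    if nhi.last_used is None:
        idle = now - nhi.created          # grace period runs from creation
        if idle > STALE_AFTER:
            findings.append(f"never used in the {idle.days} days since creation")
    else:
        idle = now - nhi.last_used
        if idle > STALE_AFTER:
            findings.append(f"stale: unused for {idle.days} days")
    if now - nhi.credential_issued > ROTATE_AFTER:
        findings.append("credential past rotation age")
    if nhi.privileged and (nhi.last_reviewed is None or now - nhi.last_reviewed > REVIEW_AFTER):
        findings.append("privileged access without a current review")
    return findings


def find_duplicates(inventory: list[NHI]) -> dict[str, list[str]]:
    """Logical identities present in more than one source, e.g. an AD account whose
    password is also held in a vault under a differently cased name."""
    sources: dict[str, set[str]] = {}
    for nhi in inventory:
        sources.setdefault(nhi.name.lower(), set()).add(nhi.source)
    return {name: sorted(s) for name, s in sources.items() if len(s) > 1}


def hygiene_report(inventory: list[NHI], now: datetime = NOW) -> dict[str, list[str]]:
    """Map 'source:name' -> findings for every record in the merged inventory."""
    dups = find_duplicates(inventory)
    report: dict[str, list[str]] = {}
    for nhi in inventory:
        findings = audit(nhi, now)
        if nhi.name.lower() in dups:
            findings.append("duplicate across sources: " + ", ".join(dups[nhi.name.lower()]))
        report[f"{nhi.source}:{nhi.name}"] = findings
    return report


def summarize(report: dict[str, list[str]]) -> dict[str, object]:
    """Which identities can be onboarded to PAM as-is, and which need cleanup first."""
    def has(key: str, prefixes: tuple[str, ...]) -> bool:
        return any(f.startswith(prefixes) for f in report[key])
    keys = sorted(report)
    return {
        "total": len(keys),
        "ready_for_pam": [k for k in keys if not report[k]],
        "orphaned": [k for k in keys if has(k, ("orphaned",))],
        "retire_or_justify": [k for k in keys if has(k, ("stale", "never used"))],
        "rotate": [k for k in keys if has(k, ("credential past",))],
    }


def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (not real data): AD, AWS and vault records already normalised.
SAMPLE_INVENTORY = [
    NHI("svc-backup", "service_account", "ad", "it-ops", _d(2022, 3, 1), _d(2024, 11, 1),
        _d(2025, 1, 14), privileged=True, last_reviewed=_d(2024, 10, 1)),
    NHI("SVC-BACKUP", "service_account", "vault", "it-ops", _d(2024, 11, 1), _d(2024, 11, 1),
        _d(2025, 1, 10)),
    NHI("svc-legacy-etl", "service_account", "ad", None, _d(2019, 6, 10), _d(2019, 6, 10),
        _d(2024, 7, 1), privileged=True),
    NHI("deploy-key-ci", "api_key", "aws", "platform", _d(2024, 12, 20), _d(2024, 12, 20), None),
    NHI("svc-migrated-temp", "token", "vault", "acquisition-integration", _d(2024, 6, 1),
        _d(2024, 6, 1), None),
]

if __name__ == "__main__":
    report = hygiene_report(SAMPLE_INVENTORY)
    for identity, findings in report.items():
        print(identity, "->", findings or "clean")
    print(summarize(report))
```

On the sample data only the fresh CI key comes out clean; the legacy ETL account collects every finding at once (no owner, 198 days idle, a five-year-old password, privileged with no review), which is the profile a PAM rollout should refuse to onboard until someone claims or retires it. The vault token inherited through an acquisition has an owner but has never been used, and the backup account appears in both AD and the vault, so a per-source inventory would count it twice and review it in neither place. In practice the normalisation step is the hard part: each source has to be exported on a schedule and mapped onto a record like `NHI`, and the report re-run continuously rather than once, so the evidence of creation, use and retirement is current when an auditor or an incident responder asks for it.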
👉 Read our full editorial: Identity hygiene, NHI sprawl, and the limits of SSO and MFA