NHI sprawl and lifecycle gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter

TL;DR: Non-human identities now outnumber human users by as much as 46 to 1, while 88.5% of organisations say their non-human IAM practices lag or only match user IAM, according to Delinea and Aembit research. The governance problem is not scale alone, but the fact that discovery, privilege, offboarding, and monitoring are still handled as separate controls.

NHIMG editorial — based on content published by Delinea: Non-human identities are the silent majority. How can you manage and protect them?

By the numbers:

  • Non-human identities such as service accounts, application tokens, CI/CD tools, and APIs can outnumber human users by 46 to 1.

Questions worth separating out

Q: What breaks when service accounts are reused across multiple applications?

A: Reusing the same service account across multiple applications makes blast radius much larger than the workload requires.

Q: Why do NHIs complicate zero trust architecture?

A: NHIs complicate zero trust because they authenticate non-interactively, often at machine speed, and may exist outside normal user review cycles.

Q: How do security teams know if NHI governance is working?

A: Good NHI governance shows up in fewer shared credentials, shorter secret lifetimes, clear ownership for every machine identity, and offboarding that actually removes unused accounts.

Practitioner guidance

  • Build a complete NHI inventory across collaboration, code, and cloud systems. Search for service accounts, tokens, API keys, certificates, and bot credentials in repositories, tickets, chat tools, and vaults.
  • Break shared-use machine identities into one identity per application. Eliminate cross-application reuse wherever possible, especially for credentials that touch production data or privileged systems.
  • Link rotation to decommissioning and ownership checks. Do not stop at secret rotation.
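An added example (not code from the Delinea article or from this post) showing how the health signals in the Q&A above and the guidance just listed can be checked mechanically against an NHI inventory: shared-use identities, missing owners, secrets past rotation age, and accounts that should have been offboarded. The record fields, the 90-day rotation and 30-day inactivity thresholds, and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical inventory record; field names are assumptions, not a vendor schema.
@dataclass
class NHI:
    name: str
    owner: Optional[str]        # team or person accountable for the identity
    apps: list                  # applications that use this credential
    secret_issued: date         # when the current secret was issued
    last_used: Optional[date]   # None if the identity has never authenticated

MAX_SECRET_AGE = timedelta(days=90)   # assumed policy: rotate at least every 90 days
STALE_AFTER = timedelta(days=30)      # assumed policy: unused for 30 days -> offboard

def governance_gaps(inventory, today):
    """Group identities by the lifecycle gap they exhibit (one identity may hit several)."""
    gaps = {"shared": [], "no_owner": [], "stale_secret": [], "unused": []}
    for nhi in inventory:
        if len(set(nhi.apps)) > 1:                  # one credential reused across apps
            gaps["shared"].append(nhi.name)
        if not nhi.owner:                           # nobody accountable for rotation/offboarding
            gaps["no_owner"].append(nhi.name)
        if today - nhi.secret_issued > MAX_SECRET_AGE:
            gaps["stale_secret"].append(nhi.name)
        if nhi.last_used is None or today - nhi.last_used > STALE_AFTER:
            gaps["unused"].append(nhi.name)         # offboarding candidate
    return gaps

def clean_identities(inventory, today):
    """Names of identities with no gap at all; the share of these is the governance signal."""
    flagged = {n for names in governance_gaps(inventory, today).values() for n in names}
    return [nhi.name for nhi in inventory if nhi.name not in flagged]

# Constructed sample inventory with a fixed reference date so results are reproducible.
TODAY = date(2025, 6, 1)
SAMPLE = [
    NHI("svc-billing", "payments-team", ["billing"], TODAY - timedelta(days=10), TODAY - timedelta(days=1)),
    NHI("svc-shared-db", None, ["billing", "reporting", "etl"], TODAY - timedelta(days=200), TODAY - timedelta(days=2)),
    NHI("ci-deploy-token", "platform", ["ci"], TODAY - timedelta(days=45), TODAY - timedelta(days=60)),
    NHI("bot-legacy", "", ["chatops"], TODAY - timedelta(days=400), None),
]

if __name__ == "__main__":
    for gap, names in governance_gaps(SAMPLE, TODAY).items():
        print(f"{gap:13s} {names}")
    print("clean        ", clean_identities(SAMPLE, TODAY))
```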

What's in the full article

Delinea's full analysis covers the operational detail this post intentionally leaves for the source:

  • The full OWASP NHI Top 10 table with Delinea's control mapping for each issue
  • Examples of how discovery, vaulting, and monitoring are positioned across its platform capabilities
  • The article's discussion of PAM, ITDR, IGA, GRC, and CIEM as a combined NHI strategy
  • The vendor's specific framing of AI, DevOps, and cloud-native identity risk

👉 Read Delinea's analysis of non-human identity governance and machine sprawl →
