TL;DR: NHIs now outnumber human users by 45:1 to 100:1 in cloud environments, while 95% of cloud identities are over-privileged and 80% of breaches involve compromised identities, according to Andromeda Security. The control problem is no longer secret rotation alone. Blast-radius reduction, ownership, and lifecycle governance are now the decisive variables in NHI security.
NHIMG editorial — based on content published by Andromeda Security: Non-Human Identity Security: Critical Risk Brief
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 95% of cloud identities are over-privileged, increasing the attack blast radius.
- 80% of breaches involve compromised identities.
Questions worth separating out
Q: How should security teams govern non-human identities in cloud environments?
A: Security teams should treat non-human identities as first-class governed assets, not implementation details.
Q: Why do over-privileged service accounts increase breach impact?
A: Over-privileged service accounts increase breach impact because the credential is only the entry point.
Q: What breaks when non-human identities have no offboarding process?
A: When non-human identities have no offboarding process, credentials remain valid after the workload, vendor relationship, or project has ended.
Practitioner guidance
- Inventory every non-human identity across code and cloud Build a complete inventory of service accounts, API keys, OAuth tokens, certificates, and workload identities across applications, CI/CD, and cloud accounts.
- Right-size entitlements before you rotate secrets Review the permissions attached to each NHI and remove privileges that are never used.
- Put offboarding on the machine identity lifecycle Require a decommissioning step for every NHI when a project ends, a vendor relationship changes, or a workload is retired.
What's in the full article
Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:
- Breakdown of the control gaps behind NHI sprawl across cloud, DevOps, and AI workflows
- Operational recommendations for discovery, entitlement right-sizing, and lifecycle ownership
- The article's framing of business impact across compliance, cloud cost, and lateral movement
- Source examples and supporting evidence behind the stated breach patterns
👉 Read Andromeda Security's risk brief on non-human identity security →
NHI sprawl and over-privilege: what IAM teams need to fix?
Explore further
NHI sprawl has become a governance problem, not a tooling problem. The article is right to treat volume as part of the risk, but scale only becomes dangerous when organisations cannot inventory, classify, and own what they expose. NHIs now outnumber human identities by orders of magnitude, which means the attack surface grows faster than most IAM programmes can absorb. The practical conclusion is that discovery and accountability must precede any other control investment.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do teams know if NHI governance is actually working?
A: Teams know NHI governance is working when they can answer three questions quickly: who owns each identity, what permissions it actually uses, and how it will be retired. If discovery is incomplete, entitlements are broad, or offboarding is manual and inconsistent, the programme is still carrying hidden exposure rather than controlling it.
👉 Read our full editorial: Non-human identity risk is outpacing cloud governance controls