Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

NHI sprawl and SaaS access: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: NHIs now outnumber human accounts by as much as 50 to 1, and attackers are increasingly using compromised human and machine credentials to move laterally into SaaS environments, according to Hydden. Existing IAM, IGA, PAM, and detection workflows were built around human account assumptions that do not hold for long-lived machine identities.

NHIMG editorial — based on content published by Hydden: NHI governance gaps are widening as SaaS identities outgrow IAM

By the numbers:

Questions worth separating out

Q: How should security teams govern service accounts and API keys across cloud environments?

A: Treat service accounts and API keys as governed identities, not as implementation details.

Q: Why do non-human identities increase lateral movement risk in SaaS environments?

A: Because machine identities often have persistent access, broad trust relationships, and weak lifecycle visibility.

Q: What do organisations get wrong about rotating NHI secrets?

A: They often assume rotation is the whole control.

Practitioner guidance

  • Build a complete NHI inventory Catalogue service accounts, API keys, tokens, certificates, and workload identities with owner, purpose, system dependency, and expiry data so no credential is invisible to governance.
  • Tie every machine identity to a lifecycle owner Assign one accountable team for provisioning, review, rotation, and decommissioning so dormant credentials do not survive after projects, vendors, or workloads change.
  • Reduce standing privilege on non-human accounts Split broad service roles into narrower task-specific permissions and remove cross-system reuse where one credential can reach multiple applications or environments.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of why MFA and standard user workflows do not translate cleanly to NHIs
  • A deeper look at how attackers use dormant accounts and password resets to move laterally
  • The practical role of IGA, PAM, ISPM, and ITDR in a machine-identity programme
  • Why ongoing NHI inventory is necessary when credentials are created outside standard onboarding

👉 Read Hydden's analysis of why NHI governance is becoming harder →

NHI sprawl and SaaS access: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

NHI governance is failing because many programmes still treat machine identities as a technical byproduct, not a governed identity class. That is the real gap behind secret sprawl, overprivilege, and orphaned access. When NHIs are created outside human onboarding workflows, lifecycle ownership becomes implicit and review coverage becomes partial. The implication is that identity governance cannot stop at employee accounts.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how one identity failure can become a recurring access problem.

A question worth separating out:

Q: Who is accountable when a compromised machine identity is used to reach sensitive systems?

A: Accountability should sit with the team that owns the workload and the identity lifecycle, not just with the security team that detected the abuse. If the credential was created, stored, or reused without clear ownership, the governance failure is shared across engineering, platform, and identity functions. Clear ownership is what makes review and remediation possible.

👉 Read our full editorial: NHI governance gaps are widening as SaaS identities outgrow IAM



   
ReplyQuote
Share: