NHI sprawl and SaaS access: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator

TL;DR: NHIs now outnumber human accounts by as much as 50 to 1, and attackers are increasingly using compromised human and machine credentials to move laterally into SaaS environments, according to Hydden. Existing IAM, IGA, PAM, and detection workflows were built around human account assumptions that do not hold for long-lived machine identities.

NHIMG editorial — based on content published by Hydden: NHI governance gaps are widening as SaaS identities outgrow IAM

By the numbers:

Questions worth separating out

Q: How should security teams govern service accounts and API keys across cloud environments?

A: Treat service accounts and API keys as governed identities, not as implementation details.

Q: Why do non-human identities increase lateral movement risk in SaaS environments?

A: Because machine identities often have persistent access, broad trust relationships, and weak lifecycle visibility.

Q: What do organisations get wrong about rotating NHI secrets?

A: They often assume rotation is the whole control. Rotation shortens how long a leaked secret stays valid, but it does not remove a credential nobody needs, narrow an over-broad role, or assign an owner; a freshly rotated key with admin rights and no accountable team is still a governance gap.

Practitioner guidance

  • Build a complete NHI inventory. Catalogue service accounts, API keys, tokens, certificates, and workload identities with owner, purpose, system dependency, and expiry data so no credential is invisible to governance.
  • Tie every machine identity to a lifecycle owner. Assign one accountable team for provisioning, review, rotation, and decommissioning so dormant credentials do not survive after projects, vendors, or workloads change.
  • Reduce standing privilege on non-human accounts. Split broad service roles into narrower task-specific permissions and remove cross-system reuse where one credential can reach multiple applications or environments.
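As an added illustration of the three points above (this is editorial example code, not code from the post or from Hydden), the Python below audits a small, constructed NHI inventory for the gaps those bullets describe: records with no owner, purpose, or expiry; credentials that are expired, dormant, or overdue for rotation; broad roles; one credential that reaches more than one system; and the same secret material registered under two different names. The record schema, the 90-day and 180-day thresholds, the fixed reference date, and all four sample records are assumptions chosen for the example.

```python
"""Audit a non-human identity (NHI) inventory for governance gaps.

Added example, not from the original post or from Hydden. The schema,
thresholds and sample records below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TODAY = date(2024, 6, 1)             # fixed reference date so the run is reproducible
DORMANT_AFTER = timedelta(days=90)   # assumption: no use for 90 days counts as dormant
ROTATE_AFTER = timedelta(days=180)   # assumption: secret material older than 180 days
BROAD_ROLES = {"admin", "owner", "*"}  # assumption: roles treated as standing broad privilege


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                       # service_account | api_key | token | cert | workload
    owner: Optional[str]            # accountable team, None if nobody claimed it
    purpose: Optional[str]
    systems: Tuple[str, ...]        # systems this credential can reach
    rotated: date                   # when the current secret material was issued
    last_used: Optional[date]
    expires: Optional[date]
    secret_fingerprint: str         # hash of the secret material, never the secret itself
    roles: Tuple[str, ...]


def audit(inventory: List[NHI]) -> Dict[str, List[str]]:
    """Return a per-identity list of governance findings (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    by_fingerprint: Dict[str, List[str]] = {}
    for n in inventory:
        issues: List[str] = []
        if not n.owner:
            issues.append("no-owner")
        if not n.purpose:
            issues.append("no-purpose")
        if n.expires is None:
            issues.append("no-expiry")
        elif n.expires < TODAY:
            issues.append("expired")
        if n.last_used is None or TODAY - n.last_used > DORMANT_AFTER:
            issues.append("dormant")
        if TODAY - n.rotated > ROTATE_AFTER:
            issues.append("rotation-overdue")
        if len(n.systems) > 1:
            issues.append("cross-system")
        if BROAD_ROLES & set(n.roles):
            issues.append("broad-role")
        by_fingerprint.setdefault(n.secret_fingerprint, []).append(n.name)
        findings[n.name] = issues
    # Same secret material under two names: one leak or one rotation affects both.
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                findings[name].append("shared-secret")
    return findings


def needs_review(findings: Dict[str, List[str]]) -> List[str]:
    """Names of identities with at least one finding, sorted for stable reporting."""
    return sorted(name for name, issues in findings.items() if issues)


# Constructed sample inventory (not real credentials or systems).
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "platform-eng", "deploy from CI", ("k8s-prod",),
        date(2024, 4, 15), date(2024, 5, 30), date(2024, 12, 31), "fp-a1", ("deployer",)),
    NHI("legacy-etl-key", "api_key", None, "nightly ETL", ("warehouse", "crm"),
        date(2023, 9, 1), date(2024, 1, 15), None, "fp-b2", ("admin",)),
    # Same secret as legacy-etl-key, copied into a second integration.
    NHI("reporting-key", "api_key", "analytics", "dashboards", ("warehouse",),
        date(2023, 9, 1), date(2024, 5, 31), date(2024, 12, 31), "fp-b2", ("read",)),
    # Rotated last week, yet still a gap: no owner and an owner-level role.
    NHI("vendor-sync-key", "api_key", None, "SaaS sync", ("crm",),
        date(2024, 5, 25), date(2024, 5, 30), date(2025, 1, 1), "fp-c3", ("owner",)),
]

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for name in needs_review(result):
        print(f"{name}: {', '.join(result[name])}")
```

In the sample run, `ci-deploy-sa` is clean, `legacy-etl-key` collects almost every finding, `reporting-key` is flagged only because it carries the same secret as the ETL key and that secret is overdue for rotation, and `vendor-sync-key`, rotated a week ago, is still reported for having no owner and an owner-level role. That last record is the point made in the Q&A above: rotation on its own does not close the gap.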

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of why MFA and standard user workflows do not translate cleanly to NHIs
  • A deeper look at how attackers use dormant accounts and password resets to move laterally
  • The practical role of IGA, PAM, ISPM, and ITDR in a machine-identity programme
  • Why ongoing NHI inventory is necessary when credentials are created outside standard onboarding

👉 Read Hydden's analysis of why NHI governance is becoming harder →
