TL;DR: As machines, APIs, bots, and IoT devices outnumber human users, SPHERE argues that non-human identities are becoming a primary cybersecurity blind spot, with attackers exploiting weak ownership, poor visibility, and inadequate entitlement oversight. The governance model now has to shift from account inventory to identity intelligence, or NHI risk will keep outrunning conventional IAM controls.
NHIMG editorial — based on content published by SPHERE: The Impact of the Exponential Growth of Non-Human Identities
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams govern non-human identities at enterprise scale?
A: Security teams should govern NHIs as a distinct identity population with inventory, ownership, entitlement review, and lifecycle controls.
Q: Why do non-human identities create more governance risk than human accounts?
A: NHIs create more governance risk because they scale faster, change more often, and are commonly managed outside human-centric IAM processes.
Q: What do organisations get wrong about entitlement reviews for machine identities?
A: They often review the credential holder without checking whether the underlying workload still needs the access.
Practitioner guidance
- Inventory all NHIs across infrastructure and application layers. Build a live register for bots, APIs, certificates, service accounts, SSH keys, and IoT identities, then tie each record to a business owner and technical steward.
- Map every NHI to an entitlement purpose. Require a documented reason for access that explains why the identity exists, what it can reach, and when its access should end.
- Review privileged machine access on a fixed governance cadence. Use access reviews to identify stale, duplicated, or overbroad NHI entitlements, then remove identities that no longer match an active workload or integration.
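The three guidance items above describe one review loop: a register with owners, a documented purpose with an end date, and a periodic check for stale, duplicated, or overbroad machine access. The script below is an added illustration of that loop, written for this post and not code from SPHERE or NHIMG. The record fields, the 90-day staleness window, the wildcard/admin markers for "overbroad", and the sample register are all assumptions made for the example; a real register would be fed from the secrets manager, cloud IAM, CA and directory sources the organisation actually runs.

```python
"""Review a non-human identity (NHI) register for governance gaps.

Added illustration, not SPHERE's or NHIMG's code. The record schema, the
90-day staleness window and the sample inventory are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

STALE_AFTER_DAYS = 90                          # assumed threshold for "unused"
ADMIN_ENTITLEMENTS = {"*", "admin", "owner"}   # assumed markers of overbroad access


@dataclass
class NHIRecord:
    nhi_id: str
    kind: str                      # service_account, api_key, certificate, ssh_key, bot, iot
    business_owner: str | None
    technical_steward: str | None
    purpose: str | None            # documented reason the identity exists
    access_ends: date | None       # planned end of access; None means open-ended
    last_used: date | None         # None means never observed in use
    entitlements: set[str] = field(default_factory=set)
    workload_active: bool = True   # does the workload it serves still exist?


def review_register(register: list[NHIRecord], today: date) -> dict[str, list[str]]:
    """Return {nhi_id: [finding, ...]} for every record with at least one gap."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_purpose: dict[tuple[str, str], list[str]] = defaultdict(list)

    for r in register:
        # Ownership: each record needs a business owner and a technical steward.
        if not r.business_owner:
            findings[r.nhi_id].append("no business owner")
        if not r.technical_steward:
            findings[r.nhi_id].append("no technical steward")
        # Entitlement purpose: access must be explained and must have an end date.
        if not r.purpose:
            findings[r.nhi_id].append("no documented purpose")
        else:
            by_purpose[(r.kind, r.purpose.strip().lower())].append(r.nhi_id)
        if r.access_ends is None:
            findings[r.nhi_id].append("open-ended access")
        elif r.access_ends < today:
            findings[r.nhi_id].append("access past its end date")
        # Staleness: check the workload behind the credential, not just the holder.
        if not r.workload_active:
            findings[r.nhi_id].append("workload no longer active")
        if r.last_used is None or (today - r.last_used).days > STALE_AFTER_DAYS:
            findings[r.nhi_id].append(f"unused for more than {STALE_AFTER_DAYS} days")
        # Overbroad: wildcard or admin-level grants on a machine identity.
        if r.entitlements & ADMIN_ENTITLEMENTS:
            findings[r.nhi_id].append("overbroad entitlement")

    # Duplication: two identities of the same kind serving the same documented purpose.
    for (kind, purpose), ids in by_purpose.items():
        if len(ids) > 1:
            for nhi_id in ids:
                others = sorted(set(ids) - {nhi_id})
                findings[nhi_id].append(f"duplicate of {others} for purpose '{purpose}'")

    return dict(findings)


# Constructed sample register for the example; these are not real identities.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    NHIRecord("svc-billing-export", "service_account", "Finance", "platform-team",
              "nightly export of invoices to the data warehouse",
              date(2024, 12, 31), date(2024, 5, 30), {"warehouse:write"}),
    NHIRecord("apikey-legacy-crm", "api_key", None, "integrations",
              "CRM sync", date(2023, 12, 31), date(2024, 1, 3), {"crm:read", "crm:write"}),
    NHIRecord("ssh-build-runner", "ssh_key", "Engineering", None,
              None, None, None, {"*"}),
    NHIRecord("bot-ticket-triage", "bot", "Support", "support-eng",
              "Ticket triage", date(2025, 1, 1), date(2024, 5, 28), {"tickets:read"}),
    NHIRecord("bot-ticket-triage-v2", "bot", "Support", "support-eng",
              "ticket triage", date(2025, 1, 1), date(2024, 5, 31), {"tickets:read"},
              workload_active=False),
]

if __name__ == "__main__":
    for nhi_id, issues in review_register(SAMPLE_REGISTER, TODAY).items():
        print(nhi_id)
        for issue in issues:
            print("  -", issue)
```

Run as a script it prints one block per identity that needs attention; the fully owned, purposed, recently used billing account produces nothing, while the SSH key with no steward, no purpose, no end date, no observed use and a wildcard grant collects five findings. The duplicate check keys on kind plus normalised purpose, which is the signal that two bots were provisioned for the same job and one of them no longer has a live workload.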
What's in the full article
SPHERE's full article covers the operational detail this post intentionally leaves for the source:
- The article's specific examples of machine identities, including bots, APIs, and IoT devices, in the context of enterprise sprawl
- SPHERE's own framing of identity intelligence and how it connects visibility, ownership mapping, and entitlement auditing
- Additional context on why NHIs fall outside traditional identity frameworks and how that changes governance priorities
👉 Read SPHERE's analysis of why exponential NHI growth is exposing governance blind spots →